How does the "firewall local-valid-users" command protect the user table?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers with ArubaOS 3.3.2 or later.


The validuser session Access Control List (ACL) is used to protect the user table. It helps prevent a misbehaving user from filling up the user table with bogus addresses or even addresses of trusted machines. When the user table is full, no additional user can access the system and gain connectivity. If a trusted machine is in the table, connectivity to that machine is impacted.


Unfortunately, it is very hard to maintain the ACL in large, geographically-diverse networks. When user subnets and server subnets are added routinely, this ACL must be constantly updated. At one customer, the pain is so great that the entire system is viewed negatively.


To make it easier to maintain the validuser ACL, a second lookup was added. If the validuser ACL denies the IP address, the controller will permit the address if it is a member of a directly connected subnet. Specifically, if the controller has an IP interface in the subnet of which the IP address is a member, the IP address will be added to the user table if this second lookup is enabled. The command is called "local-valid-users".


With RAPs present, the validuser ACL should be configured to permit L2TP (UDP 1701) to the RAP controller.


The command to allow local subnets in the user table is:

(config) #firewall local-valid-users

Version history
Revision #:
1 of 1
Last update:
‎07-05-2014 10:25 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: