What does the ‘firewall local-valid-users’ command do?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers with ArubaOS 3.3.2 and later.


The validuser session ACL is used to protect the user table. This ACL helps prevent a misbehaving user from filling up the user table with bogus addresses or even addresses of trusted machines. When the user table is full, no other users can access the system and gain connectivity. If a trusted machine is in the table, connectivity to that machine is impacted.

Unfortunately, it is difficult to maintain the ACL in large, geographically-diverse networks. When user subnets and server subnets are added routinely, this ACL must be updated constantly.

If the 'firewall local-valid-users' command is enabled, the controller will permit the address, even if the validuser ACL denies the IP address, as long as the address is a member of a directly connected subnet. Specifically, if the controller has an IP interface in the subnet of which the IP address is a member, the IP address is added to the user table if this second lookup is enabled.

With RAPs present, the validuser ACL should be configured to permit L2TP (UDP 1701) to the RAP controller.

To enable this feature, issue this command:


(Aruba) (config) #firewall local-valid-users


To verify that this is enabled, issue this command:


(Aruba) (config) #show firewall

Global firewall policies
Policy                                                                            Action   Rate   Slot/Port
------                                                                                 ------   ----   ---------
Enforce TCP handshake before allowing data             Disabled
Prohibit RST replay attack                                                 Disabled
Deny all IP fragments                                                         Disabled
Prohibit IP Spoofing                                                             Enabled
Monitor ping attack                                                              Disabled
Monitor TCP SYN attack                                                     Disabled
Monitor IP sessions attack                                                Disabled
Deny inter user bridging                                                    Disabled
Log all received ICMP errors                                            Disabled
Per-packet logging                                                             Disabled
Session mirror destination                                               Disabled
Disable Stateful SIP Processing                                     Disabled
Allow tri-session with DNAT                                             Disabled
Disable FTP server                                                                 No
GRE call id processing                                                     Disabled
Session Idle Timeout                                                        Disabled
VOIP proxy arp                                                                    Disabled
WMM content enforcement                                              Disabled
Session VOIP Timeout                                                     Disabled
Disable Stateful H.323 Processing                               Disabled
Only allow local subnets in user table                        Enabled
Monitor/police CP attacks                                                Enabled    100/sec
Rate limit CP untrusted ucast traffic                              Disabled
Rate limit CP untrusted mcast traffic                            Disabled
Rate limit CP trusted ucast traffic                                  Disabled
Rate limit CP trusted mcast traffic                                Disabled
Rate limit CP route traffic                                                Disabled
Rate limit CP session mirror traffic                              Disabled
Rate limit CP auth process traffic                                 Enabled    2 Mbps
Session mirror IPSEC                                                     Disabled

Version history
Revision #:
1 of 1
Last update:
‎07-01-2014 01:39 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: