Will Deny Inter User Traffic or Bridging deny all the traffic generated from one client to another?

Requirement:

This KB applies to controllers running any AOS 6.x or AOS 8.x version.



Solution:

First, let's understand the similarities and differences between Deny Inter User Traffic and Deny Inter User Bridging.

 

Similarities between Deny Inter User Traffic and Deny Inter User Bridging:


When either of these knobs is enabled, unicast client traffic generated from one untrusted client to another untrusted client is blocked by the mobility controller.

 

Difference between Deny Inter User Traffic and Deny Inter User Bridging:

 

Deny Inter User Traffic:

  1. Can be configured under the Virtual AP (per-SSID) profile and under the Global Firewall.
  2. Blocks Layer-2 and Layer-3 unicast IP traffic from one untrusted client to another.

Deny Inter User Bridging:

  1. Can be configured in the Global Firewall only.
  2. Denies Layer-3 non-IP traffic, such as AppleTalk or IPX, from being forwarded from one untrusted client to another.

 

Note: As the definitions above state, only unicast traffic is blocked. Layer-2 or Layer-3 multicast/broadcast traffic generated by one client is still forwarded by the controller and is seen by the other untrusted clients in the network.



Configuration:

Enabling Deny Inter User Traffic from the Virtual AP profile


(Aruba-Controller) # configure terminal

(Aruba-Controller) (config) #wlan virtual-ap "VAP-tester"

(Aruba-Controller) (Virtual AP profile "VAP-tester") #deny-inter-user-traffic

 

Enabling Deny Inter User Traffic and Deny Inter User Bridging from the Global firewall


(Aruba-Controller) #configure t

(Aruba-Controller) (config) #firewall deny-inter-user-bridging

(Aruba-Controller) (config) #firewall deny-inter-user-traffic


Verification

Verifying that these knobs are enabled:

(Aruba-Controller) #show wlan virtual-ap  "VAP-tester" | include Deny

Deny inter user traffic                         Enabled

Deny time range                                 N/A

 

(Aruba-Controller) #show firewall | include Deny

Deny all IP fragments                        Disabled                                                     

Deny inter user bridging                     Enabled                                                      

Deny inter user traffic                      Enabled                                                      

Deny source routing                          Disabled   

 

Verification with client packet capture:

 

Here we have two clients connected to the SSID called Tester, on which Deny Inter User Traffic and Deny Inter User Bridging are enabled.

 

(Aruba-Controller) #show user-table

Users
-----

    IP           MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy                     Profile            Forward mode  Type    Host Name
----------  ------------       ------    ----           ----------  ----  --------  -------  -------   ---------------                     -------            ------------  ----    ---------

10.10.10.4  3c:f0:11:ef:a6:a0            authenticated  00:00:00                    AP1      Wireless  Tester-SSID/18:64:72:c2:3f:b0/a-HT  default-dot1x-psk  tunnel        Win 10 
10.10.10.6  80:00:0b:52:d4:6a            authenticated  00:00:00                    AP1      Wireless  Tester-SSID/18:64:72:c2:3f:a0/g-HT  default-dot1x-psk  tunnel               


User Entries: 2/2
Curr/Cum Alloc:2/46 Free:1/44 Dyn:3 AllocErr:0 FreeErr:0


Common broadcast and multicast packets seen across the two clients are ARP, DHCP, SMB, NBNS, LLMNR, SSDP, mDNS, IGMP, etc.

Following is the screenshot from each client, filtered on its own IP address and the other client's IP address (ip.addr == 10.10.10.4 || ip.addr == 10.10.10.6).

Client 1: IP address 10.10.10.4

Client 2: IP address 10.10.10.6

We see the multicast and broadcast traffic generated from one untrusted client reaching the other untrusted client, and vice versa.

 

Similarly, we initiate a ping (ICMP, a unicast IP protocol) from client 1 to client 2. We can see that client 1 sends a broadcast ARP request for client 2's IP address to learn its MAC address, but the ping is not successful: the result is "Destination host unreachable". Let's see from the pcap what happens.

Unicast traffic:

Client 1: IP address 10.10.10.4


C:\>ping 10.10.10.6

Pinging 10.10.10.6 with 32 bytes of data:
Reply from 10.10.10.4: Destination host unreachable.
Reply from 10.10.10.4: Destination host unreachable.
Reply from 10.10.10.4: Destination host unreachable.
Reply from 10.10.10.4: Destination host unreachable.

Ping statistics for 10.10.10.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Client 2: IP address 10.10.10.6

From the above packet capture we can see that client 1's broadcast ARP request is seen on client 2, and client 2 responds to it with a unicast ARP reply.

That unicast ARP reply is dropped by the controller, so client 1 never completes ARP resolution for client 2. No unicast IP exchange (not even a TCP three-way handshake) can follow, and client 1 eventually concludes that client 2 is unreachable.
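The following is an added example, not part of the original KB and not controller code: a small Python model of the forwarding decision the two knobs make, applied to constructed Ethernet frames that mirror the ping test above (the two client MACs are taken from the user-table output). The decision rules are an assumption derived from the behaviour this article describes, so treat it as a way to reason about which frames a capture should and should not show, not as a specification.

```python
import struct

# Decision rules below are an assumption modelled on this article's description,
# not the controller's actual implementation.
ETH_IP, ETH_ARP, ETH_IPX, ETH_APPLETALK = 0x0800, 0x0806, 0x8137, 0x809B
CLIENT1 = bytes.fromhex("3cf011efa6a0")   # 10.10.10.4 (from the user-table)
CLIENT2 = bytes.fromhex("80000b52d46a")   # 10.10.10.6 (from the user-table)
BROADCAST = b"\xff" * 6
UNTRUSTED = {CLIENT1, CLIENT2}

def frame(dst, src, ethertype, payload=b""):
    """Build a constructed Ethernet II frame: dst MAC, src MAC, ethertype, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def classify(raw):
    """Return (src, dst, ethertype, kind) where kind is unicast/broadcast/multicast."""
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if dst == BROADCAST:
        kind = "broadcast"
    elif dst[0] & 0x01:          # I/G bit set in the first octet -> group (multicast) MAC
        kind = "multicast"
    else:
        kind = "unicast"
    return src, dst, ethertype, kind

def controller_decision(raw, deny_traffic=True, deny_bridging=True):
    """Forward or drop a frame from an untrusted client, per the article's rules."""
    src, dst, ethertype, kind = classify(raw)
    if kind != "unicast":
        return "forward"   # broadcast/multicast is never blocked by these knobs
    if src not in UNTRUSTED or dst not in UNTRUSTED:
        return "forward"   # only untrusted-to-untrusted unicast is in scope
    if deny_traffic and ethertype in (ETH_IP, ETH_ARP):
        return "drop"      # L2/L3 unicast IP traffic, incl. the unicast ARP reply
    if deny_bridging and ethertype not in (ETH_IP, ETH_ARP):
        return "drop"      # non-IP L3 protocols such as IPX or AppleTalk
    return "forward"

# Constructed frames mirroring the ping test in the article
ARP_REQUEST = frame(BROADCAST, CLIENT1, ETH_ARP)   # client 1 asks "who has 10.10.10.6?"
ARP_REPLY = frame(CLIENT1, CLIENT2, ETH_ARP)       # client 2 answers with a unicast reply
ICMP_ECHO = frame(CLIENT2, CLIENT1, ETH_IP)        # would follow if ARP had resolved
IPX_UNICAST = frame(CLIENT2, CLIENT1, ETH_IPX)
MDNS = frame(bytes.fromhex("01005e0000fb"), CLIENT1, ETH_IP)

if __name__ == "__main__":
    for name, f in [("ARP request", ARP_REQUEST), ("ARP reply", ARP_REPLY),
                    ("ICMP echo", ICMP_ECHO), ("IPX unicast", IPX_UNICAST), ("mDNS", MDNS)]:
        print(f"{name:12s} {classify(f)[3]:10s} -> {controller_decision(f)}")
```

Running it shows the broadcast ARP request and multicast mDNS forwarded while the unicast ARP reply, ICMP echo and IPX frame are dropped, which is exactly the pattern the two captures above exhibit.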

 
