This articles details on the settings that need to be enabled on Instant AP that deny guest clients from talking to each other and to the wired users of same vlan.
Generally, in most customer premises guest vlan is separate from internal vlans and their access is restricted only to Internet. But, in smaller or temporary environments, such as hotspots or at a coffee shop, guests and employee are placed in same flat one vlan.
In such cases, administrator would like to block guest clients from talking to each other and to the wired users/resources exists in the same vlan.
Environment : This article applies to Aruba Instant Access Point running any version of Aruba InstantOS.
Network Topology: Wireless Guests, Wired Clients, Wired Servers, all are in same flat VLAN.
To disable communication only among guest users, enable "Deny inter user bridging" in the Instant AP system settings. Following figure shows the option enabled in system settings:
1. Login to web interface of Virtual Controller(VC) of the Instant Cluster
2. From the main menu, click on Settings
3. Click "show advance options"
But, if you want to disable communication between guest users and also to wired clients of the same vlan, then just adding a deny ACL in the guest role would do.
1. Edit the Guest SSID, or while creating new Guest SSID, get on to Security section
2. Select "Role based" and add a deny ACL to the network.
NOTE: Ensure that deny ACL is in the position one. Similarly, you can add ACLs for other subnets to which you do not want guest users to access.