Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Disable Client to Client on guest network???

  • 1.  Disable Client to Client on guest network???

    Posted Feb 22, 2012 10:19 PM

    Disable Client to Client on guest network???

     

    Running Aruba Instant with 6.x latest update as of 2/22/2012

    Have an Employee Network working fine

    Have a Guest Network using Guest DMZ using built in DHCP, which properly segregates guest from employee network

    My problem is I can't find a way to stop guest clients from communicating with other guest clients

    I really don’t want guests to be able to port scan other guests

    Most other APs I have worked with have an option to block client-to-client traffic on a given SSID

    Any suggestions?

     

    Thanks



  • 2.  RE: Disable Client to Client on guest network???

    Posted Feb 23, 2012 02:45 AM

    How about adding an ACL in the guest role: "user user any deny" (src dst svc action)?

    user-> any user in the controller's user table

    This ACL will not let two users talk to each other.



  • 3.  RE: Disable Client to Client on guest network???

    Posted Feb 23, 2012 11:21 AM

    That may work with a controller, but I'm running Instant

     

    no option for Deny Any User User

     

    I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network: except a network}

     

    I don't want to list out each possible guest IP as a server; it would work, but it's a lot of entries

     



  • 4.  RE: Disable Client to Client on guest network???
    Best Answer

    Posted Feb 23, 2012 02:02 PM

    @mjob81 wrote:

    That may work with a controller, but I'm running Instant

     

    no option for Deny Any User User

     

    I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network: except a network}

     

    I don't want to list out each possible guest IP as a server; it would work, but it's a lot of entries

     


    mjob81, 

     

    One way of achieving this is as follows: 

     

    Create Network based access rules for the guest network 

     

    Example:

    Guest network - 192.168.1.0/24 

    Gateway: 192.168.1.1 

     

    RULES:

    1.  allow any on server 192.168.1.1

    2. allow any on server <to any other server you want users to be able to access>

    3. deny any to network 192.168.1.0/24

    4. allow any to all destination 

     

    This would prevent inter-user traffic on the guest network. 

     

    NOTE: the above rules will not allow external sources to initiate session with the guest network clients. 

     

    Hope it helps ! 

     



  • 5.  RE: Disable Client to Client on guest network???

    Posted Feb 23, 2012 04:41 PM

    YES that works

     

    In Instant you cannot use xxx.xxx.xxx.0/x


    you need to use xxx.xxx.xxx.0 and 255.xxx.xxx.xxx in the subnet
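
The rule set from the accepted answer can be checked offline before it is entered on the AP. The sketch below is an added example, not part of any post in this thread and not Aruba code: it assumes the rules are evaluated top-down with the first match winning, models IP destinations only, and uses 192.168.1.10 as a constructed stand-in for the "other server" in rule 2.

```python
import ipaddress

# Rules in the order given in the accepted answer: (action, kind, target).
RULES = [
    ("allow", "server", "192.168.1.1"),      # rule 1: guest gateway
    ("allow", "server", "192.168.1.10"),     # rule 2: constructed sample server
    ("deny", "network", "192.168.1.0/24"),   # rule 3: rest of the guest subnet
    ("allow", "all", None),                  # rule 4: every other destination
]

def to_net(kind, target):
    """Express any rule target as a network (a server becomes a /32)."""
    return ipaddress.ip_network("0.0.0.0/0" if kind == "all" else target)

def evaluate(rules, dst):
    """Return (action, rule number) of the first rule matching dst.
    Assumption: first match wins; no match is treated as deny."""
    addr = ipaddress.ip_address(dst)
    for number, (action, kind, target) in enumerate(rules, start=1):
        if addr in to_net(kind, target):
            return action, number
    return "deny", None

def shadowed(rules):
    """Rule numbers that can never match because an earlier rule
    already covers their whole target (an ordering mistake)."""
    nets = [to_net(kind, target) for _, kind, target in rules]
    return [j + 1 for j in range(len(nets))
            if any(nets[j].subnet_of(nets[i]) for i in range(j))]

def instant_form(cidr):
    """Split CIDR into the address + dotted mask that Instant asks for."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.netmask)

if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.1.10", "192.168.1.57", "8.8.8.8"):
        print(dst, evaluate(RULES, dst))
    print("shadowed rules:", shadowed(RULES))
    # Same rules with the subnet deny moved to the top: gateway is cut off.
    misordered = [RULES[2], RULES[0], RULES[1], RULES[3]]
    print("misordered shadowed:", shadowed(misordered))
    print("Instant entry:", instant_form("192.168.1.0/24"))
```

If the subnet deny is placed above the gateway allow, `shadowed` reports the allow rules as unreachable, which is the failure to look for when guests lose DHCP or DNS after the change.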

     

     

     



  • 6.  RE: Disable Client to Client on guest network???

    Posted Mar 17, 2017 05:26 AM

    Hi Guys,

    I'm new to Aruba controllers. My WAC series is 7220 with SW version: 6.4.3.4

    I need to do wireless client isolation on my network so that the only thing each user can see is the DHCP server.

    I did activate the option "Deny inter user traffic" on each SSID I have, but I can still see other devices when using the "fing" SW.

    Please, I need help.



  • 7.  RE: Disable Client to Client on guest network???

    EMPLOYEE
    Posted Mar 17, 2017 09:06 AM

    Clients will always have access to ARP, which is what fing does.  If you have an ACL that says that those clients cannot communicate, they will be blocked from doing anything to each other.  This of course breaks down on an Open SSID where there is no encryption and clients can directly contact each other.  Real protection should not be expected on an Open SSID.



  • 8.  RE: Disable Client to Client on guest network???

    Posted Mar 17, 2017 09:25 AM

    I agree with you, so how can I do this using policies?

    Can you please give me an example? (As I told you before, I'm new to Aruba.)