How to configure Deny Inter-User Traffic on Mobility Access Switch

Aruba Employee

Starting with ArubaOS 7.4, the Mobility Access Switch supports Deny Inter-user Traffic. This feature enables a Mobility Access Switch to block communication between users that have the same role. For example, an organization can block communication between any two guest users. If the role has a voip-profile configured, traffic between the VoIP users is also denied.


  • Inter-user traffic is denied only within an ArubaStack; the denial does not span multiple Mobility Access Switches or ArubaStacks.
  • By default, this feature is disabled.
  • Deny Inter-user Traffic can be configured for a maximum of seven user-roles (including CPPM downloaded roles), on a per user-role basis.


  • Traffic originating from a user whose role has Deny Inter-user Traffic enabled is also denied to users with different roles if they are connected to the same port and VLAN as the user to which the traffic must be denied.
  • L3 multicast traffic originating from users cannot be denied between users that are in the same role but in different VLANs.
  • When two users are in the same role but in different VLANs, and session processing or NAT is enabled on the RVI, the inter-user traffic is not dropped.

Environment: This applies when you want to block communication between users with the same role.


Configuring Deny Inter-User Traffic:

You can configure this feature using the following CLI commands:

(host) (config) #user-role <role-name>
(host) (config-role) #deny-inter-user-traffic


Sample Configuration:

(host) (config) #user-role Guest
(host) (config-role) #deny-inter-user-traffic


Verifying Deny Inter-User Traffic Configuration:

Use the following command to view the list of user roles on which deny inter-user traffic is enabled:

(host) #show aaa deny-inter-user-traffic roles
Maximum number of user roles supported: 7
Enabled on user roles:

Use the following command to view the details of the interfaces on which the role is applied and traffic is denied:

(host) #show user-table role guest
IP   MAC                Name        Role   Age(d:h:m)  Auth          Connection  Interface  Profile  Vlan
---  -----              -----       ----   ----------  ----          ----------  ---------  -------  ----
     04:7d:7b:1e:d1:bf  test-user1  Guest  00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3911)
     00:25:45:93:bf:d8  test-user2  Guest  00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3913)
User Entries: 2/2
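
The following Python check is an added example, not part of the original article or any Aruba tooling. It reads user-table rows with the show user-table columns above and flags the documented exceptions: same-role users in different VLANs, other-role users sharing a port and VLAN with a deny-role user, and more than seven enabled roles. The rows for test-user3 and test-user4, the Employee role and the function names are constructed for illustration; the parenthesised value in the Vlan column is ignored.

```python
import re
from collections import defaultdict
from itertools import combinations

MAX_DENY_ROLES = 7  # limit stated in this article

# Constructed rows in the show user-table column layout (IP column empty).
# test-user3 and test-user4 are made up to exercise the two caveats.
SAMPLE = """\
04:7d:7b:1e:d1:bf test-user1 Guest    00:02:18 802.1x-Wired Wired 3/0/44 dot1x 1 (3911)
00:25:45:93:bf:d8 test-user2 Guest    00:02:18 802.1x-Wired Wired 3/0/44 dot1x 1 (3913)
00:11:22:33:44:55 test-user3 Guest    00:00:05 802.1x-Wired Wired 3/0/12 dot1x 20 (3915)
00:11:22:33:44:66 test-user4 Employee 00:01:00 802.1x-Wired Wired 3/0/44 dot1x 1 (3917)
"""

ROW = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<name>\S+)\s+(?P<role>\S+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<port>\d+/\d+/\d+)\s+\S+\s+(?P<vlan>\d+)", re.I)

def parse_user_table(text):
    """Return one dict per user row; header and separator lines do not match."""
    return [m.groupdict() for m in map(ROW.search, text.splitlines()) if m]

def audit(rows, deny_roles):
    """Flag cases where behaviour differs from plain same-role isolation."""
    findings = {"over_limit": len(deny_roles) > MAX_DENY_ROLES,
                "cross_vlan": [], "collateral": []}
    by_role = defaultdict(list)
    for r in rows:
        by_role[r["role"].lower()].append(r)
    for role in sorted(x.lower() for x in deny_roles):
        members = by_role.get(role, [])
        # Same role, different VLAN: L3 multicast is not denied, and traffic is
        # not dropped if session processing or NAT is enabled on the RVI.
        for a, b in combinations(members, 2):
            if a["vlan"] != b["vlan"]:
                findings["cross_vlan"].append((a["name"], b["name"]))
        # Other-role users sharing a port and VLAN with a deny-role user are
        # also denied traffic sent by users in that role.
        spots = {(m["port"], m["vlan"]) for m in members}
        for r in rows:
            if r["role"].lower() != role and (r["port"], r["vlan"]) in spots:
                findings["collateral"].append((r["name"], r["port"], r["vlan"]))
    return findings

if __name__ == "__main__":
    print(audit(parse_user_table(SAMPLE), {"Guest"}))
```

A cross_vlan finding means isolation between that pair depends on the RVI configuration, and a collateral finding means a user outside the role is affected by the deny rule.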

Version history
Revision #:
1 of 1
Last update:
04-07-2015 02:01 PM