Wired Intelligent Edge (Campus Switching and Routing)


How to configure Deny Inter-User Traffic on Mobility Access Switch 

Apr 07, 2015 05:01 PM

Starting with ArubaOS 7.4, the Mobility Access Switch supports Deny Inter-user Traffic. The feature blocks communication between users that hold the same user role; for example, an organization can block communication between any two guest users. If the role has a voip-profile configured, traffic between the VoIP users in that role is denied as well.

 

  • Inter-user traffic is denied only within a single ArubaStack; the denial does not span multiple Mobility Access Switches or ArubaStacks.
  • The feature is disabled by default.
  • Deny Inter-user Traffic can be enabled on a maximum of seven user roles (including CPPM-downloaded roles) and is configured per user role.

Limitations:
 

  • Traffic from a user whose role has Deny Inter-user Traffic enabled is also denied to users in other roles when those users are on the same port and VLAN as the user to which the traffic must be denied.
  • L3 multicast traffic from users cannot be denied between users that are in the same role but in different VLANs.
  • When two users are in the same role but in different VLANs, and session processing or NAT is enabled on the RVI, inter-user traffic is not dropped.

Environment: Use this feature when communication between users that hold the same role must be blocked.

 

Configuring Deny Inter-User Traffic:

You can configure this feature using the following CLI commands:

(host) (config) #user-role <role-name>
(host) (config-role) #deny-inter-user-traffic

 

Sample Configuration:

(host) (config) #user-role Guest
(host) (config-role) #deny-inter-user-traffic

 

Verifying Deny Inter-User Traffic Configuration:

Use the following command to view the list of user roles on which deny inter-user traffic is enabled:

(host) #show aaa deny-inter-user-traffic roles
Maximum number of user roles supported: 7
Enabled on user roles:
----------------------
Role3
Guest

Use the following command to view the details of the interfaces on which the role is applied and traffic is denied:

(host) #show user-table role guest
Users
-----
IP          MAC                Name        Role   Age(d:h:m)  Auth          Connection  Interface  Profile  Vlan
----------  -----------------  ----------  -----  ----------  ------------  ----------  ---------  -------  --------
192.0.2.11  04:7d:7b:1e:d1:bf  test-user1  Guest  00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3911)
192.0.2.10  00:25:45:93:bf:d8  test-user2  Guest  00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3913)
User Entries: 2/2
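As an added audit example (not part of the original article and not HPE Aruba tooling), the script below parses the two show outputs above and reports two things a practitioner checks after enabling the feature: how many of the seven role slots remain, and which users in other roles share a port and VLAN with a deny-enabled user, which is the collateral-denial case listed first under Limitations. The sample outputs are constructed in the page's format (the two Guest users from the page plus two extra users added for illustration); the VLAN ID is assumed to be the leading number in the Vlan column, and the parenthesised value is kept but not compared.

```python
import re
from collections import defaultdict

# Constructed sample in the format of 'show aaa deny-inter-user-traffic roles'.
DENY_ROLES_OUTPUT = """\
Maximum number of user roles supported: 7
Enabled on user roles:
----------------------
Role3
Guest
"""

# Constructed sample in the format of 'show user-table role <role>'. The two
# Guest rows match the page; printer-1 and employee-1 are added for illustration.
USER_TABLE_OUTPUT = """\
Users
-----
IP          MAC                Name        Role      Age(d:h:m)  Auth          Connection  Interface  Profile  Vlan
----------  -----------------  ----------  --------  ----------  ------------  ----------  ---------  -------  --------
192.0.2.11  04:7d:7b:1e:d1:bf  test-user1  Guest     00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3911)
192.0.2.10  00:25:45:93:bf:d8  test-user2  Guest     00:02:18    802.1x-Wired  Wired       3/0/44     dot1x    1 (3913)
192.0.2.20  00:25:45:93:bf:e0  printer-1   Printer   00:10:05    802.1x-Wired  Wired       3/0/44     dot1x    1 (3912)
192.0.2.30  00:25:45:93:bf:f1  employee-1  Employee  00:01:00    802.1x-Wired  Wired       3/0/45     dot1x    1 (3914)
User Entries: 4/4
"""

# One user-table row; columns are whitespace separated. The Vlan column is assumed
# to start with the VLAN ID, with anything after it (e.g. "(3911)") kept as extra.
ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<name>\S+)\s+(?P<role>\S+)\s+(?P<age>\d+:\d+:\d+)\s+"
    r"(?P<auth>\S+)\s+(?P<conn>\S+)\s+(?P<iface>\S+)\s+(?P<profile>\S+)\s+"
    r"(?P<vlan>\d+)(?P<vlan_extra>.*)$",
    re.IGNORECASE,
)


def parse_deny_roles(text):
    """Return (maximum roles supported, roles listed under 'Enabled on user roles:')."""
    max_roles, roles, in_list = None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Maximum number of user roles supported:\s*(\d+)", line)
        if m:
            max_roles = int(m.group(1))
        elif line.startswith("Enabled on user roles"):
            in_list = True
        elif in_list and line and not line.startswith("-"):
            roles.append(line)
    return max_roles, roles


def parse_user_table(text):
    """Return one dict per user row; header, separator and summary lines are skipped."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["vlan"] = int(row["vlan"])
            users.append(row)
    return users


def collateral_denials(users, deny_roles):
    """Pairs (source, blocked): source holds a deny-enabled role and blocked is a
    user in a different role on the same interface and VLAN (first limitation)."""
    groups = defaultdict(list)
    for u in users:
        groups[(u["iface"], u["vlan"])].append(u)
    pairs = []
    for members in groups.values():
        for src in members:
            if src["role"] not in deny_roles:
                continue
            for dst in members:
                if dst is not src and dst["role"] != src["role"]:
                    pairs.append((src["name"], dst["name"]))
    return pairs


def audit(deny_text=DENY_ROLES_OUTPUT, table_text=USER_TABLE_OUTPUT):
    """Combine both outputs into a small report."""
    max_roles, deny_roles = parse_deny_roles(deny_text)
    users = parse_user_table(table_text)
    return {
        "max_roles": max_roles,
        "deny_roles": deny_roles,
        "free_slots": None if max_roles is None else max_roles - len(deny_roles),
        "collateral": collateral_denials(users, set(deny_roles)),
    }


if __name__ == "__main__":
    report = audit()
    print(f"deny roles: {report['deny_roles']} (free slots: {report['free_slots']})")
    for src, dst in report["collateral"]:
        print(f"WARNING: traffic from {src} to {dst} is denied although roles differ")
```

Run it with the two show outputs pasted in place of the constructed samples. In the sample, printer-1 shares port 3/0/44 and VLAN 1 with the two Guest users, so its traffic from them is denied despite its different role, while employee-1 on 3/0/45 is unaffected.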