Hate to dig up an old thread... but now I'm facing a similar situation. Been searching the forums, this is the closest posting found...
Customer wants to print from a BYOD device to a WiFi printer, while continuing to deny inter-user traffic without impacting traffic to network resources/internet.
What is the ACL "equivalent" of the "Deny Inter-User Traffic" VAP setting?
Think it would be "user user any deny"... no good, controller (620 on v6.2) says, "Only one of source or destination must be 'user'"
In my mind, the following would accomplish this, but the controller doesn't allow the "user user any deny".
!
ip access-list session allowtest
user (printerip) any permit
user user any deny
any any any permit
Any suggestions would be kindly appreciated...