Wireless Access

Contributor I

Deny inter user traffic per role?

Is there a user-role specific way to accomplish this same level of blocking?

What I am trying to accomplish is this:


I have an Open Guest network that returns the role guest.
I would like to put another set of devices that cannot use 802.1x on the guest network, but the devices need to be able to communicate with each other.

Right now I have deny inter user traffic enabled on the VAP. My thought is I need to remove that option, and move it to the guest user role. 

The only solution I've come up with is an ACL, which is not ideal since I can't do an ACL that says user user any deny, since it wants source/destination to be different. So I would need to create ACLs specific to sites.

Contributor II

Re: Deny inter user traffic per role?

You could maybe make an ACL like...

Src: User
Dest: /
Dest: /
Dest: /

Or create a guest SSID with deny inter user traffic and a second SSID “contractor” where you allow that.

Contributor II

RE: Deny inter user traffic per role?

I think that you should limit traffic to the role you are assigned to using the bandwidth option in your role.

Re: Deny inter user traffic per role?

Hi Eugene,


Won't the following ACLs help?


any <gateway ip> any permit

any <guest network> any deny

any any any permit

Contributor I

Re: Deny inter user traffic per role?

Yes, this would work, and is what I meant by ACLs specific to sites.


I was hoping there was an option I missed that was an easy checkmark in the user-role!
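
The three-rule ACL suggested above, modelled as an added example that is not part of any post in this thread: it shows why the rule order matters and why the ACL has to be rebuilt per site. The subnets, gateway addresses and helper names are constructed, and top-down first-match evaluation is an assumption of the model.

```python
import ipaddress

# Constructed sample sites; none of these values come from the thread.
SITE_A = {"gateway": "10.20.30.1", "guest_net": "10.20.30.0/24"}
SITE_B = {"gateway": "10.40.50.1", "guest_net": "10.40.50.0/24"}


def build_acl(site):
    """The three rules from the reply, in order, with one site's values filled in.

    The source is 'any' in every rule, so only the destination is modelled.
    """
    return [
        (ipaddress.ip_network(site["gateway"] + "/32"), "permit"),  # any <gateway ip> any permit
        (ipaddress.ip_network(site["guest_net"]), "deny"),          # any <guest network> any deny
        (ipaddress.ip_network("0.0.0.0/0"), "permit"),              # any any any permit
    ]


def evaluate(acl, dst):
    """Return the action of the first rule whose destination matches (assumed first-match)."""
    addr = ipaddress.ip_address(dst)
    for network, action in acl:
        if addr in network:
            return action
    return "deny"  # nothing matched


def check_site(acl, site):
    """Evaluate a guest client's traffic to its gateway, a guest peer and the internet."""
    peer = str(ipaddress.ip_network(site["guest_net"])[50])  # constructed guest peer
    return {
        "gateway": evaluate(acl, site["gateway"]),
        "peer": evaluate(acl, peer),
        "internet": evaluate(acl, "198.51.100.7"),  # documentation-range address
    }


if __name__ == "__main__":
    acl_a = build_acl(SITE_A)
    print("site A ACL used at site A:", check_site(acl_a, SITE_A))
    # Reusing site A's ACL at site B leaves guest-to-guest traffic permitted.
    print("site A ACL used at site B:", check_site(acl_a, SITE_B))
```

Swapping the first two rules makes the gateway itself unreachable, because the subnet deny then matches before the gateway permit.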

