Hi Danny,
As far as I know, deny-inter-user-traffic works only within the same controller. When leaving the controller your client is visible at layer 2 on the Ethernet switch and the controller is out of control. That's why you see incoming Ethernet packets from the second controller and/or other wired clients in the same VLAN.
Maybe you can try client isolation on your switch backend, but personally I have never tried that.
Mostly I solved this only at layer 3 in the user role, where I put a "user destination rfc1918-nets deny". So a user cannot have a private LAN IP address as destination (when you want internet-only, of course).
------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------
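A constructed Python model (added example, not code from the thread or from Aruba) of the two enforcement points discussed above: deny-inter-user-traffic, which only sees clients anchored to the same MD, versus a layer-3 user-role rule that denies RFC 1918 destinations. Client placement, the gateway exemption and the implicit deny at the end of the role are assumptions.

```python
import ipaddress

# Constructed sample data: guest clients and the MD each one is anchored to.
CLIENTS = {
    "guest-a": {"ip": "192.168.50.10", "md": "MD1"},
    "guest-b": {"ip": "192.168.50.11", "md": "MD1"},
    "guest-c": {"ip": "192.168.50.12", "md": "MD2"},
}
GATEWAY = "192.168.50.1"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def l2_isolated(src, dst, deny_inter_user=True):
    """deny-inter-user-traffic only applies between clients on the same MD."""
    return deny_inter_user and CLIENTS[src]["md"] == CLIENTS[dst]["md"]


def role_permits(dst_ip, rules):
    """First-match evaluation of an ordered user-role rule list.

    Unmatched traffic is denied (assumed implicit deny at the end of the role).
    """
    dst = ipaddress.ip_address(dst_ip)
    for action, nets in rules:
        if any(dst in net for net in nets):
            return action == "permit"
    return False


# Role with no destination restriction: relies on layer-2 isolation alone.
L2_ONLY_ROLE = [("permit", [ipaddress.ip_network("0.0.0.0/0")])]

# Internet-only role: gateway first (assumption, keeps DHCP/DNS working),
# then the "user destination rfc1918-nets deny", then everything else.
INTERNET_ONLY_ROLE = [
    ("permit", [ipaddress.ip_network(GATEWAY + "/32")]),
    ("deny", RFC1918),
    ("permit", [ipaddress.ip_network("0.0.0.0/0")]),
]


def reachable(src, dst_ip, rules):
    """True if a flow from client src to dst_ip passes both enforcement points."""
    dst_name = next((n for n, c in CLIENTS.items() if c["ip"] == dst_ip), None)
    if dst_name is not None and l2_isolated(src, dst_name):
        return False          # blocked at layer 2, same MD
    return role_permits(dst_ip, rules)
```

With L2_ONLY_ROLE a client on MD1 can still reach the guest on MD2, which is the behaviour reported in the original post; INTERNET_ONLY_ROLE closes that path while leaving the gateway and public destinations reachable.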
Original Message:
Sent: Dec 07, 2022 05:42 AM
From: Danny Bosman
Subject: AOS8 - deny inter user traffic within clustered MD
We are running AOS 8.6 with 2 MDs per cluster; clients and APs are nicely balanced between both MDs.
We have a guest network where we set, at virtual AP level: deny-inter-user-traffic
This works fine for active clients connected to the same MD. However, when a client performs a network scan, it detects clients who are anchored to the other MD. It is possible to ping a client on the other MD, while pinging clients on the same MD is not.
A port scan also discovers open/blocked/closed ports on other clients (on the other MD), so this opens a security risk.
Setting a user-role that only allows traffic to the default gw on that network does not solve the issue.
It looks like the concept of "deny-inter-user-traffic" is not valid in a clustered MD setup.
Is there any other security measure we can take?
------------------------------
Danny Bosman
KBC Group - Belgium
------------------------------