Thanks all. All 3 of you contributed to a good answer. Makes much more sense now.
Original Message:
Sent: Feb 09, 2024 03:01 AM
From: lord
Subject: Deny inter user traffic and bridging
As soon as user traffic leaves the controller (in tunneled mode) or the access point (in bridge mode), the AOS no longer knows where the traffic is coming from. This is why "Deny inter user traffic" only works as long as both wifi clients are connected to the same AP or controller.
You need PEF licenses. Then you can create your own Aruba user roles. You can use L3-based ACLs in the role and thus control the traffic.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or marking it as the solution
Original Message:
Sent: Feb 08, 2024 05:08 PM
From: OCNetAdmin
Subject: Deny inter user traffic and bridging
Given that I can't do deny inter user bridging because of its global reach, can I put in a rule on the policy/role for this WLAN, a deny rule with the source and destination both being this VLAN? This shouldn't block DHCP, DNS, and other traffic to/from other VLANs/subnets, but would block inter-client traffic, I think. Or is there another way to accomplish this? Thanks.
Original Message:
Sent: Feb 08, 2024 04:42 PM
From: chulcher
Subject: Deny inter user traffic and bridging
The option "deny-inter-user-traffic" is not cluster aware and will only block IPv4 unicast packets when targeted at another client using the same controller as their user designated gateway.
https://www.arubanetworks.com/techdocs/ArubaOS_8.11.0_Web_Help/Content/arubaos-solutions/virtual-ap/conf-vap-prof.htm

When running a cluster the "deny-inter-user-bridging" command does a better job of providing client isolation, but will apply to all clients on the controller since the configuration is done at the firewall rather than VAP level. Applies to both IPv4 and IPv6, unicast and multicast.
https://www.arubanetworks.com/techdocs/ArubaOS_8.11.0_Web_Help/Content/arubaos-solutions/cluster/clus-over.htm
------------------------------
Carson Hulcher, ACEX#110
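To put the three approaches discussed in this thread side by side, here is an added ArubaOS 8 CLI configuration example. It is not taken from any of the posts or from Aruba's documentation. The VAP profile name `corp-isolated-vap`, the role name `corp-isolated`, the ACL name `isolate-corp-clients` and the subnet 10.20.30.0/24 are assumed placeholder values. It shows the per-VAP `deny-inter-user-traffic` setting, the global `firewall deny-inter-user-bridging` setting, and the role-based session ACL alternative, which denies traffic between clients of one subnet while explicitly permitting DHCP and DNS first.

```text
! --- Option 1: per-VAP setting.
! Scope: only clients on this VAP. Per the thread it is not cluster aware
! and only blocks IPv4 unicast when both clients use the same controller
! as their user-designated gateway.
wlan virtual-ap corp-isolated-vap
  deny-inter-user-traffic
!
! --- Option 2: global firewall setting.
! Scope: every client on the controller (all WLANs), IPv4 and IPv6,
! unicast and multicast. Works across a cluster.
firewall deny-inter-user-bridging
!
! --- Option 3: role-based session ACL (needs PEF).
! Scope: only clients placed in this role. Assumed subnet 10.20.30.0/24
! is the VLAN used by the isolated WLAN.
netdestination corp-isolated-subnet
  network 10.20.30.0 255.255.255.0
!
ip access-list session isolate-corp-clients
  ! Permit infrastructure services before the subnet deny so clients can
  ! still obtain addresses and resolve names.
  user any svc-dhcp permit
  user any svc-dns permit
  ! Deny anything the client sends to another address inside its own subnet.
  user alias corp-isolated-subnet any deny
  ! Traffic leaving the subnet (other VLANs, Internet) is still allowed.
  user any any permit
!
user-role corp-isolated
  access-list session isolate-corp-clients
!
```

Two practical notes on option 3. Rule order matters: the session ACL is evaluated top down, so any host that legitimately lives inside the isolated subnet (the default gateway, or a DHCP or DNS server addressed directly) needs its own permit line above the subnet deny, for example `user host 10.20.30.1 any permit` for an assumed gateway at 10.20.30.1. And, as Waldemar's post explains, a role ACL is enforced by the controller's firewall, so it only governs traffic that actually reaches the controller; in bridge mode, where the AP forwards client traffic locally, none of these three settings can see the inter-client traffic.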
Original Message:
Sent: Feb 08, 2024 03:29 PM
From: OCNetAdmin
Subject: Deny inter user traffic and bridging
I'm trying to keep clients in the same VLAN, role, and SSID from seeing/talking to each other. The WLAN is 802.1X authenticated.
I turned on "Deny inter user traffic" in both global settings (Services | Firewall) and wlan (System | Profiles | VAP). From my device (Laptop), I can ping about 1/2 of the devices.
Running Mobility Conductor 8.10.07 LSR, with two 7210 controllers.
Do I need to turn on "Deny inter traffic Bridging"? If so, will this affect the other WLANs that I have defined and am using? On some of the other WLANs, I don't want client isolation.
I'm also confused, in that quite a bit of the documentation I'm reading says the "deny inter user traffic" will block untrusted clients (see https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094138en_us as one example). Does that mean it won't work with trusted clients (whatever they are)?
Thanks for any help you can provide.