OK, so I need help with something - here is my scenario:
We do not want clients on the same network talking to each other.
On the VAP profile for our Corp & Guest network I have enabled "Deny inter user traffic"
On our corporate network we require peer-to-peer Windows updates (WUDO) - "Deny inter user traffic" broke this. As a workaround I turned off "Deny inter user traffic".
Next I added custom rules on the user role to say:
any user going to the corp subnet on the default gateway permit
any user going to the corp subnet on Windows Update ports tcp/udp 7680 permit
any user going to corp subnet deny
So this allowed Windows Update to work, and it also stopped users from communicating with each other on the corp network - but in turn this has stopped our external MS Teams (VoIP) calls from functioning.
My question is: what is the ACL deny doing differently than the "Deny inter user traffic" check box? I need to come up with a solution but am stuck at present.
Thanks