Client Isolation

The Client Isolation feature isolates clients from one another and disables all peer-to-peer communication within the network. It does this by allowing only client-to-gateway traffic to flow in the network; any other traffic from a client that is not destined to the gateway or to configured servers is not forwarded by the Instant AP. This feature enhances the security of the network by removing the direct reachability that clients would otherwise have to one another. Client Isolation can only be configured through the CLI.

When Client Isolation is configured, the Instant AP learns the IP address, subnet mask, MAC address, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network must be manually configured into this subnet table to serve clients. The destination MAC of each data packet sent by a client is validated against this subnet table, and only data packets destined to the trusted addresses in the subnet table are forwarded by the Instant AP. All other data packets are dropped.

The Client Isolation feature has the following limitations:

This feature is supported only in IPv4 networks.

This feature does not support AirGroup functionalities and affects Chromecast and Airplay services.

Configuring Client Isolation

To enable Client Isolation and disable all peer-to-peer communication, enable the deny-intra-vlan-traffic parameter in the respective WLAN SSID or wired profile. The following is the syntax to enable deny-intra-vlan-traffic under the wlan ssid-profile and wired-port-profile commands:

(Instant AP)(config) # wlan ssid-profile <profile name>

(Instant AP)(SSID Profile "<profile name>") # deny-intra-vlan-traffic

 

(Instant AP)(config) # wired-port-profile <profile name>

(Instant AP)(wired ap profile "<profile name>") # deny-intra-vlan-traffic

Aruba recommends that both Client Isolation and ARP poison check be configured for enhanced security. To configure ARP poison check, see In the Old WebUI.

Adding Wired Servers to the Subnet Table of Trusted Destinations

To add a wired server to the subnet table as a trusted server, configure the wired server with its IP or MAC address using the intra-vlan-traffic-profile command. The following is the syntax to configure wired servers in the intra-vlan-traffic-profile:

(Instant AP)(config) # intra-vlan-traffic-profile

(Instant AP)(intra-vlan-traffic) # wired-server-ip <ip>

(Instant AP)(intra-vlan-traffic) # wired-server-mac <mac>

Managing the Subnet Table of Trusted Destinations

To view the subnet table of trusted destinations in the network, use the show datapath subnet command.

(Instant AP)(config)# show datapath subnet

To clear entries in the subnet table of trusted destinations in the network, use the clear datapath subnet command. The following is the syntax to clear entries in the subnet table:

To clear all entries in the subnet table:

(Instant AP)# clear datapath subnet all

To clear entries of a specific VLAN:

(Instant AP)# clear datapath subnet vlan <id>

To clear a specific entry in a specific VLAN:

(Instant AP)# clear datapath subnet vlan <id> ip <ip>
