What is the expected behavior for ARP traffic sent from H1?

In this scenario:

All hosts are in VLAN 100

Group-Based Policy (GBP) is applied

H1 belongs to the Marketing role

Policy table for Marketing:

Source

Destination

Action

Marketing

HR

Deny

Marketing

Sales

Permit

Marketing

Finance

Deny

Role Mapping:

Sales: H2, H4

Finance: H3, H5

HR: H6

???? Key Aruba GBP Behavior for ARP

Aruba AOS-CX GBP enforces policy at L3 and L2, and ARP is not treated as unconditional broadcast when GBP roles restrict communication.

Aruba documentation states:

“ARP requests are only forwarded to ports associated with permitted roles.

ARP behavior follows the GBP access-policy rules.”

Since Marketing is only permitted to communicate with Sales, ARP from H1 must only be forwarded toward:

✅ H2 (Sales)

✅ H4 (Sales)

Interfaces:

H2 → port 1/1/1

H4 → port 1/1/3

Therefore, the ARP request is NOT flooded to Finance (H3/H5) or HR (H6), where communication is denied.

❌ Why Other Options Are Incorrect

Option

Why Wrong

B

Would ignore GBP enforcement; too wide of a flood

C

Not dropped — allowed paths exist to Sales

D

ARP is not broadcasted when GBP denies connectivity