Big Temporary Networks

William Herrin bill at
Mon Sep 24 00:44:10 UTC 2012

On Sun, Sep 23, 2012 at 3:50 PM, JÁKÓ András <jako.andras at> wrote:
>> Second, in the hotspot scenarios where this is likely to be a problem
>> (in IPv4 -or- IPv6) it's addressed by the "AP isolation" feature
>> that's getting close to omnipresent even in the low end APs. With this
>> feature enabled, stations are not allowed to talk to each other over
>> the wlan; they can only talk to hosts on the wired side of the lan.
> Not related to the original subject, nor to IPv6 usability on WLANs,
> just a small comment: As far as I understand, "AP isolation" doesn't work
> if you don't have a WLAN controller but do have more than one AP. E.g. in
> the following setup
> ap1--sw1--sw2--ap2
> with "AP isolation" turned on, clients associated to ap1 cannot
> communicate directly with other clients associated to ap1, however they
> can communicate directly with those associated to ap2. Broadcast from
> ap1's clients also gets to all clients at ap2.

Hi András,

This is one place where Cisco's "switchport protected" comes in handy.
Plug both APs into switches where the port is set to protected mode
and neither they nor the associated clients will be able to talk to
each other.

You can get the same effect with other brands. For example, in one
on-the-cheap 5-AP hotspot I did, I VLANed the APs (using an older
802.1q capable switch) back to a Linux bridge with "ebtables --insert
FORWARD --jump DROP". The Linux bridge was also the default router out
of the wlan, so anything *to* the router worked but anything that
would be forwarded was dropped instead. Works great.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004
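The bridge-based isolation Bill describes, written out as an added example (not the poster's own script): one 802.1q subinterface per AP is enslaved to a Linux bridge, and an ebtables FORWARD drop stops the bridge from relaying frames between ports while frames addressed to the bridge host itself (the default router) still arrive via INPUT. The interface names, VLAN ids and router address are assumed; DRY_RUN=1 prints the commands instead of executing them, which otherwise needs root.

```shell
#!/bin/sh
# Added example: isolated multi-AP bridge. Assumed names: br0, trunk eth1,
# VLANs 101/102, router 10.0.0.1/24. Not the original poster's script.

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"      # dry run: show the command only
    else
        "$@"
    fi
}

# Usage: build_isolated_bridge <bridge> <trunk-iface> <router-cidr> <vlan-id>...
build_isolated_bridge() {
    br=$1; trunk=$2; addr=$3; shift 3
    run ip link add "$br" type bridge
    # Install the drop before any port joins, so there is no window in which
    # clients on different APs can reach each other. FORWARD only sees frames
    # the bridge would relay between its ports; frames for the bridge host's
    # own MAC (ARP, DHCP broadcast, routed traffic) take INPUT and still work.
    run ebtables --insert FORWARD --jump DROP
    for vid in "$@"; do
        # one tagged subinterface per AP VLAN, enslaved to the bridge
        run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
        run ip link set "$trunk.$vid" master "$br"
        run ip link set "$trunk.$vid" up
    done
    run ip addr add "$addr" dev "$br"
    run ip link set "$br" up
}
```

A consequence of the FORWARD drop is that any service the clients need (DHCP, DNS, the gateway) must live on the bridge host or beyond it via routing, never on another bridge port, because port-to-port frames never get through.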

More information about the NANOG mailing list