Big Temporary Networks
jako.andras at eik.bme.hu
Mon Sep 24 07:04:07 UTC 2012
> > just a small comment: As far as I understand "AP isolation" doesn't work
> > if you don't have a WLAN controller but do have more than one AP. E.g. in
> > the following setup
> > ap1--sw1--sw2--ap2
> > with "AP isolation" turned on, clients associated to ap1 cannot
> > communicate directly with other clients associated to ap1, however they
> > can communicate directly with those associated to ap2. Broadcast from
> > ap1's clients does also get to all clients at ap2.
> Hi András,
> This is one place where Cisco's "switchport protected" comes in handy.
Yes, but only as long as all APs are connected to the same switch, as I
understand. (That's why I put two switches in the example above.)
> You can get the same effect with other brands. For example, in one
> on-the-cheap 5-AP hotspot I did, I VLANed the APs (using an older
> 802.1q-capable switch) back to a Linux bridge with "ebtables --insert
> FORWARD --jump DROP". The Linux bridge was also the default router out
> of the wlan, so anything *to* the router worked but anything that
> would be forwarded was dropped instead. Works great.
Nice, that should do the trick with multiple switches too.
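
The VLAN-per-AP bridge described in the quoted reply, written out as an added example (not code from the thread or its authors). The trunk interface, bridge name, VLAN IDs and gateway address are assumptions; only the ebtables rule is taken from the message. By default it only prints the commands.

```shell
#!/bin/sh
# Added example: each AP sits in its own VLAN at the switches, and the VLANs
# meet only on this Linux bridge, which refuses to forward between them.
TRUNK=${TRUNK:-eth0}                  # assumed 802.1q trunk toward the switches
BRIDGE=${BRIDGE:-br-wlan}             # assumed bridge name
GW_ADDR=${GW_ADDR:-192.0.2.1/24}      # assumed gateway address (documentation range)
AP_VLANS=${AP_VLANS:-"101 102 103 104 105"}   # assumed: one VLAN ID per AP
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_isolated_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set dev "$TRUNK" up
    for vid in $AP_VLANS; do
        # One VLAN sub-interface per AP, attached as a bridge port.
        run ip link add link "$TRUNK" name "${TRUNK}.${vid}" type vlan id "$vid"
        run ip link set dev "${TRUNK}.${vid}" master "$BRIDGE"
        run ip link set dev "${TRUNK}.${vid}" up
    done
    # The bridge is also the clients' default router.
    run ip addr add "$GW_ADDR" dev "$BRIDGE"
    run ip link set dev "$BRIDGE" up
    # Frames bridged from one AP VLAN to another traverse the ebtables FORWARD
    # chain and are dropped; frames addressed to the bridge itself are
    # delivered locally and are not affected by this rule.
    run ebtables --insert FORWARD --jump DROP
}

verify_isolation() {
    # List the FORWARD chain with counters; the DROP counter increases when
    # clients on different APs try to reach each other directly.
    run ebtables -L FORWARD --Lc
}

# Traffic between two clients on the same AP never reaches this bridge,
# so "AP isolation" stays enabled on every AP.
setup_isolated_bridge
verify_isolation
```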