Big Temporary Networks

JÁKÓ András jako.andras at
Mon Sep 24 07:04:07 UTC 2012

> > just a small comment: As far as I understand "AP isolation" doesn't work
> > if you don't have a WLAN controller but do have more than one APs. E.g. in
> > the following setup
> >
> > ap1--sw1--sw2--ap2
> >
> > with "AP isolation" turned on, clients associated to ap1 cannot
> > communicate directly with other clients associated to ap1, however they
> > can communicate directly with those associated to ap2. Broadcast from
> > ap1's clients does also get to all clients at ap2.
> Hi András,
> This is one place where Cisco's "switchport protected" comes in handy.

Yes, but only as long as all APs are connected to the same switch, as I 
understand. (That's why I put two switches in the example above.)

> You can get the same effect with other brands. For example, in one
> on-the-cheap 5-AP hotspot I did, I vlaned the APs (using an older
> 802.1q capable switch) back to a Linux bridge with "ebtables --insert
> FORWARD --jump DROP". The Linux bridge was also the default router out
> of the wlan, so anything *to* the router worked but anything that
> would be forwarded was dropped instead. Works great.

Nice, that should do the trick with multiple switches too.


More information about the NANOG mailing list