Configuring a Guest Wireless Network correctly!

GiuseMR

Hello everybody,

My problem is that I want to isolate the guest clients in my network.

Here is my setup:

1 x Cisco SG300-52p Switch

3 x Cisco WAP371

3 VLANs to separate and route the traffic correctly.

Up until now I have accomplished, with ACLs on the switch, that the guest clients cannot see other devices on the other VLANs, except the router for the internet of course. Now I want to expand this isolation, so that the guest clients cannot see other clients inside the guest network.

So the current situation is, when Client A and B connect to the Guest Network they can see each other. This should not be the case.

I hope that this is possible to achieve.

Thanks in advance.

EDIT:

Is the keyword here Channel Isolation? I will try that and get back with some feedback.

Hi GiuseMR,

For Autonomous mode there is the Public Secure Packet Forwarding (PSPF) option to isolate clients (use of bridge groups). For WLC architecture there is the peer to peer blocking mode available on the WLC.
The single point setup is controller-less technology with fewer features. I couldn't find any option on the web GUI for what you want to do (tried the online demo version). You might have better chances of connecting to the AP's CLI and trying to see if bridge group configuration is available?

Just a thought.

Cheers,

Hi,

I think Channel Isolation should allow you to do exactly what you are after. Here is a description of the feature taken from the Admin guide:

Channel Isolation—Enables and disables station isolation.

- When disabled, wireless clients can communicate with one another normally by sending traffic through the WAP device.

- When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients.

NOTE: Channel isolation is applicable to the clients connected to the same VAP of a single AP, but not to the clients connected to the same VAP of different APs. So the clients connected to the same VAP of a single AP fail to ping each other and the clients connected to the same VAP of different APs can ping each other successfully.
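The rule quoted above, modelled for a three-AP guest network, to show which guest pairs Channel Isolation leaves reachable. This is an added example, not part of the original post or the Admin guide; the AP names (`wap1` to `wap3`), the `guest` VAP name and the client list are constructed, and the model covers only the AP-side rule, not the switch ACLs.

```python
from itertools import combinations
from typing import NamedTuple


class Station(NamedTuple):
    name: str
    ap: str   # access point the client is associated with
    vap: str  # virtual access point (SSID) on that AP


def blocked(a, b, isolated):
    """True when the quoted rule drops traffic between a and b.

    `isolated` is the set of (ap, vap) pairs with Channel Isolation enabled.
    Only two clients on the same VAP of the same AP are blocked.
    """
    return a.ap == b.ap and a.vap == b.vap and (a.ap, a.vap) in isolated


def residual_pairs(stations, vap, isolated):
    """Client pairs on `vap` that can still exchange traffic."""
    guests = [s for s in stations if s.vap == vap]
    return sorted(
        tuple(sorted((a.name, b.name)))
        for a, b in combinations(guests, 2)
        if not blocked(a, b, isolated)
    )


# Constructed sample: five guest clients spread over three APs.
STATIONS = [
    Station("A", "wap1", "guest"),
    Station("B", "wap1", "guest"),
    Station("C", "wap2", "guest"),
    Station("D", "wap3", "guest"),
    Station("E", "wap3", "guest"),
]
# Channel Isolation enabled on the guest VAP of every AP.
ALL_ISOLATED = {(ap, "guest") for ap in ("wap1", "wap2", "wap3")}

if __name__ == "__main__":
    for pair in residual_pairs(STATIONS, "guest", ALL_ISOLATED):
        print("still reachable:", pair)
```

With isolation enabled everywhere, only the same-AP pairs are blocked; every pair that spans two APs remains reachable, which is the case the NOTE describes.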

Thank you for your answer. 

I think I will stick with channel isolation for the next time. This is currently the best setup I could get with my hardware.

Thank you for your advice. I cannot connect to the APs through the CLI. There is only the web interface.

As you suspected, my APs run without a controller with the single point setup. So there aren't any options like "bridge group", PSPF or Peer to Peer blocking mode.

Do you have any recommendations or suggestions which WLC is suitable for me? Max number of connected devices is something around 80-150 with three APs.

Thanks in advance

Hi GiuseMR,

I won't be able to advise you on a suitable WLC, however, I just wanted to mention that the WAP series are not compatible with a WLC so you will need to upgrade to Aironet APs as well.

Thanks,

Kris

Thank you for your help. I will stay with my current solution.