Hello there, did we ever get an answer on this? Still wondering if private VLAN is the way to go or perhaps protected ports, which may not bring scalability in a large wireless network.
I too would like to know if a best practice has ever been discovered for this.
I have a site that has 550 APs with 4 x 5508, so I have to use multiple controllers at this site.
Thanks in advance.
We're still using ACLs on the dynamic interfaces; not nice, but it's working fine in our environment (6 WLCs).
Very good, can you provide some sample ACL lines so we can see how that would look?
In my case the controllers are connected via Layer 2 and I'm not sure the L2 traffic of a client on Controller1 would hit the SVI before being switched to a given client on Controller2.
Config example on WLC 44xx:
wlan client net: 10.1.1.0 /24, default gateway 10.1.1.10 (dedicated router in our case)
1. 10.1.1.0 /24 -> 10.1.1.10: Permit
2. 10.1.1.10 -> 10.1.1.0 /24: Permit
3. 10.1.1.0 /24 -> 10.1.1.0 /24: Deny
4. 10.1.1.0 /24 -> 0.0.0.0 /0: Permit
5. 0.0.0.0 /0 -> 10.1.1.0 /24: Permit
In short: allow traffic to/from the default gateway, deny traffic inside the net, and allow traffic to/from the rest.
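To see why the order of those five rules matters, here is an added Python simulation of the ACL above; it is not code from the post or from Cisco. It assumes what WLC ACLs do in practice: rules are evaluated top-down, the first match wins, and anything matching no rule falls into the implicit deny. The sample flows and the 198.51.100.7 address are constructed for the example. It only models L3 addresses, so it says nothing about the Layer 2 forwarding concern raised earlier in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# One ACL entry: (source network, destination network, action).
# Assumed semantics, as on the WLC: first match wins, implicit deny at the end.
Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]


def rule(src: str, dst: str, action: str) -> Rule:
    """Build one ACL rule from CIDR strings; action is 'permit' or 'deny'."""
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


CLIENT_NET = "10.1.1.0/24"   # wlan client net from the post
GATEWAY = "10.1.1.10/32"     # dedicated default gateway from the post
ANY = "0.0.0.0/0"

# The five rules from the post, in the order given.
WLC_ACL: List[Rule] = [
    rule(CLIENT_NET, GATEWAY, "permit"),   # 1. clients -> default gateway
    rule(GATEWAY, CLIENT_NET, "permit"),   # 2. default gateway -> clients
    rule(CLIENT_NET, CLIENT_NET, "deny"),  # 3. client -> client inside the net
    rule(CLIENT_NET, ANY, "permit"),       # 4. clients -> everything else
    rule(ANY, CLIENT_NET, "permit"),       # 5. everything else -> clients
]

# Same rules with the deny moved to the bottom: rules 4 and 5 now match
# client-to-client traffic first, so the deny is never reached.
MISORDERED_ACL: List[Rule] = [WLC_ACL[0], WLC_ACL[1], WLC_ACL[3], WLC_ACL[4], WLC_ACL[2]]


def matching_rule(acl: List[Rule], src: str, dst: str) -> Optional[int]:
    """1-based index of the first rule matching src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (src_net, dst_net, _action) in enumerate(acl, start=1):
        if s in src_net and d in dst_net:
            return index
    return None


def evaluate(acl: List[Rule], src: str, dst: str, default: str = "deny") -> str:
    """Action the ACL takes for a src -> dst flow (default = implicit deny)."""
    index = matching_rule(acl, src, dst)
    return default if index is None else acl[index - 1][2]


# Constructed sample flows: (source, destination, what the post intends).
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.1.10", "permit"),     # client to gateway (rule 1)
    ("10.1.1.10", "10.1.1.20", "permit"),     # gateway back to client (rule 2)
    ("10.1.1.20", "10.1.1.30", "deny"),       # client to client (rule 3)
    ("10.1.1.20", "198.51.100.7", "permit"),  # client to outside (rule 4)
    ("198.51.100.7", "10.1.1.20", "permit"),  # return traffic (rule 5)
]


def mismatches(acl: List[Rule], flows) -> List[Tuple[str, str, str, str]]:
    """Flows where the ACL's decision differs from the intended one.

    Each entry is (src, dst, actual, expected); an empty list means the ACL
    enforces the intended policy for every sample flow.
    """
    result = []
    for src, dst, expected in flows:
        actual = evaluate(acl, src, dst)
        if actual != expected:
            result.append((src, dst, actual, expected))
    return result


if __name__ == "__main__":
    for name, acl in (("as posted", WLC_ACL), ("deny moved last", MISORDERED_ACL)):
        print(f"{name}: mismatches = {mismatches(acl, SAMPLE_FLOWS)}")
```

Running it shows the posted order enforces the intended policy for every sample flow, while the reordered copy lets 10.1.1.20 reach 10.1.1.30 because rule 4 matches before the deny. The same check is worth repeating whenever a rule is added to the ACL on a production controller.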