cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2001
Views
5
Helpful
6
Replies

Configuring a Guest Wireless Network correctly!

GiuseMR
Level 1
Level 1

Hello everybody, 

 

my problem is that I want to isolate the Guest Clients in my network. 

Here is my Setup: 

1 x Cisco SG300-52p Switch

3 x Cisco WAP371

3 Vlans to separate and route the traffic correctly. 

 

Up until now I accomplished with ACLs on the switch, that the guest clients cannot see other devices on the other VLANs except the router for the internet of course. Now I want to expand this isolation, so that the guest clients cannot see other clients inside the guest network. 

 

So the current situation is, when Client A and B connect to the Guest Network they can see each other. This should not be the case. 

 

I hope that this is possible to achieve. 

 

Thanks in advance. 

 

EDIT: 

Is the keyword here Channel Isolation? I will try that and get back with some feedback.

2 Accepted Solutions

Accepted Solutions

Hi GiuseMR,

For Autonomous mode there is the Public Secure Packet Forwarding (PSPF) option to isolate clients (use of bridge groups). For WLC architecture there is the peer to peer blocking mode available on the WLC.
The single point setup is controller-less technology with fewer features. I couldn't find any option on the web gui for what you want to do (tried the online demo version). You might have better chances of connecting to the AP's CLI and trying to see if bridge group configuration is available?

Just a thought.

Cheers,

View solution in original post

Hi,

I think Channel Isolation should allow you to do exactly what you are after. Here is a description of the feature taken from the Admin guide:

Channel Isolation

—Enables and disables station isolation.

- When disabled, wireless clients can communicate with one another normally by sending traffic through the WAP device.

- When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients.

NOTE Channel isolation is applicable to the clients connected to the same VAP of a single AP, but not to the clients connected to the same VAP of different APs. So the clients connected to same VAP of a single AP fail to ping each other and the clients connected to same VAP of different APs can ping each other successfully

View solution in original post

6 Replies 6

Hi GiuseMR,

For Autonomous mode there is the Public Secure Packet Forwarding (PSPF) option to isolate clients (use of bridge groups). For WLC architecture there is the peer to peer blocking mode available on the WLC.
The single point setup is controller-less technology with fewer features. I couldn't find any option on the web gui for what you want to do (tried the online demo version). You might have better chances of connecting to the AP's CLI and trying to see if bridge group configuration is available?

Just a thought.

Cheers,

Hi,

I think Channel Isolation should allow you to do exactly what you are after. Here is a description of the feature taken from the Admin guide:

Channel Isolation

—Enables and disables station isolation.

- When disabled, wireless clients can communicate with one another normally by sending traffic through the WAP device.

- When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients.

NOTE Channel isolation is applicable to the clients connected to the same VAP of a single AP, but not to the clients connected to the same VAP of different APs. So the clients connected to same VAP of a single AP fail to ping each other and the clients connected to same VAP of different APs can ping each other successfully

Thank you for your answer. 

I think I will stick with channel isolation for the next time. This is currently the best setup I could get with my hardware.

Thank you for your advice. I cannot connect to the AP's through the CLI. There is only the web interface. 

As you suspected my AP's run without a controller with the single point setup. So there aren't any options like "bridge group", PSPF or Peer to Peer blocking mode. 

 

Do you have any recommendations or suggestions which WLC is suitable for me? Max number of connected devices are something around 80-150 with three AP's. 

 

Thanks in advance 

Hi GuiseMR,

I won't be able to advise you on a suitable WLC, however, I just wanted to mention that the WAP series are not compatible with a WLC so you will need to upgrade to Aironet APs as well.

Thanks,

Kris

Thank you for you help. I will stay with my current solution.