04-03-2018 02:14 AM - edited 03-21-2019 10:50 AM
Hello everybody,
my problem is that I want to isolate the Guest Clients in my network.
Here is my Setup:
1 x Cisco SG300-52p Switch
3 x Cisco WAP371
3 VLANs to separate and route the traffic correctly.
Up until now I have accomplished, with ACLs on the switch, that the guest clients cannot see other devices on the other VLANs, except the router for the internet of course. Now I want to expand this isolation, so that the guest clients cannot see other clients inside the guest network.
So the current situation is, when Client A and B connect to the Guest Network they can see each other. This should not be the case.
I hope that this is possible to achieve.
Thanks in advance.
EDIT:
Is the keyword here Channel Isolation? I will try that and get back with some feedback.
04-03-2018 04:25 AM
04-03-2018 08:47 AM
Hi,
I think Channel Isolation should allow you to do exactly what you are after. Here is a description of the feature taken from the Admin guide:
Channel Isolation—Enables and disables station isolation.
- When disabled, wireless clients can communicate with one another normally by sending traffic through the WAP device.
- When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients.
NOTE: Channel isolation is applicable to the clients connected to the same VAP of a single AP, but not to the clients connected to the same VAP of different APs. So the clients connected to same VAP of a single AP fail to ping each other and the clients connected to same VAP of different APs can ping each other successfully.
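Added example, not part of the original post or of Cisco's documentation: a small audit that applies only the rule quoted above to a client association table and lists the guest pairs that channel isolation does not separate. The client names, AP names and the "Guest"/"Office" VAP names are constructed, and switch ACLs are not modelled.

```python
from itertools import combinations
from typing import NamedTuple, Optional


class Client(NamedTuple):
    name: str
    ap: Optional[str]   # AP the client is associated with; None for a wired device
    vap: Optional[str]  # VAP on that AP; None for a wired device


def blocked(a: Client, b: Client, isolation_enabled: bool = True) -> bool:
    """True when the quoted rule says the AP drops traffic between a and b."""
    if not isolation_enabled:
        return False
    both_wireless = a.ap is not None and b.ap is not None
    # Isolation applies only to wireless clients on the same VAP of the same AP.
    return both_wireless and a.ap == b.ap and a.vap == b.vap


def exposed_pairs(clients, vap: str, isolation_enabled: bool = True):
    """Pairs of wireless clients on `vap` that can still reach each other."""
    guests = [c for c in clients if c.ap is not None and c.vap == vap]
    return [(a.name, b.name) for a, b in combinations(guests, 2)
            if not blocked(a, b, isolation_enabled)]


# Constructed association table for a three-AP setup (assumed names).
SAMPLE = [
    Client("phone-a", "wap1", "Guest"),
    Client("laptop-b", "wap1", "Guest"),
    Client("tablet-c", "wap2", "Guest"),
    Client("laptop-d", "wap3", "Guest"),
    Client("staff-e", "wap1", "Office"),
    Client("printer", None, None),
]

if __name__ == "__main__":
    for pair in exposed_pairs(SAMPLE, "Guest"):
        print("still reachable:", pair)
```

Only the pair sharing wap1 is separated; every guest pair that spans two APs remains reachable and needs a control outside the AP.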
04-03-2018 08:50 AM
Thank you for your answer.
I think I will stick with channel isolation for the next time. This is currently the best setup I could get with my hardware.
04-03-2018 08:55 AM
Thank you for your advice. I cannot connect to the APs through the CLI. There is only the web interface.
As you suspected, my APs run without a controller with the single point setup. So there aren't any options like "bridge group", PSPF or Peer to Peer blocking mode.
Do you have any recommendations or suggestions which WLC is suitable for me? The max number of connected devices is something around 80-150 with three APs.
Thanks in advance
04-03-2018 11:43 PM
Hi GuiseMR,
I won't be able to advise you on a suitable WLC, however, I just wanted to mention that the WAP series are not compatible with a WLC so you will need to upgrade to Aironet APs as well.
Thanks,
Kris
04-04-2018 02:02 AM
Thank you for your help. I will stay with my current solution.