03-28-2008 08:43 AM - edited 07-03-2021 03:36 PM
Looking for a way to set up a wireless network and have the ability to deny client-to-client access between hosts on the AP.
03-29-2008 10:52 AM
Hi Chris,
Just to add a note to the great info from Scott (5 points for this one Scott :) This is possible in Autonomous AP's as well;
Enabling and Disabling Public Secure Packet Forwarding
Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses.
--------------------------------------------------------------------------------
Note: To prevent communication between clients associated to different access points, you must set up protected ports on the switch to which your access points are connected. See the "Configuring Protected Ports" section for instructions on setting up protected ports.
--------------------------------------------------------------------------------
To enable and disable PSPF using CLI commands on your access point, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document:
• Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htm
You can also enable and disable PSPF using the web-browser interface. The PSPF setting is on the Radio Settings pages.
PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:
Step    Command                               Purpose
Step 1  configure terminal                    Enter global configuration mode.
Step 2  interface dot11radio { 0 | 1 }        Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3  bridge-group group port-protected     Enable PSPF.
Step 4  end                                   Return to privileged EXEC mode.
Step 5  copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the command to disable PSPF.
Hope this helps!
Rob
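A way to check the result of the steps above: this added example (not part of the original posts or of Cisco's documentation) parses a saved running-config and reports which Dot11Radio interfaces and sub-interfaces carry a bridge group without `port-protected`. The sample configuration, VLAN numbers and function names are constructed for illustration; it checks only the AP's radio interfaces, not protected ports on the switch.

```python
import re

# Constructed sample running-config for an autonomous AP (not from the thread).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 no ip address
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 no bridge-group 1 source-learning
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 port-protected
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
VLAN_RE = re.compile(r"^\s+encapsulation\s+dot1Q\s+(\d+)", re.IGNORECASE)
# Leading whitespace is required, so "no bridge-group ..." lines never match.
BG_RE = re.compile(r"^\s+bridge-group\s+(\d+)(?:\s+(\S+))?\s*$")

def audit_pspf(config_text):
    """Map each radio (sub)interface to its VLAN, bridge group and PSPF state."""
    result, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # start of an interface block; only radio interfaces are tracked
            name = m.group(1)
            current = name if name.lower().startswith("dot11radio") else None
            continue
        if not line.startswith(" "):  # "!" or a global command ends the block
            current = None
        if current is None:
            continue
        vlan, bg = VLAN_RE.match(line), BG_RE.match(line)
        if vlan or bg:
            entry = result.setdefault(
                current, {"vlan": None, "bridge_group": None, "pspf": False})
            if vlan:
                entry["vlan"] = int(vlan.group(1))
            if bg:
                entry["bridge_group"] = int(bg.group(1))
                entry["pspf"] = entry["pspf"] or bg.group(2) == "port-protected"
    return result

def unprotected_radios(config_text):
    """Radio (sub)interfaces that bridge traffic but do not have PSPF enabled."""
    return sorted(name for name, e in audit_pspf(config_text).items()
                  if e["bridge_group"] is not None and not e["pspf"])
```
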
03-29-2008 10:42 AM
If you are running LWAP's and WLC 4.2 you can enable P2P Blocking. I don't think you can configure anything on Autonomous AP's though.
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html
03-29-2008 04:34 PM
Got to give you credit on this too.... had no clue about doing this on autonomous AP's.
04-14-2008 07:54 AM
Rob, et al:
I have distinct ssid's, vlan's, bridge-group's, and dot11radio{0,1} sub interfaces on autonomous AP's dot1q trunked to a l3 switch.
I applied bridge-group n port-protected to dot11radio sub-interface used by the guest ssid. This does seem to disable host-to-host communication on this ssid on this AP.
I understand that to disable host communication on the same ssid between different AP's trunked to the same switch, I need to configure switchport protected on each trunk interface.
I have other privileged ssid's/bridge-groups configured on the AP's with no bridge-group port-protected.
Won't applying switchport protected disable communications between these privileged hosts on different AP's?
Thanks.