
Intra-BSS Security

CSCO11733516
Level 1

How would you implement Intra-BSS Security, so that users utilizing the same AP could not speak to each other?  For example, user A could not ping user B.

Could you do the same as above, even if the users were on the same subnet?

It is my understanding that a solution to prevent Intra-BSS communication would not be applicable for a WDS - is this correct?

3 Replies

Stephen Rodriguez
Cisco Employee

No, it would be applicable across the SSID, no matter if you are using WDS or not.

In the GUI it's called PSPF, Public Secure Packet Forwarding

From the CLI you would put this under the radio sub-interface.

bridge-group <group-number> port-protected

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Stephen-

So to clarify, you would enable this on a per WLAN basis.  Then any client connected to that SSID, regardless of their IP Subnet or the AP they are connected to - would not be able to speak to each other, correct?

Part II of that question, so does that mean I would not need to apply any type of ACL and just enable the listed setting?

maldehne
Cisco Employee

PSPF will do the job.

Different scenarios to use it:

1) Preventing users on the same SSID/VLAN on the same AP

All you need to do is configure bridge-group <#> port-protected under the radio interface on which the SSID is enabled.

2) Users on different SSIDs/VLANs on the same AP

On the AP, you need to configure an IP outbound filter (ACL) under each dot1q Ethernet sub-interface to filter out the client-to-client traffic.

3) Users on the same SSID/VLAN on different APs

You need to configure an IP outbound filter under each dot1q Ethernet sub-interface to filter out client-to-client traffic

or

on the AP, configure bridge-group <#> port-protected under the dot11radio sub-interface, and on the switch configure switchport protected for the switch ports of the APs.

-----------------------------------------------------------------------------------------------

Please Make sure to rate correct answers
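As an added worked example (not the posters' own configurations), the following shows how the bridge-group command from Stephen's reply and the three scenarios in maldehne's reply fit together on an autonomous IOS access point and its access switch. SSID names, VLAN numbers, subnets, ACL numbers and interface names are assumed for illustration; the ACL placement follows the description above (outbound on each dot1Q Ethernet sub-interface).

```cisco
! ===== Autonomous (IOS) access point: constructed example =====
! VLAN 20 carries SSID GUEST, VLAN 30 carries SSID STAFF (assumed values).
dot11 ssid GUEST
 vlan 20
 authentication open
 guest-mode
!
dot11 ssid STAFF
 vlan 30
 authentication open
!
interface Dot11Radio0
 no ip address
 ssid GUEST
 ssid STAFF
 station-role root
!
! Scenario 1: PSPF. "port-protected" on the radio sub-interface stops one
! wireless client from reaching another in the same bridge group on this AP.
! It works at layer 2, so it applies even when both clients share a subnet.
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 port-protected
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
 bridge-group 30 port-protected
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
! Scenario 2: clients on different VLANs reach each other through the router,
! so PSPF does not see that traffic. An outbound IP filter on each dot1Q
! Ethernet sub-interface drops traffic sourced from one client VLAN and
! destined to the other. Subnets 10.0.20.0/24 and 10.0.30.0/24 are assumed.
access-list 101 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 102 permit ip any any
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 ip access-group 101 out
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 ip access-group 102 out
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled

! ===== Access switch: scenario 3, two APs on the same switch =====
! Protected ports never forward layer-2 traffic directly to each other, so a
! client on AP-1 cannot reach a client on AP-2 in the same VLAN. The uplink
! to the router stays unprotected so clients keep reaching their gateway.
interface GigabitEthernet1/0/1
 description AP-1 trunk
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 switchport protected
!
interface GigabitEthernet1/0/2
 description AP-2 trunk
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 switchport protected
```

Two caveats a practitioner should keep in mind. First, switchport protected only isolates ports on the same switch; if the APs hang off different switches, the clients can still talk through the inter-switch link, and you fall back to the ACL approach (or private VLANs) for that path. Second, an outbound filter on the Ethernet sub-interface only catches traffic the AP itself forwards, so a cross-VLAN filter like the one above should be checked end to end (for example, by pinging between two associated clients) rather than assumed from the configuration alone.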
