Disable client to client communication

Answered Question
Mar 28th, 2008

Looking for a way to setup a wireless network and have the ability to deny client to client access between hosts on the AP.

Overall Rating: 5 (4 ratings)
Scott Fella Sat, 03/29/2008 - 10:42

If you are running LWAP's and WLC 4.2 you can enable P2P Blocking. I don't think you can configure anything on Autonomous AP's though.


http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html

Correct Answer
Rob Huffman Sat, 03/29/2008 - 10:52

Hi Chris,


Just to add a note to the great info from Scott (5 points for this one Scott :) This is possible in Autonomous AP's as well;



Enabling and Disabling Public Secure Packet Forwarding

Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses.




--------------------------------------------------------------------------------


Note: To prevent communication between clients associated to different access points, you must set up protected ports on the switch to which your access points are connected. See the "Configuring Protected Ports" section for instructions on setting up protected ports.



--------------------------------------------------------------------------------


To enable and disable PSPF using CLI commands on your access point, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document:


• Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htm


You can also enable and disable PSPF using the web-browser interface. The PSPF setting is on the Radio Settings pages.


PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:



        Command                              Purpose
Step 1  configure terminal                   Enter global configuration mode.
Step 2  interface dot11radio { 0 | 1 }       Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3  bridge-group group port-protected    Enable PSPF.
Step 4  end                                  Return to privileged EXEC mode.
Step 5  copy running-config startup-config   (Optional) Save your entries in the configuration file.




Use the no form of the command to disable PSPF.


http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15rf.html#wp1038494


Hope this helps!

Rob
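
Added example, not part of the thread or of Cisco's documentation: a Python check over a saved autonomous-AP configuration that reports which Dot11Radio interfaces and sub-interfaces carry a bridge group without `port-protected`. The sample configuration, the function names and the guest bridge-group number 30 are constructed for illustration, and the script assumes PSPF appears in the saved config as a `bridge-group <n> port-protected` line under the radio interface, as in the command above.

```python
import re

# Constructed, abbreviated running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
 bridge-group 30 port-protected
!
interface Dot11Radio1.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface FastEthernet0.30
 bridge-group 30
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
BRIDGE_RE = re.compile(r"^\s+bridge-group\s+(\d+)(?:\s+(\S+))?", re.IGNORECASE)


def pspf_status(config_text):
    """Map each Dot11Radio (sub)interface to {bridge_group: pspf_enabled}."""
    status, current = {}, None
    for line in config_text.splitlines():
        iface = IFACE_RE.match(line)
        if iface:
            # PSPF is set on radio interfaces; wired interfaces are skipped.
            is_radio = iface.group(1).lower().startswith("dot11radio")
            current = status.setdefault(iface.group(1), {}) if is_radio else None
            continue
        bridge = BRIDGE_RE.match(line)
        if bridge is None or current is None:
            continue
        group = int(bridge.group(1))
        protected = (bridge.group(2) or "").lower() == "port-protected"
        current[group] = current.get(group, False) or protected
    return status


def unprotected(config_text, guest_groups):
    """Radio interfaces whose guest bridge group lacks port-protected."""
    return sorted(i for i, groups in pspf_status(config_text).items()
                  if any(g in guest_groups and not on for g, on in groups.items()))
```

On the sample, `unprotected(SAMPLE_CONFIG, {30})` flags the 5-GHz guest sub-interface, where the bridge group is present but PSPF was only applied on radio 0.
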


Scott Fella Sat, 03/29/2008 - 16:34

Got to give you credit on this too.... had no clue about doing this on autonomous AP's.

steve.dutky Mon, 04/14/2008 - 07:54

Rob, et al:


I have distinct ssid's, vlan's, bridge-group's, and dot11radio{0,1} sub interfaces on autonomous AP's dot1q trunked to a l3 switch.


I applied bridge-group n port-protected to dot11radio sub-interface used by the guest ssid. This does seem to disable host-to-host communication on this ssid on this AP.


I understand that to disable host communication on the same ssid between different AP's trunked to the same switch, I need to configure switchport protected on each trunk interface.


I have other privileged ssid's/bridge-groups configured on the AP's with no bridge-group port-protected.


Won't applying switchport protected disable communications between these privileged hosts on different AP's?


Thanks.

