AP to AP peer-to-peer blocking

Unanswered Question
Aug 4th, 2009

If you have two autonomous AP's, both with the same user vlan and subnet, is there a way to block users from one AP communicating with users on the second AP.

I know you can use PSPF for users connected to the same AP but need the best way to stop them when connected to seperate AP's in same vlan.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
rob.huffman Tue, 08/04/2009 - 10:17

Hi Mat,

Here is the second part of the config for using PSPF;

Configuring Protected Ports

To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected. Follow these steps to set up protected ports on your switch:

Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:

Command Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface interface-id

Enter interface configuration mode, and enter the type and number of the switchport interface to configure, such as gigabitethernet0/1.

Step 3

switchport protected

Configure the interface to be a protected port.

Step 4


Return to privileged EXEC mode.

Step 5

show interfaces interface-id switchport

Verify your entries.

Step 6

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable protected port, use the no switchport protected interface configuration command.


Hope this helps!


mat.edwards Tue, 08/04/2009 - 10:29

Thanks Rob that is exactly what I was looking for.

Following the link I am quickly realising that I am being lazy and should have read through the config guide before posting -5 points to me!

rob.huffman Tue, 08/04/2009 - 12:02

Hey Mat,

No worries my friend! Haven't we all missed something in these endless reams of docs, I know I have :)



mat.edwards Wed, 08/05/2009 - 00:06

just to add more into the mix. The user VLAN will be layer 3 so presumably the users will be able to communicate via the SVI? Can you use an ACL to prevent users in the same vlan communicating or will I need to move over to Private VLANs?

Also there would be two interconnected switches in the same user vlan.


This Discussion



Trending Topics - Security & Network