How to prevent communication between client devices connected to different Access Points (APs) on a WLAN
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
•A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device.
•Forwarding behavior between a protected port and a non protected port proceeds as usual.
Default Protected Port Configuration
The default is to have no protected ports defined.
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Configuring a Protected Port
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
Enter global configuration mode.
Enter interface configuration mode, and enter the type and number of the interface to configure, for example gigabitethernet0/1.
Configure the interface to be a protected port.
Return to privileged EXEC mode.
show interfaces interface-idswitchport
Verify your entries.
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable protected port, use the no switchport protected interface configuration command.
This example shows how to configure a port as a protected port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
WLAN adapters (wireless card) / ACU (Aironet Client Utility)