[156709] in North American Network Operators' Group


Re: Big Temporary Networks

daemon@ATHENA.MIT.EDU (JÁKÓ András)
Mon Sep 24 03:04:41 2012

Date: Mon, 24 Sep 2012 09:04:07 +0200 (CEST)
From: JÁKÓ András <jako.andras@eik.bme.hu>
To: William Herrin <bill@herrin.us>
In-Reply-To: <CAP-guGXQPgfT88vq7+JN__hzHJH6qF+aGc9TtabPNt0jL+Sd2Q@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> > just a small comment: As far as I understand "AP isolation" doesn't work
> > if you don't have a WLAN controller but do have more than one AP. E.g. in
> > the following setup
> >
> > ap1--sw1--sw2--ap2
> >
> > with "AP isolation" turned on, clients associated to ap1 cannot
> > communicate directly with other clients associated to ap1, however they
> > can communicate directly with those associated to ap2. Broadcast from
> > ap1's clients does also get to all clients at ap2.
>
> Hi András,
>
> This is one place where Cisco's "switchport protected" comes in handy.

Yes, but only as long as all APs are connected to the same switch, as I
understand. (That's why I put two switches in the example above.)

> You can get the same effect with other brands. For example, in one
> on-the-cheap 5-AP hotspot I did, I vlaned the APs (using an older
> 802.1q capable switch) back to a Linux bridge with "ebtables --insert
> FORWARD --jump DROP". The Linux bridge was also the default router out
> of the wlan, so anything *to* the router worked but anything that
> would be forwarded was dropped instead. Works great.

Nice, that should do the trick with multiple switches too.

Regards,
András
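
A small layer-2 reachability model of the designs discussed in this thread, added here as an illustration and not code from either poster. Device, port and VLAN names are constructed; it assumes protected ports isolate only within one switch, as the message above understands, and that per-AP VLANs give each AP a private segment to the Linux bridge.

```python
from collections import deque

def wire(*links):
    """Parse "dev:port-dev:port" strings into a symmetric link table."""
    table = {}
    for link in links:
        a, b = (tuple(end.split(":")) for end in link.split("-"))
        table[a], table[b] = b, a
    return table

def policy(protected=(), drop_forward=()):
    """Per-hop forwarding decision for the three controls named in the thread."""
    def allow(dev, inp, out):
        if dev.startswith("ap") and inp.startswith("wl") and out.startswith("wl"):
            return False   # "AP isolation": no client-to-client on the same AP
        if (dev, inp) in protected and (dev, out) in protected:
            return False   # protected ports only block each other on one switch
        if dev in drop_forward and "local" not in (inp, out):
            return False   # bridge FORWARD is dropped; INPUT/OUTPUT still pass
        return True
    return allow

def reachable(links, allow, src, dst):
    """True if a frame sent by endpoint src can be delivered to endpoint dst."""
    start = links[(src, "nic")]
    queue, seen = deque([start]), {start}
    while queue:
        dev, inp = queue.popleft()
        if dev == dst:
            return True
        for d, out in links:
            nxt = links[(d, out)]
            if d == dev and out != inp and nxt not in seen and allow(dev, inp, out):
                seen.add(nxt)
                queue.append(nxt)
    return False

# Constructed topologies: clients a1 and a2 on ap1, client b1 on ap2.
WLAN = ("a1:nic-ap1:wl_a1", "a2:nic-ap1:wl_a2", "b1:nic-ap2:wl_b1")
TWO_SW = wire(*WLAN, "ap1:eth-sw1:p1", "sw1:up-sw2:up", "sw2:p1-ap2:eth", "router:nic-sw1:p2")
ONE_SW = wire(*WLAN, "ap1:eth-sw1:p1", "ap2:eth-sw1:p3", "router:nic-sw1:p2")
# Each AP VLAN is a private segment to br0, so the switches are collapsed here.
HUB = wire(*WLAN, "ap1:eth-br0:vlan11", "ap2:eth-br0:vlan12", "router:nic-br0:local")
AP_PORTS = {("sw1", "p1"), ("sw1", "p3"), ("sw2", "p1")}
CASES = {"AP isolation only, 2 switches": (TWO_SW, policy()),
         "protected AP ports, 2 switches": (TWO_SW, policy(AP_PORTS)),
         "protected AP ports, 1 switch": (ONE_SW, policy(AP_PORTS)),
         "per-AP VLAN to bridge, FORWARD DROP": (HUB, policy(drop_forward={"br0"}))}
for name, (links, allow) in CASES.items():
    print(name, {d: reachable(links, allow, "a1", d) for d in ("a2", "b1", "router")})
```

Only the last two cases keep a1 from reaching b1 while leaving the router reachable, and only the bridge design does so with the APs on different switches.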
