Friday, 8 March 2013

Peer-to-Peer Blocking on Autonomous AP

In the CCIE wireless written exam blue print there is a section under Configure and Troubleshoot Autonomous AP deployment model, point 4.05(d) regarding peer-to-peer blocking. In my experience with WLC it is relatively straightforward to configure (an there is plenty of documentation). But it took some time to find out how to configure it on an Autonomous AP.

Firstly, It makes sense that on a guest wireless network you don't want to expose hosts on the same subnet to each other, for security reason. But if the Autonomous AP is configured in a default state it will happily forwarding frames at layer 2 between hosts on the same SSID  - this is where p2p blocking comes in.
As mentioned It took me some time to figure out how to exactly configure it

In this case I have a MBSSID configured on radio sub interface d0.10

Int d0.10
bridge-group 10 port-protected

This resulted in a failed ping between hosts connected to that ssid, what was interested to note was that hosts connected to different SSID on the same Autonomous AP could communicate with the 'guest' SSID even after I enabled protected mode. However, that makes sense as the AP is only blocking layer 2 communication. Once the packet reaches layer 3 (bound for another wireless host) the p2p command is no longer relavant because the hosts are not layer 2 peers.

I applied an ACL on the radio interface blocking communication to the 'Corporate WLAN' subnet and that solved the issue.

Note: If you had another autonomous AP broadcasting the same Guest SSID, they would be able to communicate. Security would need to be enabled on the wired infrastructure in the form of Private VLAN configuration.

Thanks to

No comments:

Post a Comment