Sunday, March 12, 2017

Configuring Public Secure Packet Forwarding (PSPF) on Cisco Autonomous Access Point

You can isolate the wireless clients on an SSID so that they cannot communicate with each other (ping, file sharing, etc.). The feature is called Public Secure Packet Forwarding (PSPF), and it prevents the exchange of unicast, broadcast, or multicast traffic between protected ports. So I tried this feature in my wireless lab before implementing it on a live network.


I've created the SSID PSPF-WIFI on the Cisco Autonomous (Standalone) AP and received a DHCP IP address from the DHCP server configured on the router. There's a warning displayed under the Wi-Fi Setting Security Recommendation since I didn't configure any authentication on the SSID, which is acceptable for lab purposes only.



Below were the wireless devices associated with the AP.

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [PSPF-WIFI] :

MAC Address    IP address      IPV6 address                           Device        Name            Parent         State
20a2.e410.e71f 192.168.1.8     ::                                     unknown       -               self           Assoc
4c57.caab.2d47 192.168.1.7     ::                                     unknown       -               self           Assoc
d025.9890.1cd9 192.168.1.6     ::                                     unknown       -               self           Assoc
ec55.f901.f90c 192.168.1.11    ::                                     ccx-client    -               self           Assoc


There's an iPhone app called Fing which is a handy network scanner. Just tap the Refresh/Start button (the round arrow icon in the upper right-hand corner) to start scanning the wireless network the iPhone has joined.



There's another iPhone app called Network Ping Lite, which I used to do a ping scan of my wireless network. I pinged the subnet 192.168.1.0 first (tap the task Ping Subnet) before doing individual pings (tap Ping).


There were only a few wireless devices (highlighted in green), so I stopped the ping (tap Stop) when it reached .15 (192.168.1.15).


I was able to initially ping 192.168.1.7 (an iPhone) and 192.168.1.11 (my PC).



My PC was also connected to PSPF-WIFI and I tried to ping other wireless devices on the network.

C:\Users\John Lloyd>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection* 27:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::591:a686:6d91:7d3b%13
   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\John Lloyd>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=9ms TTL=54
Reply from 8.8.8.8: bytes=32 time=11ms TTL=54
Reply from 8.8.8.8: bytes=32 time=8ms TTL=54
Reply from 8.8.8.8: bytes=32 time=18ms TTL=54

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 18ms, Average = 11ms


C:\Users\John Lloyd>ping 192.168.1.7     // CAN'T PING OTHER SMARTPHONE IP ADDRESS

Pinging 192.168.1.7 with 32 bytes of data:
Reply from 192.168.1.7: bytes=32 time=109ms TTL=64
Reply from 192.168.1.7: bytes=32 time=41ms TTL=64
Reply from 192.168.1.7: bytes=32 time=24ms TTL=64
Reply from 192.168.1.7: bytes=32 time=40ms TTL=64

Ping statistics for 192.168.1.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 109ms, Average = 53ms


I configured bridge-group <BRIDGE GROUP> port-protected under the Dot11Radio interface only, not on the wired GigabitEthernet0 uplink.

ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#interface Dot11Radio0
ap(config-if)# bridge-group ?
  <1-255>  Assign an interface to a Bridge Group.

ap(config-if)# bridge-group 1 ?
  block-unknown-source       block traffic which come from unknown source MAC
                             address
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a
                             group list
  input-lat-service-permit   Permit input LAT service advertisements matching a
                             group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-pattern-list         Filter input with a pattern list
  input-type-list            Filter incoming Ethernet packets by type code
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a
                             group list
  output-lat-service-permit  Permit output LAT service advertisements matching
                             a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-pattern-list        Filter output with a pattern list
  output-type-list           Filter outgoing Ethernet packets by type code
  path-cost                  Set interface path cost
  port-protected             There will be no traffic between this interface
                             and other protected port interface in this bridge
                             group
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  subscriber-loop-control    Configure subscriber loop control
  unicast-flooding           flood packets with unknown unicast destination MAC
                             addresses
  <cr>

ap(config-if)#bridge-group 1 port-protected


I wasn't able to ping the wireless devices after the command was applied.



The wireless devices were grayed out after I ran the Fing app again.


I couldn't ping the Internet (Google DNS 8.8.8.8) when I also applied bridge-group <BRIDGE GROUP> port-protected on the LAN interface (GigabitEthernet0). Protected ports in the same bridge group don't forward traffic to each other, so with both the radio and the wired uplink protected, the wireless clients lost their path to the distribution system.


Below is the working config of the Cisco Autonomous AP.

ap#show run
Building configuration...

Current configuration : 1766 bytes
!
! Last configuration change at 01:05:22 UTC Sat Jan 1 2000
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$6YNS$Cwqo8igOXBbEsL4LgxGQ/1
enable password 7 01100F175804
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid PSPF-WIFI
   authentication open
   guest-mode
!
!
!
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 ssid PSPF-WIFI
 !
 antenna gain 0
 stbc
 beamform ofdm
 channel 2437
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected      // EITHER CONFIGURE ON Dot11Radio0 (2.4 GHz) OR Dot11Radio1 (5GHz) (OR BOTH)
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode wep mandatory
 antenna gain 0
 peakdetect
 dfs band 3 block
 stbc
 beamform ofdm
 channel 5180
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0       // NO NEED TO CONFIGURE bridge-group <BRIDGE GROUP> port-protected ON LAN INTERFACE (GOING TO DISTRIBUTION SYSTEM/INTERNET)
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address c08c.601f.247d
 ip address 192.168.1.3 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
banner motd ^C

*** AP ***

^C
!
line con 0
line vty 0 4
 password 7 14141B180F0B
 login
 transport input all
!
end
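To check that the placement shown in the config above is what actually ended up on an AP, here is an added Python audit (example code, not from the original post or from Cisco) that parses the interface stanzas of a `show run` dump and flags a Dot11Radio interface in a bridge group without `port-protected`, or a GigabitEthernet uplink that has it; the embedded sample config is constructed for the example, not the post's.

```python
import re
# Constructed sample: Dot11Radio1 lacks port-protected, uplink wrongly has it.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
!
interface Dot11Radio1
 bridge-group 1
!
interface GigabitEthernet0
 bridge-group 1
 bridge-group 1 port-protected
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped indented lines."""
    sections, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # '!' or any non-indented line ends the stanza
    return sections

def _bridge_groups(lines, option=""):
    # Bridge-group numbers from lines of the form 'bridge-group N <option>'
    pat = re.compile(r"^bridge-group (\d+)" + option + r"$")
    return {m.group(1) for m in map(pat.match, lines) if m}

def audit_pspf(config):
    """Return (interface, finding) tuples; an empty list means compliant."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        member = _bridge_groups(lines)
        protected = _bridge_groups(lines, " port-protected")
        if name.startswith("Dot11Radio"):
            # A radio without port-protected still lets its clients reach each other.
            for g in sorted(member - protected):
                findings.append((name, f"bridge-group {g} missing port-protected"))
        elif name.startswith("GigabitEthernet") and protected:
            # Protecting the uplink too cuts clients off from the wired side.
            findings.append((name, "port-protected set on wired uplink"))
    return findings
```

Run `audit_pspf(open("show-run.txt").read())` against a saved config; the post's working config yields an empty list.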
