You can isolate the wireless clients on an SSID from communicating with each other (ping, file sharing, and so on). On a Cisco Autonomous AP the feature is called Public Secure Packet Forwarding (PSPF), which prevents the exchange of unicast, broadcast, or multicast traffic between protected ports in a bridge group. I tried the feature on my wireless lab before implementing it on a live network.
I created the SSID PSPF-WIFI on the Cisco Autonomous (Standalone) AP, and the wireless clients received DHCP addresses from the router. The Wi-Fi Settings security recommendation showed a warning because I didn't configure any authentication on the SSID, which is acceptable for lab purposes only.
Below were the wireless devices associated to the AP.
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [PSPF-WIFI] :
MAC Address IP address IPV6 address Device Name Parent State
20a2.e410.e71f 192.168.1.8 :: unknown - self Assoc
4c57.caab.2d47 192.168.1.7 :: unknown - self Assoc
d025.9890.1cd9 192.168.1.6 :: unknown - self Assoc
ec55.f901.f90c 192.168.1.11 :: ccx-client - self Assoc
There's an iPhone app called Fing, which is a handy network scanner. Just tap the Refresh/Start button (the round-arrow icon in the upper right-hand corner) to scan the wireless network the iPhone has joined.
There's another iPhone app called Network Ping Lite, which I used to do a ping sweep of my wireless network. I pinged the subnet 192.168.1.0 first (tap Ping subnet) before doing individual pings (tap Ping). There were only a few wireless devices (highlighted in green), so I stopped the sweep (tap Stop) when it reached 192.168.1.15.
Initially I was able to ping 192.168.1.7 (an iPhone) and 192.168.1.11 (my PC).
My PC was also connected to PSPF-WIFI, and I tried to ping the other wireless devices on the network before enabling PSPF.
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection* 27:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Wireless Network Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::591:a686:6d91:7d3b%13
IPv4 Address. . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=9ms TTL=54
Reply from 8.8.8.8: bytes=32 time=11ms TTL=54
Reply from 8.8.8.8: bytes=32 time=8ms TTL=54
Reply from 8.8.8.8: bytes=32 time=18ms TTL=54
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 18ms, Average = 11ms
C:\Users\John Lloyd>ping 192.168.1.7 // BEFORE PSPF: THE OTHER SMARTPHONE STILL REPLIES
Pinging 192.168.1.7 with 32 bytes of data:
Reply from 192.168.1.7: bytes=32 time=109ms TTL=64
Reply from 192.168.1.7: bytes=32 time=41ms TTL=64
Reply from 192.168.1.7: bytes=32 time=24ms TTL=64
Reply from 192.168.1.7: bytes=32 time=40ms TTL=64
Ping statistics for 192.168.1.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 24ms, Maximum = 109ms, Average = 53ms
I configured bridge-group <BRIDGE GROUP> port-protected under the Dot11Radio interface only, not on the Ethernet uplink.
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#interface Dot11Radio0
ap(config-if)# bridge-group ?
<1-255> Assign an interface to a Bridge Group.
ap(config-if)# bridge-group 1 ?
block-unknown-source block traffic which come from unknown source MAC
address
circuit-group Associate serial interface with a circuit group
input-address-list Filter packets by source address
input-lat-service-deny Deny input LAT service advertisements matching a
group list
input-lat-service-permit Permit input LAT service advertisements matching a
group list
input-lsap-list Filter incoming IEEE 802.3 encapsulated packets
input-pattern-list Filter input with a pattern list
input-type-list Filter incoming Ethernet packets by type code
output-address-list Filter packets by destination address
output-lat-service-deny Deny output LAT service advertisements matching a
group list
output-lat-service-permit Permit output LAT service advertisements matching
a group list
output-lsap-list Filter outgoing IEEE 802.3 encapsulated packets
output-pattern-list Filter output with a pattern list
output-type-list Filter outgoing Ethernet packets by type code
path-cost Set interface path cost
port-protected There will be no traffic between this interface
and other protected port interface in this bridge
group
priority Set interface priority
source-learning learn source MAC address
spanning-disabled Disable spanning tree on a bridge group
subscriber-loop-control Configure subscriber loop control
unicast-flooding flood packets with unknown unicast destination MAC
addresses
<cr>
ap(config-if)#bridge-group 1 port-protected
After the command was applied I was no longer able to ping the other wireless devices, and they were grayed out when I ran the Fing app again.
When I also applied bridge-group <BRIDGE GROUP> port-protected on the LAN interface (GigabitEthernet0), I couldn't reach the Internet (Google DNS 8.8.8.8) either. That is the expected behaviour: port-protected blocks traffic between protected ports in the same bridge group, so protecting the uplink as well cuts the clients off from the gateway. Leave the uplink unprotected and protect only the client-facing radios.
Keep in mind that PSPF on the AP only isolates clients that are bridged through this AP. Clients associated to different APs in the same VLAN can still reach each other through the wired side unless the switch ports the APs connect to are also isolated (for example with switchport protected or a private VLAN).
Below is the working config of the Cisco Autonomous AP.
ap#show run
Building configuration...
Current configuration : 1766 bytes
!
! Last configuration change at 01:05:22 UTC Sat Jan 1 2000
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$6YNS$Cwqo8igOXBbEsL4LgxGQ/1
enable password 7 01100F175804
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid PSPF-WIFI
authentication open
guest-mode
!
!
!
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
ssid PSPF-WIFI
!
antenna gain 0
stbc
beamform ofdm
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected // PSPF: APPLY ON EVERY RADIO THAT CARRIES THE SSID (ONLY Dot11Radio0, 2.4 GHz, IS USED IN THIS LAB; Dot11Radio1, 5 GHz, HAS NO SSID BOUND)
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode wep mandatory
antenna gain 0
peakdetect
dfs band 3 block
stbc
beamform ofdm
channel 5180
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0 // DO NOT CONFIGURE bridge-group <BRIDGE GROUP> port-protected ON THE LAN INTERFACE (UPLINK TO DISTRIBUTION SYSTEM/INTERNET): IT WOULD CUT THE CLIENTS OFF FROM THE GATEWAY
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address c08c.601f.247d
ip address 192.168.1.3 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
banner motd ^C
*** AP ***
^C
!
line con 0
line vty 0 4
password 7 14141B180F0B
login
transport input all
!
end
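The placement rule (port-protected on the client-facing radios, never on the uplink) is easy to get wrong on an AP with two radios, so here is a small audit script as an added example; it is not code from the original post. It reads pasted show run text, ignoring indentation because pasted configs often lose it, and reports radios without port-protected and uplinks with it. The interface names, the bridge-group syntax and the embedded sample config are taken from this page; the names SAMPLE_CONFIG, parse_bridge_groups, audit_pspf and protect_interface are the script's own. On the posted config it flags Dot11Radio1 as unprotected (no SSID is bound to it in this lab, so nothing was exposed during the test), and it flags GigabitEthernet0 if port-protected is added there.

```python
"""Audit PSPF placement (bridge-group N port-protected) in a Cisco autonomous-AP config.
Added example, not code from the original post."""
import re
from collections import defaultdict

# Constructed sample: the bridge-group-relevant lines of the lab config posted on this page.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 !
 ssid PSPF-WIFI
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
!
interface Dot11Radio1
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
!
interface GigabitEthernet0
 bridge-group 1
 bridge-group 1 spanning-disabled
!
"""

RADIO_PREFIX = "Dot11Radio"
UPLINK_PREFIXES = ("GigabitEthernet", "FastEthernet")
# matches 'bridge-group 1', 'bridge-group 1 port-protected', 'no bridge-group 1 source-learning', ...
BG_RE = re.compile(r"^(no\s+)?bridge-group\s+(\d+)(?:\s+(\S+).*)?$")


def parse_bridge_groups(config):
    """Return ({group: {interface: set(enabled sub-options)}}, {interface: set(ssids)})."""
    groups, ssids, current = defaultdict(dict), defaultdict(set), None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is deliberately ignored
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current is None:
            continue
        elif line.startswith("ssid "):
            ssids[current].add(line.split(None, 1)[1])
        elif m := BG_RE.match(line):
            negated, group, option = m.group(1), int(m.group(2)), m.group(3)
            opts = groups[group].setdefault(current, set())  # any bridge-group line implies membership
            if option and not negated:
                opts.add(option)
    return groups, ssids


def audit_pspf(config):
    """Return one string per PSPF placement problem; an empty list means the config is clean."""
    groups, ssids = parse_bridge_groups(config)
    findings = []
    for group in sorted(groups):
        for intf, opts in sorted(groups[group].items()):
            protected = "port-protected" in opts
            if intf.startswith(RADIO_PREFIX) and not protected:
                idle = "" if ssids.get(intf) else " (no SSID is bound to it in this config)"
                findings.append(f"bridge-group {group}: {intf} lacks port-protected, so its clients "
                                f"can talk to each other and to clients on protected radios{idle}")
            elif intf.startswith(UPLINK_PREFIXES) and protected:
                findings.append(f"bridge-group {group}: {intf} is port-protected, which cuts the "
                                f"protected radios off from the gateway/distribution system")
    return findings


def protect_interface(config, interface, group):
    """Return config with 'bridge-group <group> port-protected' added under <interface>."""
    out, current = [], None
    for raw in config.splitlines():
        out.append(raw)
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current == interface and line == f"bridge-group {group}":
            out.append(f" bridge-group {group} port-protected")  # right after membership, as IOS lists it
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    both_radios = protect_interface(SAMPLE_CONFIG, "Dot11Radio1", 1)
    variants = {
        "config as posted": SAMPLE_CONFIG,
        "port-protected on both radios": both_radios,
        "port-protected also on GigabitEthernet0": protect_interface(both_radios, "GigabitEthernet0", 1),
    }
    for label, cfg in variants.items():
        print(f"== {label}")
        for finding in audit_pspf(cfg) or ["clean"]:
            print("  -", finding)
```

Run it as-is to see the three variants; to check a real AP, read the saved show run into a string and pass it to audit_pspf in place of SAMPLE_CONFIG.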
Thanks John, very detailed post