Blocking Client to Client communication

Configuration and operational information about stumbled AP's

Blocking Client to Client communication

Postby wzuwerink » Tue Jul 08, 2003 7:14 am

I have a Cisco 350 Access Point with all WET11 clients. I am attempting to secure my network from malicious or dumb customers.

I am serving my clients with a DHCP server on the same switch as the Access Point, but I fear what will happen if a customer decides to turn on a DHCP service on their own computer and how it will interfere with other customers obtaining a valid IP.

What I would like to do is block all non TCP and UDP packets going from one wireless connection to another, but still allow packets to flow between wireless connections and the AP's Ethernet NIC. I am unsure how to do this.

Another issue I am having is the ability to block network access for MAC's behind the WET11's, since their ARP shows the MAC of the WET11 and not there own. My only option so far is to use reservations on my DHCP server since that still registers the computers MAC and not the WET11 unlike ARP.

Any suggestions or help on configuring the Cisco 350 AP would be appreciated.
Mini Stumbler
Posts: 10
Joined: Tue Jul 08, 2003 6:46 am

Postby Thorn » Tue Jul 08, 2003 7:29 am

A couple of suggestions:
To block based on TCP/UDP packets, you will really need to use wireless router rather than the AP and the switch. I don't think the 350 has that capacity built-in. Mikrotik also makes some good hardware and software solutions for this.

Upgrade the WET11 firmware to v1.54. Enable the "MAC Fowarding" option, and the ARP should show the MACs that are behind a given WET11. Then you should be able to used the 350's MCL.
Stop the TSA now! Boycott the airlines.
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby Madhadder » Tue Jul 08, 2003 8:22 am

Or try a nice Cisco Catalyst switch....They go cheap on Ebay...
Then you could setup VPN's and ACL's till your hearts content..

PS: Happy 600th to me!!!! :D
Legends may sleep, but they never die!!!!
User avatar
Posts: 1619
Joined: Sat Apr 13, 2002 5:37 am
Location: Munich, Germany


Postby wzuwerink » Tue Jul 08, 2003 11:18 am

The new firmware for the WET11 is just what I needed to start filtering out unwanted MAC address's, thanks!

While I was getting my MAC authentication setup I ran across a setting on the 350 for enabling PSPF, which happens to be exactly what I wanted in terms of blocking clients from accessing other clients.
Mini Stumbler
Posts: 10
Joined: Tue Jul 08, 2003 6:46 am

Postby TheSovereign » Tue Jul 08, 2003 2:17 pm

as long as u use a microsoft type server like 2kAS or 2k3
it wont allow other dhcp servers on the network without an authorize

thats if your clients are microsoft based :)
if u got linux clients your SOL
SO SAYS TheSovereign
User avatar
Posts: 658
Joined: Sun Jun 30, 2002 2:35 am
Location: chicago

Return to AP Information

Who is online

Users browsing this forum: No registered users and 2 guests