Blocking Client to Client communication

PostPosted: Tue Jul 08, 2003 7:14 am
by wzuwerink
I have a Cisco 350 Access Point with all WET11 clients. I am attempting to secure my network from malicious or dumb customers.

I am serving my clients with a DHCP server on the same switch as the Access Point, but I fear what will happen if a customer decides to turn on a DHCP service on their own computer and how it will interfere with other customers obtaining a valid IP.

What I would like to do is block all non-TCP and non-UDP packets going from one wireless connection to another, but still allow packets to flow between wireless connections and the AP's Ethernet NIC. I am unsure how to do this.

Another issue I am having is the ability to block network access for MACs behind the WET11s, since their ARP shows the MAC of the WET11 and not their own. My only option so far is to use reservations on my DHCP server, since that still registers the computer's MAC and not the WET11's, unlike ARP.

Any suggestions or help on configuring the Cisco 350 AP would be appreciated.

PostPosted: Tue Jul 08, 2003 7:29 am
by Thorn
A couple of suggestions:
To block based on TCP/UDP packets, you will really need to use a wireless router rather than the AP and the switch. I don't think the 350 has that capacity built in. Mikrotik also makes some good hardware and software solutions for this.

Upgrade the WET11 firmware to v1.54. Enable the "MAC Forwarding" option, and the ARP should show the MACs that are behind a given WET11. Then you should be able to use the 350's MCL.

PostPosted: Tue Jul 08, 2003 8:22 am
by Madhadder
Or try a nice Cisco Catalyst switch... They go cheap on Ebay...
Then you could set up VPNs and ACLs till your heart's content...

PS: Happy 600th to me!!!! :D

Thanks.

PostPosted: Tue Jul 08, 2003 11:18 am
by wzuwerink
The new firmware for the WET11 is just what I needed to start filtering out unwanted MAC addresses, thanks!

While I was getting my MAC authentication set up, I ran across a setting on the 350 for enabling PSPF, which happens to be exactly what I wanted in terms of blocking clients from accessing other clients.

PostPosted: Tue Jul 08, 2003 2:17 pm
by TheSovereign
As long as you use a Microsoft-type server like 2kAS or 2k3,
it won't allow other DHCP servers on the network without an authorization.

That's if your clients are Microsoft-based :)
If you've got Linux clients, you're SOL.
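The rogue-DHCP worry raised in the first post (and answered above only for Windows servers) can be checked on any platform by watching for OFFER/ACK messages from an unexpected Server Identifier. The following is an added example, not code from anyone in this thread: a minimal DHCP option parser that flags server messages whose option 54 is not the authorised server; the server address 192.168.1.1 and the packet bytes are constructed for the demo.

```python
# Added example: flag DHCP OFFER/ACK/NAK messages from unauthorised servers.
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the 236-byte BOOTP header
AUTHORISED = {IPv4Address("192.168.1.1")}   # assumed address of the legitimate DHCP server
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                        # pad option, single byte
            i += 1
            continue
        if code == 255:                      # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify(payload: bytes):
    """Return (message_type, server_id, is_rogue); client messages are never rogue."""
    opts = parse_options(payload)
    mtype = MSG_NAMES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    server = IPv4Address(opts[54]) if len(opts.get(54, b"")) == 4 else None
    rogue = mtype in ("OFFER", "ACK", "NAK") and server not in AUTHORISED
    return mtype, server, rogue

def build(msg_type: int, server_ip: str, offered_ip: str) -> bytes:
    """Construct a minimal BOOTREPLY with options 53 and 54 (demo input only)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, IPv4Address(offered_ip).packed, b"\0" * 4,
                         b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC + opts

SAMPLES = [  # constructed: one OFFER from the real server, one from a customer's box
    build(2, "192.168.1.1", "192.168.1.50"),
    build(2, "192.168.1.77", "192.168.1.51"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

Feeding captured UDP/67 payloads into classify() instead of SAMPLES turns this into a simple rogue-server alert; PSPF stops client-to-client unicast but does not stop a client answering broadcasts seen through the AP's wired side, so the check is still worth running.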