> > just a small comment: As far as I understand "AP isolation" doesn't work
> > if you don't have a WLAN controller but do have more than one AP. E.g. in
> > the following setup
> >
> > ap1--sw1--sw2--ap2
> >
> > with "AP isolation" turned on, clients associated to ap1 cannot
> > communicate directly with other clients associated to ap1, however they
> > can communicate directly with those associated to ap2. Broadcast from
> > ap1's clients does also get to all clients at ap2.
>
> Hi András,
>
> This is one place where Cisco's "switchport protected" comes in handy.

Yes, but only as long as all APs are connected to the same switch, as I
understand. (That's why I put two switches in the example above.)

> You can get the same effect with other brands. For example, in one
> on-the-cheap 5-AP hotspot I did, I vlaned the APs (using an older
> 802.1q capable switch) back to a Linux bridge with "ebtables --insert
> FORWARD --jump DROP". The Linux bridge was also the default router out
> of the wlan, so anything *to* the router worked but anything that
> would be forwarded was dropped instead. Works great.

Nice, that should do the trick with multiple switches too.

Regards,
András
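
The three setups discussed in this thread, modelled as a layer-2 flood over the ap1--sw1--sw2--ap2 topology. This is an added example, not code from either poster. The client names, the extra ap3 on sw1 and the bridge "br" hanging off sw2 are assumptions made for illustration, and AP isolation is assumed to stay enabled on every AP in all three cases.

```python
from collections import deque

# Constructed topology: the thread's ap1--sw1--sw2--ap2, plus ap3 on sw1 and a
# Linux bridge/router "br" on sw2 (both added for this example).
LINKS = {
    "c1a": ["ap1"], "c1b": ["ap1"], "c2a": ["ap2"], "c3a": ["ap3"], "br": ["sw2"],
    "ap1": ["c1a", "c1b", "sw1"], "ap2": ["c2a", "sw2"], "ap3": ["c3a", "sw1"],
    "sw1": ["ap1", "ap3", "sw2"], "sw2": ["sw1", "ap2", "br"],
}

def reach(policy, src):
    """Flood one broadcast frame from client src; return the end hosts that receive it."""
    seen, queue = {src}, deque([(LINKS[src][0], src)])
    while queue:
        node, ingress = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        for egress in LINKS[node]:
            if egress != ingress and policy(node, ingress, egress, src):
                queue.append((egress, node))
    return {n for n in seen if n.startswith("c") or n == "br"} - {src}

def ap_isolation(node, ingress, egress, origin):
    """Per-AP isolation only: an AP refuses client-to-client forwarding."""
    if node.startswith("ap"):
        return not (ingress.startswith("c") and egress.startswith("c"))
    return node.startswith("sw")  # plain switches flood; clients and br never forward

def protected_ports(node, ingress, egress, origin):
    """AP-facing switch ports are protected; the inter-switch link is not."""
    if node.startswith("sw") and ingress.startswith("ap") and egress.startswith("ap"):
        return False  # protected-to-protected is blocked, but only inside one switch
    return ap_isolation(node, ingress, egress, origin)

def central_bridge(node, ingress, egress, origin):
    """One VLAN per AP trunked to br, whose ebtables FORWARD chain drops everything."""
    if node.startswith("sw") and egress.startswith("ap"):
        return egress == LINKS[origin][0]  # every other AP sits in a different VLAN
    return ap_isolation(node, ingress, egress, origin)  # br itself forwards nothing

if __name__ == "__main__":
    for policy in (ap_isolation, protected_ports, central_bridge):
        print(f"{policy.__name__:16} c1a reaches {sorted(reach(policy, 'c1a'))}")
```
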