Cisco Wireless :: How To Block P2P Traffic Of Clients Connected To Same SSID On WLC 4400
Feb 2, 2010
I use two WLC 4400 (4.2.x version) with a mobility domain and one SSID; both WLCs are connected to a Cisco L2 switch infrastructure. On the WLC I use the P2P blocking action 'drop' [URL] to isolate the clients from each other. Is only unicast traffic blocked, or also multicast and broadcast traffic like ARP requests? Concerning blocking P2P traffic of clients connected to the same SSID but different controllers, I found the following statement in the LAP FAQs [URL]:
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
What's the best practice to prevent this inter-WLC client traffic? I already read about using ACLs on the WLC dynamic interfaces, or private VLANs on the L2 switch VLANs where the dynamic interfaces are connected. Is it allowed to completely isolate the WLCs from each other on these dynamic interfaces with ACLs or private VLANs, or do the WLCs need to see each other on these interfaces (e.g. heartbeat)?
May 21, 2013
My controller is a vWLC installed in ESXi, which has two vNet cards configured with all VLANs (4095); it is then connected to a 3560 switch with a trunk. The configuration of the switch interface is as below: The SSID is BYOD and I can connect to the SSID and get an IP address such as 10.10.10.118/24, but for now I cannot ping 10.10.10.1, though I can ping 10.10.10.90.
Sep 24, 2012
We have a new SSID that needs to be added to an AP through a 4400 Controller with software version 7.0.116.0. All APs are configured as Lightweight.
Feb 26, 2013
What is the best way to isolate hosts on WiFi network managed with 4400 controllers so they only see def gw but not each other, something like "switchport protected" but for WiFi ....
Mar 18, 2011
Is there any chance to access files on the 4400 with SSH (WinSCP etc.) clients?
For example, we upload a webauth bundle and then we want to delete it and recopy other files.
Nov 15, 2011
I have a WAP4410n which has been configured with a single SSID since implementation several weeks ago with no issues. I am now trying to add a second SSID and not having any success. Originally the second SSID was not being assigned a MAC address and thus not being broadcasted. After upgrading firmware to 2.0.4.2 I now see a MAC address associated with second SSID and it is being seen by clients, but they still cannot connect. I reset the AP to default settings and reconfigured from scratch but still no luck. I have two of these APs, the other one is still at FW rev 2.0.1.0 and has same issue (it does have MAC address associated with second SSID so I didn't bother upgrading firmware yet).
I have tried a few different authentication options, including disabling authentication, to no avail. Question - I do not see an IP address associated with the second SSID - is that the problem and if so, how do I fix that?
Jan 26, 2011
I am administrating a wireless network consisting of 11 APs, ASA 5510, WLC 4402 and Router 1760. The network is sharing an internet connection to all guests without charge, so I have no need for authorisation of guests. I would like to implement a splash page that would be shown to all clients when they first connect. The splash page is supposed to have only the basic information about the provided service and no logon. Is there a way to do this without purchasing an ACS?
Aug 23, 2012
I just got a WAP321 to replace a very frustrating WAP4410. What is the SNMP OID to obtain associated wireless clients for each of the SSIDs? I'd be happy with any OID for client numbers, so total clients associated will be fine.
Apr 9, 2013
Region : Others
Model : TL-WR941ND
Hardware Version : V3
Firmware Version : 3.13.9 Build 120201 Rel.54965n
We are trying to use a TL-WR941ND purchased about a month ago, but it keeps hanging, usually within a day or so of operation. To be clear: by "hanging" I mean the device stops providing wireless services (its SSID is no longer visible in WiFi clients) and becomes nonresponsive to pings or control access attempts (via settings web page) from the internal network connections. The device is used in a very simple scenario, where it's being employed as a simple access point, not as a router. As such, the device's configuration is as follows:
* WAN interface is configured with a dummy static IP (10.10.10.10/24) with gateway and DNS set to the internal IP address of the actual routing device connected to the external world.
* LAN interface is configured with an IP address inside the actual internal IP subnet (192.168.1.0/24).
* DHCP is also disabled as this service is already provided.
* Wireless settings: radio enabled, SSID broadcast enabled, WDS disabled, 11bgn mixed mode, auto channel width, max TX rate, channel 7 (manually set). Using WPA-PSK security.
Rest of the settings are unchanged from their default values, as the device isn't being used as an IP router by any client - just as a WiFi/Ethernet layer 2 bridge. We're using what appears to be TP-Link's latest stock firmware for the device. The settings described above appear to provide the connectivity required by the WiFi clients. However, the device continuously hangs within a day or so of operation, requiring someone to physically attend to the device and cold-restart it (disconnecting it from power and reconnecting it) to regain an operational state.
After performing a cold restart, the system log shows nothing beyond the startup entries: "System started" entry followed by security info entries regarding enabled protocols. Then the device appears to work well for a while, until it hangs again, forcing again someone to attend to the device, etc.
Dec 4, 2012
I was wondering if it was possible to block iMessage to specific clients on the EA6500. These are the IPs Apple uses for iMessage; I need to create a firewall rule that blocks these IPs from reaching a specific client on the network.
[code]....
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have an SMTP relay deployed on the DMZ for mailing. I also have a mail server installed in the internal LAN.
I want to allow traffic from DMZ to reach internal LAN, and I want normally also to allow SMTP relay from DMZ to reach Internet.
How can I block traffic from DMZ to reach Internal LAN (instead of SMTP) if, to allow traffic from DMZ to Internet, I must put ANY in the policy?
For allowing traffic from DMZ to reach Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean DMZ can implicitly reach Internal LAN?
Mar 15, 2011
I manage a wireless mesh solution (WLC 4404, 4.2.176.51M (Mesh)) with some types of LAP, namely LAP1510, AIR-LAP1242AG-E-K9 and AIR-LAP1242G-E-K9.
We also use a freeware solution to have some graphs (collected by SNMP), namely for: Clients per AP, Noise and Interference, Channel Util, etc.
My question is about collecting (by SNMP) the traffic (inOctets, outOctets) by access point, to have traffic utilization for both radio (A and B/G) and Ethernet interfaces of each access point... I can't find it in the MIBs... Is it possible?
Oct 25, 2012
I have a wireless network with LWAPPs and 1 WLC 5508. How to block communication between SSIDs (clients in different SSIDs basically) and whether that is even possible from the controller? I'd like to mention that communication between clients within the same SSID is already blocked.
Jun 5, 2012
I have installed an SR520 with wireless for a client. They have asked if there is an easy way for them to monitor who is connected to the wireless at any given point in time. They are not capable of using the IOS command line.
Jan 1, 2013
I have ~25 employees who are connected to the AP. I have a 2 Mb DL and 2 Mb UL microwave leased line. The AP disconnects every couple of hours for a minute?
Feb 14, 2013
IP addresses of the clients connected to wireless end points are not getting resolved in LMS 4.2 user tracking. Will LMS resolve IP addresses of the clients connected through wireless end points?
Note: Those wireless end points are not monitored by LMS.
May 8, 2013
My question relates to how many clients can be connected to a 2600 series AP. The documentation states 200 clients per radio and the AP has three radios. However, when my AP gets to 200 it rejects further clients with the following log: [code] I see this exact message many times, and each time the radio MAC address is the same and the number of clients connected is 199. The same MAC address is used for both 2.4 GHz and 5 GHz, so does this AP have a single logical radio covering both 2.4 and 5 GHz frequency ranges, and is the limit for all connected clients 200? When viewing the AP details under the Wireless tab, it only lists one MAC address for each AP for both 2.4 GHz and 5 GHz frequencies.
Mar 11, 2012
I have a 1242AG. How many clients can be connected to this AP?
Mar 16, 2013
Is there any way to get information about clients connected to a WAP200 AP?
May 15, 2013
I just installed an Aironet 1602i, standalone WAP. I have it configured to use a RADIUS server in our office. However, two issues have come up when trying to get clients connected.
iPhones and iPads won't connect to either the 2.4 or the 5 GHz radios.
No one can connect to the 5 GHz radio.
Both radios are UP according to the GUI interfaces of the WAP. Also, laptops and android devices are able to connect to the 2.4GHz radio but not the 5 GHz radio.
I am on the latest version of the firmware.
Oct 15, 2012
How many wireless clients can connect to a single WAP321 Access Point?
Feb 5, 2013
Recently I installed and configured an AP 1260. It already has an IP, SSID, and pings to the router, but after installing the antenna I open the web configuration and see that it has 0 clients connected and the light is always green, indicating it is only configured with nobody connected.
The radio setting is up, 2.4 GHz and 5 GHz. Is there any issue with the antenna, or do I need to configure anything else?
Oct 20, 2012
I use an ASA 5510 and I want to block some URLs:
- 192.168.2.70 to 79: allow everything
- 192.168.2.80 to 89: block facebook, myspace, twitter
- 192.168.2.90 to 99: block facebook, myspace, twitter, youtube, dailymotion
- 192.168.2.100 to 199: deny everything
Nov 13, 2012
I would like to know if there is a way to know which wireless clients are connected in N mode. Is there any kind of command that can show me that? I don't have a wireless controller. My AP is AP-1141N-A-K9.
Oct 23, 2012
I am trying to block outbound and inbound traffic on TCP 5222 and 5223 on an E2500 but cannot figure out how. The reason is I have kids in my house using KiK (texting app) on iPads, iPods etc. My goal is to eliminate this application's ability to function for ANY wireless device connected to my WLAN.
Oct 21, 2011
I have configured my E4200 to block traffic at certain times using both the Parental Controls and the Internet Access Policies. Neither one seems to work though. [code] I have the same MAC addresses specified in each rule. Initially I had only the first two rules. Those didn't work, so I added rules 3 and 4 (they do the same thing as rules 1 and 2 but from the opposite direction). There are no complaints, but they don't stop any traffic.
I started with the Parental Controls; they didn't work either. The page in there that lets you pick which machines you want to block seemed next to worthless. I have about four rows listed as "Network Device." REALLY LAME! As the MAC addresses are accessible and these weren't working, I went to the IAP.
Nov 3, 2012
I need to block the P2P traffic on a Cisco router. How can I do it effectively? I configured NBAR on my router but users can still download using the uTorrent client.
Apr 22, 2013
Where is the best place to block unwanted traffic? By that I mean, should I block it at the router, firewall, IPS? As an example, I'm dealing with DNS flood attacks - probably DDoS and reflection. I have a pair of Cisco 2821 routers with two different ISPs doing BGP. Behind that I have an ASA 5510 with IPS module. Behind that I have 2 public DNS servers. Over the last few days I've seen an increase in bogus DNS queries - high volume, distributed. My question is where is the best place to put the ACL to block them? I've been putting them on the ASA, but when the attack is running, it jacks the CPU to 60%. If I don't put the ACL, the IPS seems to pick them up after a while and the CPU is almost as high as with the ACL. I haven't tried to put the ACL on the routers.
Nov 28, 2012
I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
My issue is, "how do you segment the SSID traffic via the WLC". The interfaces via the GUI aren't that intelligent; there's an enable and logging drop-down. Via the command line, I didn't see any methods of routing traffic.
Aug 16, 2012
Is it possible to block outside P2P traffic on a guest wireless network using an ACL on the controller? I know we can do it on our firewall.
Jan 28, 2013
I'm using an ASA 5515X. My concern is I was not able to block P2P traffic such as BitTorrent etc. I also viewed some technotes on how to use webfilter without using Websense or Smartfilter tools, and luckily I'm able to block certain websites. How do I block P2P traffic?
Jan 10, 2012
Is it possible with a 3560 to block all traffic to a certain VLAN except for one or two IP addresses? Create an ACL or something? We have a VLAN for voice calls (SIP) and we are getting a lot of scans that are making the phones ring and such, and I think we can stop this if we only allow traffic onto the VLAN from the IPs the SIP traffic is SUPPOSED to be coming from.
Jan 16, 2013
When I run the netstat -b command, I always see a LAN IP sending TCP traffic to my computer with state syn_received:
Proto >> Lan Address >> Foreign Address >> state >> Process id
TCP >> (my ip) >> 192.168.2.222(lan ip) >> syn_received >> 4