Cisco Wireless :: How To Block P2P Traffic Of Clients Connected To Same SSID On WLC 4400
Feb 2, 2010
I use two WLC 4400 (4.2.x version) with a mobility domain and one SSID; both WLCs are connected to a Cisco L2 switch infrastructure. On the WLC I use the P2P blocking action 'drop' [URL] to isolate the clients from each other. Is only unicast traffic blocked, or also multicast and broadcast traffic like ARP requests? Concerning blocking P2P traffic of clients connected to the same SSID but different controllers, I found the following statement in the LAP FAQs [URL]:
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or mode that performs a similar function to PSPF in the lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available on the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined the same controller. When enabled, this mode does not block wireless clients terminated on one controller from reaching wireless clients terminated on a different controller, even in the same mobility group.
What is the best practice to prevent this inter-WLC client traffic? I have already read about using ACLs on the WLC dynamic interfaces, or private VLANs on the L2 switch VLANs that the dynamic interfaces are connected to. Is it allowed to completely isolate the WLCs from each other on these dynamic interfaces with ACLs or private VLANs, or do the WLCs need to see each other on these interfaces (e.g. heartbeat)?
My controller is a vWLC installed in ESXi, which has two vNet cards configured with all VLANs (4095); it is then connected to a 3560 switch with a trunk. The configuration of the switch interface is as below: The SSID is BYOD, and I can connect to the SSID and get an IP address such as 10.10.10.118/24, but for now I cannot ping 10.10.10.1, although I can ping 10.10.10.90.
What is the best way to isolate hosts on a WiFi network managed with 4400 controllers so they only see the default gateway but not each other, something like "switchport protected" but for WiFi?
I have a WAP4410N which has been configured with a single SSID since implementation several weeks ago with no issues. I am now trying to add a second SSID and not having any success. Originally the second SSID was not being assigned a MAC address and thus not being broadcast. After upgrading firmware to 2.0.4.2 I now see a MAC address associated with the second SSID and it is being seen by clients, but they still cannot connect. I reset the AP to default settings and reconfigured from scratch but still no luck. I have two of these APs; the other one is still at FW rev 2.0.1.0 and has the same issue (it does have a MAC address associated with the second SSID, so I didn't bother upgrading firmware yet).
I have tried a few different authentication options, including disabling authentication, to no avail. Question: I do not see an IP address associated with the second SSID. Is that the problem, and if so, how do I fix that?
I am administering a wireless network consisting of 11 APs, an ASA 5510, a WLC 4402 and a Router 1760. The network is sharing an internet connection to all guests without charge, so I have no need for authorisation of guests. I would like to implement a splash page that would be shown to all clients when they first connect. The splash page is supposed to have only the basic information about the provided service and no logon. Is there a way to do this without purchasing an ACS?
I just got a WAP321 to replace a very frustrating WAP4410. What is the SNMP OID to obtain the associated wireless clients for each of the SSIDs? I'd be happy with any OID for client numbers, so total clients associated will be fine.
Region : Others Model : TL-WR941ND Hardware Version : V3 Firmware Version : 3.13.9 Build 120201 Rel.54965n
We are trying to use a TL-WR941ND purchased about a month ago, but it keeps hanging, usually within a day or so of operation. To be clear: by "hanging" I mean the device stops providing wireless services (its SSID is no longer visible in WiFi clients) and becomes non-responsive to pings or control access attempts (via the settings web page) from the internal network connections. The device is used in a very simple scenario, where it is employed as a simple access point, not as a router. As such, the device's configuration is as follows:
* WAN interface is configured with a dummy static IP (10.10.10.10/24) with gateway and DNS set to the internal IP address of the actual routing device connected to the external world.
* LAN interface is configured with an IP address inside the actual internal IP subnet (192.168.1.0/24).
* DHCP is also disabled, as this service is already provided.
* Wireless settings: radio enabled, SSID broadcast enabled, WDS disabled, 11bgn mixed mode, auto channel width, max TX rate, channel 7 (manually set). Using WPA-PSK security.
The rest of the settings are unchanged from their default values, as the device isn't being used as an IP router by any client, just as a WiFi/Ethernet layer 2 bridge. We're using what appears to be TP-Link's latest stock firmware for the device. The settings described above appear to provide the connectivity required by the WiFi clients. However, the device continuously hangs within a day or so of operation, requiring someone to physically attend to the device and cold-restart it (disconnecting it from power and reconnecting it) to regain an operational state.
After performing a cold restart, the system log shows nothing beyond the startup entries: a "System started" entry followed by security info entries regarding enabled protocols. Then the device appears to work well for a while, until it hangs again, again forcing someone to attend to the device, etc.
I was wondering if it was possible to block iMessage for specific clients on the EA6500. These are the IPs Apple uses for iMessage; I need to create a firewall rule that blocks these IPs from reaching a specific client on the network.
I have an SMTP relay deployed in the DMZ for mailing. I also have mail servers installed in the internal LAN.
I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay in the DMZ to reach the Internet.
How can I block traffic from the DMZ from reaching the internal LAN (instead of SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?
To allow traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?
I manage a wireless mesh solution (WLC 4404, 4.2.176.51M (Mesh)) with some types of LAP, namely LAP1510, AIR-LAP1242AG-E-K9 and AIR-LAP1242G-E-K9.
We also use a freeware solution to have some graphs (collected by SNMP), namely for: Clients per AP, Noise and Interference, Channel Utilization, etc.
My question is about collecting (by SNMP) the traffic (inOctets, outOctets) per access point, to have traffic utilization for both the radio (A and B/G) and Ethernet interfaces of each access point. I can't find it in the MIBs. Is it possible?
I have a wireless network with LWAPPs and one WLC 5508. How do I block communication between SSIDs (basically, clients in different SSIDs), and is that even possible from the controller? I'd like to mention that communication between clients within the same SSID is already blocked.
I have installed an SR520 with wireless for a client. They have asked if there is an easy way for them to monitor who is connected to the wireless at any given point in time. They are not capable of using the IOS command line.
I have ~25 employees which are connected to the AP. I have a 2mb DL and 2mb UL microwave leased line. The AP disconnects every couple of hours for a minute?
IP addresses of the clients connected to wireless endpoints are not getting resolved in LMS 4.2 User Tracking. Will LMS resolve IP addresses of the clients connected through wireless endpoints?
Note: Those wireless endpoints are not monitored by LMS.
My question relates to how many clients can be connected to a 2600 series AP. The documentation states 200 clients per radio, and the AP has three radios. However, when my AP gets to 200 it rejects further clients with the following log: [code] I see this exact message many times, and each time the radio MAC address is the same and the number of clients connected is 199. The same MAC address is used for both 2.4 GHz and 5 GHz, so does this AP have a single logical radio covering both the 2.4 and 5 GHz frequency ranges, and is the limit for all connected clients 200? When viewing the AP details under the Wireless tab, it only lists one MAC address for each AP for both the 2.4 GHz and 5 GHz frequencies.
I just installed an Aironet 1602i, standalone WAP. I have it configured to use a RADIUS server in our office. However, two issues have come up when trying to get clients connected.
iPhones and iPads won't connect to either the 2.4 or the 5 GHz radios.
No one can connect to the 5 GHz radio.
Both radios are UP according to the GUI interfaces of the WAP. Also, laptops and Android devices are able to connect to the 2.4 GHz radio but not the 5 GHz radio.
Recently I installed and configured an AP 1260. It already has an IP and SSID and can ping the router, but after installing the antenna I opened the web configuration and saw that it has 0 clients connected and the light is always green, indicating that it is configured but nobody is connected.
The radio setting is up, 2.4 GHz and 5 GHz. Is there any issue with the antenna, or do I need to configure anything else?
I would like to know if there is a way to find out which wireless clients are connected in N mode. Is there any kind of command that can show me that? I don't have a wireless controller. My AP is an AP-1141N-A-K9.
I am trying to block outbound and inbound traffic on TCP 5222 and 5223 on an E2500 but cannot figure out how. The reason is I have kids in my house using KiK (a texting app) on iPads, iPods etc. My goal is to eliminate this application's ability to function for ANY wireless device connected to my WLAN.
I have configured my E4200 to block traffic at certain times using both the Parental Controls and the Internet Access Policies. Neither one seems to work, though. [code] I have the same MAC addresses specified in each rule. Initially I had only the first two rules. Those didn't work, so I added rules 3 and 4 (they do the same thing as rules 1 and 2 but from the opposite direction). There are no complaints, but they don't stop any traffic.
I started with the Parental Controls; they didn't work either. The page in there that lets you pick which machines you want to block seemed next to worthless. I have about four rows listed as "Network Device." REALLY LAME! As the MAC addresses are accessible and these weren't working, I went to the IAP.
I need to block P2P traffic on a Cisco router. How can I do it effectively? I configured NBAR on my router, but users can still download using the uTorrent client.
Where is the best place to block unwanted traffic? By that I mean, should I block it at the router, firewall, or IPS? As an example, I'm dealing with DNS flood attacks, probably DDoS and reflection. I have a pair of Cisco 2821 routers with two different ISPs doing BGP. Behind that I have an ASA 5510 with an IPS module. Behind that I have 2 public DNS servers. Over the last few days I've seen an increase in bogus DNS queries: high volume, distributed. My question is where the best place to put the ACL to block them is. I've been putting them on the ASA, but when the attack is running, it jacks the CPU to 60%. If I don't put the ACL in, the IPS seems to pick them up after a while and the CPU is almost as high as with the ACL. I haven't tried putting the ACL on the routers.
I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
My issue is, "how do you segment the SSID traffic via the WLC?" The interfaces via the GUI aren't that intelligent; there's an enable and a logging drop-down. Via the command line, I didn't see any methods of routing traffic.
I'm using an ASA 5515-X. My concern is that I was not able to block P2P traffic such as BitTorrent etc. I also viewed some technotes on how to use web filtering without using Websense or SmartFilter tools, and luckily I'm able to block certain websites. How do I block P2P traffic?
Is it possible with a 3560 to block all traffic to a certain VLAN except for one or two IP addresses? Create an ACL or something? We have a VLAN for voice calls (SIP) and we are getting a lot of scans that are making the phones ring and such, and I think we can stop this if we only allow traffic onto the VLAN from the IPs the SIP traffic is SUPPOSED to be coming from.
When I run the netstat -b command, I always see a LAN IP sending TCP traffic to my computer with state SYN_RECEIVED:
Proto >> Local Address >> Foreign Address >> State >> Process ID
TCP >> (my ip) >> 192.168.2.222 (lan ip) >> syn_received >> 4