[c-nsp] extending PVLAN to wireless?

Ryan O'Connell ryan at complicity.co.uk
Tue Nov 23 12:01:43 EST 2004


On 23/11/2004 16:37, Bradley Urberg Carlson wrote:

> I have used Private VLAN features to reduce virus activity in 
> convention centers, etc.  I'd like to add open wireless access to some 
> of these areas.  Is anyone familiar with an access point which 
> supports PVLAN-like end-node isolation, or "secure-ARP", or some other 
> method which might either prevent traffic between end-nodes, or else 
> force that traffic through a stateful-inspection firewall?  Forcing 
> users to use a VPN client is not an option, as the hotspot needs to 
> appear open.  Cost is a factor, so something simple like a "PVLAN 
> hotspot" AP would be preferable.


On Cisco AP1100 and AP1200, you can use the "bridge-group <group> 
port-protected" command to do this.

You'll also need to consider the possibility that if you're using 
standard WEP, it's still possible for someone to pretend to be the 
access point and send data direct to another device if within range as 
they all share the same encryption key. (This isn't a standard feature 
of 802.11b; it would need some hacking to make work.)

-- 
         Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
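
An added example, not part of the original message: a Python check that reads an Aironet IOS running-config and reports radio interfaces whose bridge-group lacks the "port-protected" option mentioned in the reply. The sample configuration, the function names and the VLAN numbers are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0
 bridge-group 1
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
BG_RE = re.compile(r"^\s+bridge-group\s+(\d+)(?:\s+(\S+))?", re.I)

def parse_interfaces(config):
    """Return {interface: {bridge_group: set(options)}} from config text."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:                                   # start of an interface block
            current = result.setdefault(m.group(1), {})
            continue
        if not line.startswith((" ", "\t")):    # "!" or a global line ends it
            current = None
            continue
        m = BG_RE.match(line)
        if m and current is not None:
            opts = current.setdefault(int(m.group(1)), set())
            if m.group(2):                      # e.g. "port-protected"
                opts.add(m.group(2).lower())
    return result

def unprotected_radios(config):
    """List (interface, group) pairs on radio interfaces missing port-protected."""
    return [(name, group)
            for name, groups in parse_interfaces(config).items()
            if name.lower().startswith("dot11radio")
            for group, opts in sorted(groups.items())
            if "port-protected" not in opts]

if __name__ == "__main__":
    for name, group in unprotected_radios(SAMPLE_CONFIG):
        print(f"{name}: bridge-group {group} lacks port-protected")
```

The option only isolates clients associated to the same access point; traffic between clients on different APs still has to be blocked on the wired side, for example with the protected-port or Private VLAN setup the original question describes.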


