[c-nsp] extending PVLAN to wireless?
Ryan O'Connell
ryan at complicity.co.uk
Tue Nov 23 12:01:43 EST 2004
On 23/11/2004 16:37, Bradley Urberg Carlson wrote:
> I have used Private VLAN features to reduce virus activity in
> convention centers, etc. I'd like to add open wireless access to some
> of these areas. Is anyone familiar with an access point which
> supports PVLAN-like end-node isolation, or "secure-ARP", or some other
> method which might either prevent traffic between end-nodes, or else
> force that traffic through a stateful-inspection firewall? Forcing
> users to use a VPN client is not an option, as the hotspot needs to
> appear open. Cost is a factor, so something simple like a "PVLAN
> hotspot" AP would be preferable.
On Cisco AP1100 and AP1200, you can use the "bridge-group <group>
port-protected" command to do this.
You'll also need to consider the possibility that if you're using
standard WEP, it's still possible for someone to pretend to be the
access point and send data direct to another device if within range as
they all share the same encryption key. (This isn't a standard feature
of 802.11b; it would need some hacking to make work.)
--
Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk
I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time