How to prevent clients connect between SSIDs on the same AP ́s

  • 2
  • Question
  • Updated 2 years ago
I have 2 SSIDs aon 12 AP ́s, one for Teachers the other for Students, both recives DHCP from a Meraki router so clients from both Ssids have the same IP segment, I note students can connect to the Apple Tv, How to prevent this?, I thought because they are on a diffrent Ssid they cant see each other. We want Students cant reach Teachers Ssids clients. 
Photo of Pruebas Irish IIM

Pruebas Irish IIM

  • 2 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 2
Photo of Dawn Douglass

Dawn Douglass

  • 67 Posts
  • 3 Reply Likes
I would create two user profiles; one for students and one or staff.  In the student user profile block communication for air play or to the IP of the Apple TV.  

Furthermore, if you want to completely separate student and staff traffic that would require VLANS instead,

Photo of Brian Powers

Brian Powers, Champ

  • 391 Posts
  • 91 Reply Likes
Second what Dawn said.  Since everything is in the same subnet, it matters not what SSID the users connect to as they'll all be able to communicate with each other.  On the student SSID, you will need to configure a firewall policy on the User Profile to limit their access.
Photo of MikeV


  • 11 Posts
  • 4 Reply Likes
Depending on a combination of models and OS, you may also have to block Bonjour on the student network. 
Photo of J. Goodnough

J. Goodnough, Champ

  • 265 Posts
  • 32 Reply Likes
The SSID is effectively just a passageway onto a given subnet. Since, as you've explained, both SSIDs send traffic to the same subnet, your two user bases reside on the same subnet; you'd need to have them point to different VLANs to get the effect you're looking for. That's a significant network design change and can't just be done at the Aerohive level.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2487 Posts
  • 449 Reply Likes
For your purposes, think of a SSID as being little more than a name, it is entirely decoupled from the Layer 2 broadcast domain that a client ends up in (think VLAN) or what restrictions are placed on the client via a user profile (ACLs, QoS for example).

All your clients are currently ending up in the same Layer 2 broadcast domain.

You shouldn't be using different SSIDs for students and staff, it's bad practice as it is unnecessary and there are overheads for each additional SSID you broadcast.

Only use different SSIDs where you have different authentication methods, e.g. 802.1X or PPSK, or other configuration options that can only be defined against a SSID.
Photo of Pruebas Irish IIM

Pruebas Irish IIM

  • 2 Posts
  • 0 Reply Likes
Thanks for your answers, It was resolved deactivating the "interstation-traffic" in the traffic Filter of the DoS prevention and Filters of the Students SSID. This save me create a Vlan on the Aps, in the Switchs, main router and create a dhcp pool for this vlan.