What's the best way to prevent inter-station traffic across APs?

  • 2
  • Question
  • Updated 5 years ago
  • Answered
I have a client who wants to stop inter-station traffic across his APs for an entire SSID (VLAN).
Am I correct in that Inter-station traffic filtering also only works on a single AP, not across APs?

The client still needs access to the internet and a few internal services on other VLANs.

Thanks,
Aaron

Aaron Scott

  • 43 Posts
  • 9 Reply Likes

Posted 5 years ago

  • 2

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
"Disabling inter-station traffic on the SSID won't fully solve this security issue, since broadcast gratuitous ARP frames from an attacker can still poison client and gateway ARP cache. Inter-station traffic filtering also only works on a single AP, not across APs. "

taken from here
http://community.aerohive.com/aerohiv...

Bill Lundgren, Employee

  • 21 Posts
  • 12 Reply Likes
All you need to do is two things. 1) Disable the checkbox under Management Settings for "Inter-station traffic" and then 2) create a firewall filter for FROM-ACCESS, and deny the client the ability to get to anything in the wireless subnet. I.e., if the wireless subnet is 10.10.10.0/24, then a simple deny from 10.10.10.0/24 to 10.10.10.0/24 should do the trick, both on a single AP and across APs. If you want them to be able to ping the default gateway, you could create a rule on top of that deny that will permit ICMP to the gateway.

Then just make sure the default L3 firewall action in the profile is PERMIT. They should then be able to get anywhere, except station to station traffic on the same subnet.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Bill, that just affects IP traffic at Layer 3 rather than all traffic at Layer 2.
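The two posts above describe a first-match L3 policy (permit ICMP to the gateway, then deny subnet-to-subnet, default permit) and its limit (it only sees IP packets). The following is an added example, not code from the thread or from Aerohive: a small Python model of that rule order, run over constructed packets, that shows station-to-station traffic being dropped while internet, other-VLAN and gateway-ping traffic still passes, and that a non-IP frame such as ARP is simply not inspected. The gateway address 10.10.10.1 and the other-VLAN address 10.20.0.5 are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnet from the answer above; the gateway address is an assumption for this example.
WIRELESS_SUBNET = ipaddress.ip_network("10.10.10.0/24")
GATEWAY = ipaddress.ip_address("10.10.10.1")


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None matches any IP protocol


@dataclass
class Packet:
    src: Optional[str]               # None for a non-IP frame (e.g. ARP)
    dst: Optional[str]
    proto: str


# First match wins, so the ICMP-to-gateway permit must sit above the subnet deny.
FROM_ACCESS_RULES = [
    Rule("permit", WIRELESS_SUBNET, ipaddress.ip_network(f"{GATEWAY}/32"), "icmp"),
    Rule("deny", WIRELESS_SUBNET, WIRELESS_SUBNET),
]
DEFAULT_ACTION = "permit"            # the profile's default L3 action


def evaluate(pkt: Packet, rules=FROM_ACCESS_RULES, default=DEFAULT_ACTION) -> str:
    """Return the L3 filter verdict for one packet.

    Non-IP frames carry no addresses for an L3 filter to match, which is the
    gap pointed out in the reply above; they are reported as 'not-inspected'.
    """
    if pkt.src is None or pkt.dst is None:
        return "not-inspected"
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.proto is None or r.proto == pkt.proto):
            return r.action
    return default


def run_scenarios() -> dict:
    """Constructed sample traffic from one wireless station (10.10.10.20)."""
    scenarios = {
        "station_to_station": Packet("10.10.10.20", "10.10.10.30", "tcp"),
        "ping_gateway":       Packet("10.10.10.20", str(GATEWAY), "icmp"),
        "tcp_to_gateway":     Packet("10.10.10.20", str(GATEWAY), "tcp"),
        "internet":           Packet("10.10.10.20", "203.0.113.10", "tcp"),
        "other_vlan_service": Packet("10.10.10.20", "10.20.0.5", "tcp"),
        "arp_broadcast":      Packet(None, None, "arp"),
    }
    return {name: evaluate(p) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The `tcp_to_gateway` case shows why the ICMP permit is written as narrowly as it is: anything other than ping to the gateway still falls into the subnet deny, so management access to the gateway from the wireless subnet needs its own explicit rule if it is wanted. The `arp_broadcast` case is the point made in the reply: a Layer 3 filter never sees the frame, which is why inter-station filtering on the AP itself is still needed for Layer 2 traffic.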

Aaron Scott

  • 43 Posts
  • 9 Reply Likes
Thanks, Bill. That's what I thought would need to happen.