Summary

Question

Customer Environment

Root Cause

Troubleshooting Steps

Wireless Client Isolation Overview

Wireless client isolation is a network security feature that restricts direct communication between devices connected to the same WLAN, while still allowing access to external resources, such as gateways and the internet. This feature is particularly beneficial for guest networks, where isolation is required to protect network security, yet internet access is still necessary. Additionally, wireless client isolation can be configured to manage traffic types, offering a balance between maintaining isolation and ensuring functional network connectivity.

I will proceed with the configuration by navigating to the Wireless Client Isolation section within the WLAN settings. Once there, I will enable the feature. By default, this setting isolates unicast packets, meaning that any traffic destined for a specific client MAC address will be isolated. However, multicast and broadcast traffic are not isolated by default. If desired, these can also be isolated by modifying the appropriate settings. Additionally, support for Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) can be enabled, should these protocols be in use in the network environment.

The isolation whitelist feature enables you to add specific devices to an exception list, allowing them to bypass isolation. For instance, if you have a printer that you want all users to access, you can add it to the whitelist, ensuring it remains accessible to all clients. Additionally, by selecting the Auto Whitelist option, the system will automatically detect gateway information and add it to the whitelist. This ensures that the gateway remains accessible without manual configuration.

Wired Client Isolation is a feature designed for access points (APs) equipped with multiple Ethernet ports, commonly found in environments such as hotel rooms. For instance, if an AP has four Ethernet ports and you wish to allow users to connect through these ports, but without enabling communication between them (similar to the functionality of wireless client isolation), you can enable wired client isolation. This feature ensures that devices connected via Ethernet ports can access the network while remaining isolated from each other, thereby preserving network security and maintaining privacy for each connected user.

Create a new profile and name it "Wired Isolation." Scroll down to the Wired Client Isolation section, where it is disabled by default. To enable it, simply toggle the setting to "On." You will then be notified that an AP reboot is required. After confirming the change, the same configuration options will be available, including client isolation for unicast, multicast, and broadcast traffic, as well as support for VRRP and gateway information.

At the zone level, I can edit the zone settings and access the AP configuration profiles for specific devices. By clicking the pencil icon, I can navigate to the AP model-specific configuration. Here, I can select a device with multiple ports, such as the 550 model, which has four LAN ports. If I want one of these ports to participate in wired isolation, I would click the dropdown menu and select the "Wired Isolation" port profile that I previously created. This would ensure that the specific LAN port, such as LAN 2, is isolated in the same manner as the wireless clients.

Resolution