In almost all hospitality and public Wi-Fi environments we want to block peer-to-peer (also known as East-West) traffic between clients. We do this so that a guest cannot scan the network or reach other guests' devices.
Normally, enabling Client Isolation for both unicast and multicast on the WLAN is enough. In some cases, though, multicast has to be allowed because the property runs a Chromecast service for its guests: Chromecast discovery relies on mDNS, which is multicast to 224.0.0.251, so enabling multicast Client Isolation breaks it.
If we disable multicast Client Isolation on a guest network, the network gets flooded with mDNS chatter and the associated ARP requests from every consumer device that joins.
The figures below come from a packet capture taken in a real MDU (multi-dwelling unit) environment, before optimization.
The capture lasted only 2.14 seconds, yet it contains 2,123 packets. Of these, 802 were mDNS and 592 were ARP: 1,394 packets, roughly two thirds of everything the AP transmitted, that nobody needed.
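To reproduce that before/after measurement on your own captures, here is an added example (not from the original post) that counts ARP and mDNS frames in a classic pcap using only the Python standard library. The capture it analyses is constructed inline (8 mDNS, 6 ARP, 6 unicast DNS frames with made-up MACs and 10.20.0.0/24 addresses) so the script runs offline; `noise_share()` accepts the bytes of any real `.pcap` taken on a span port facing the AP.

```python
"""Measure how much of a capture is ARP + mDNS, as in the MDU numbers above.

Added example, not from the original post. Standard library only: it builds a
small classic pcap in memory from constructed frames, parses it back and
classifies every frame. Feed noise_share() the bytes of a real .pcap from a
span port facing the AP to get the same before/after figures.
"""
import struct
from collections import Counter

ETH_ARP, ETH_IPV4, IPPROTO_UDP = 0x0806, 0x0800, 17
MDNS_PORT, MDNS_GROUP = 5353, "224.0.0.251"      # mDNS always targets this group

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _csum(data):                                  # RFC 1071 one's-complement sum
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def arp_request(src_mac, src_ip, target_ip):
    """Broadcast 'who-has target_ip', the frame every joining device sends."""
    eth = _mac("ff:ff:ff:ff:ff:ff") + _mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
           + _mac(src_mac) + _ip(src_ip) + bytes(6) + _ip(target_ip))
    return eth + arp

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with a valid IPv4 header checksum."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + hdr + udp

def pcap_bytes(frames):
    """Classic little-endian pcap: magic a1b2c3d4, version 2.4, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f)
    return b"".join(out)

def iter_pcap(data):
    """Yield every frame of a classic pcap, whichever byte order wrote it."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return 'arp', 'mdns', 'ipv4-other' or 'other' for one Ethernet frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_ARP:
        return "arp"
    if ethertype != ETH_IPV4:
        return "other"
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    dst = ".".join(str(b) for b in frame[30:34])  # IPv4 destination address
    if frame[23] == IPPROTO_UDP:                  # IPv4 protocol field
        dport = struct.unpack_from("!HH", frame, 14 + ihl)[1]
        if dport == MDNS_PORT and dst == MDNS_GROUP:
            return "mdns"
    return "ipv4-other"

def noise_share(pcap):
    """Return (per-class counts, total frames, fraction that is ARP or mDNS)."""
    counts = Counter(classify(f) for f in iter_pcap(pcap))
    total = sum(counts.values())
    share = (counts["arp"] + counts["mdns"]) / total if total else 0.0
    return counts, total, share

def sample_capture():
    """Constructed capture (not real data): 8 mDNS, 6 ARP, 6 unicast DNS frames."""
    frames = [udp_frame(f"aa:bb:cc:00:00:{i:02x}", "01:00:5e:00:00:fb", f"10.20.0.{10 + i}",
                        MDNS_GROUP, MDNS_PORT, MDNS_PORT, bytes(12)) for i in range(8)]
    frames += [arp_request(f"aa:bb:cc:00:01:{i:02x}", f"10.20.0.{50 + i}", "10.20.0.1")
               for i in range(6)]
    frames += [udp_frame(f"aa:bb:cc:00:02:{i:02x}", "00:11:22:33:44:55", f"10.20.0.{70 + i}",
                         "10.20.0.1", 40000 + i, 53, bytes(12)) for i in range(6)]
    return pcap_bytes(frames)

if __name__ == "__main__":
    counts, total, share = noise_share(sample_capture())
    print(f"{total} frames: {counts['mdns']} mDNS, {counts['arp']} ARP, {share:.0%} noise")
```

The classifier treats only UDP to 224.0.0.251:5353 as mDNS, so SSDP, LLMNR and other discovery chatter land in `ipv4-other`; extend `classify()` if you want those counted as noise too.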
The solution is to enable Protected Ports on the upstream switches. This is very easy to set up.
Add the following command to the configuration of every port facing guest devices, in other words Wi-Fi APs and downstream switches. A protected port can only exchange frames with non-protected ports on the same switch; two protected ports cannot talk to each other at Layer 2, in any VLAN. The check is switch-local, which is why the ports facing downstream switches need it too: two APs hanging off different access switches are then separated at the port where their uplinks meet. Do NOT apply it to uplinks towards upstream switches or gateways, nor to servers that clients need to reach, because a protected port cannot reach another protected port.
! THE FOLLOWING INTERFACE IS CONNECTED TO AN AP - PROTECTED PORT IS NEEDED [ALL OTHER DISPLAYED COMMANDS ARE OPTIONAL]
interface ethernet 1/1/1
port-name AP010
**protected-port**
spanning-tree 802-1w admin-edge-port
inline power power-limit 15400
stp-bpdu-guard
!
! THE FOLLOWING INTERFACE IS CONNECTED TO A TV - PROTECTED PORT IS NOT NEEDED
interface ethernet 1/1/2
port-name TV
spanning-tree 802-1w admin-edge-port
inline power power-limit 15400
stp-bpdu-guard
!
As you may have noticed, the command is applied to the port rather than to a VLAN. Two protected ports on the same switch therefore cannot exchange any frames at all, in any VLAN, so all traffic between APs is blocked, not just guest traffic. That includes every other VLAN carried on the AP uplink, among them the management VLAN the APs use to talk to each other to coordinate things like 802.11k neighbour reports, Auto Cell Sizing, etc.
To counter this, we configure local proxy ARP on the topmost switch (usually the core) for those VLANs, and only those, where traffic between APs or between hosts is actually wanted, such as the AP management and corporate VLANs. Never enable it on the guest VLAN: the core would then answer ARP on the guests' behalf and route guest-to-guest traffic, undoing the isolation the protected ports just gave us.
First, create the Virtual Ethernet interface (VE) by adding router-interface ve <id> under the VLAN, then configure the VE with ip local-proxy-arp. The switch now answers every ARP request on that VLAN for a host in the same subnet with its own MAC address, so an AP sends frames destined for another AP to the core, which routes them back out the same VE to the real destination; the protected ports never see AP-to-AP traffic at Layer 2. Plain proxy ARP is not enough here, since it only answers for targets outside the local subnet; on FastIron, proxy ARP also has to be enabled globally (ip proxy-arp enable) before local proxy ARP takes effect, so keep both.
<aside> 🚨 Make sure this switch can carry all the AP-to-AP traffic expected on that VLAN: every such packet now enters and leaves the core through the same VE instead of being switched locally.
</aside>
<aside> 💡 The ICX switch configured with Proxy ARP needs to be running Router code to support this function
</aside>
! PROXY ARP MUST BE ENABLED GLOBALLY BEFORE LOCAL PROXY ARP WORKS ON A VE
ip proxy-arp enable
!
vlan 100 name CORPORATE_LAN by port
tagged ethe 1/1/10 to 1/1/20
router-interface ve 100
!
vlan 200 name AP_MANAGEMENT by port
tagged ethe 1/1/10 to 1/1/20
router-interface ve 200
!
! THE VE ANSWERS ARP FOR EVERY HOST IN ITS OWN SUBNET, SO FRAMES BETWEEN TWO
! PROTECTED PORTS GO TO THE CORE AND ARE ROUTED BACK OUT THE SAME VE
interface ve 100
**ip local-proxy-arp**
!
interface ve 200
**ip local-proxy-arp**
!
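Because the whole scheme rests on two things being true at once (protected-port on exactly the right ports, and local proxy ARP on exactly the right VEs), it is worth checking a saved running-config before a site goes live. The following is an added example, not the author's tooling: a small Python linter for the FastIron syntax shown above. The port roles and VLAN roles (`AP_PORTS`, `UPLINK_PORTS`, `HAIRPIN_VLANS`, `GUEST_VLANS`) are inputs you supply, and `SAMPLE_CONFIG` is a constructed config that deliberately contains one of each mistake: an AP port without protected-port, an uplink with it, a management VLAN whose VE lacks local proxy ARP, and a guest VLAN whose VE has it.

```python
"""Lint a FastIron-style config for the protected-port + local proxy ARP pattern.

Added example, not the post's own tooling. It parses the syntax shown above
(interface ethernet, vlan ... tagged ethe a/b/c to a/b/d, router-interface ve,
interface ve) and checks that protected-port sits on every AP/downstream port
and on no uplink, that VLANs meant to hairpin through the core have a VE with
ip local-proxy-arp, and that the guest VLAN's VE does NOT, since that would let
the core relay guest-to-guest traffic around the protected ports.
"""
import re

def expand_ports(spec):
    """'ethe 1/1/10 to 1/1/12 ethe 1/1/20' -> ['1/1/10', '1/1/11', '1/1/12', '1/1/20']"""
    toks, ports, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] in ("ethe", "ethernet", "e"):          # keyword before each range
            i += 1
        elif i + 2 < len(toks) and toks[i + 1] == "to":   # unit/slot/first to unit/slot/last
            unit, slot, first = toks[i].split("/")
            last = int(toks[i + 2].split("/")[2])
            ports += [f"{unit}/{slot}/{p}" for p in range(int(first), last + 1)]
            i += 3
        else:
            ports.append(toks[i])
            i += 1
    return ports

def parse_config(text):
    """Return {'eth': {port: [cmds]}, 've': {id: [cmds]}, 'vlan': {id: {'ports', 've'}}}."""
    cfg, section = {"eth": {}, "ve": {}, "vlan": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):               # '!' closes a section
            section = None
        elif m := re.match(r"interface ethernet (\S+)$", line):
            section = cfg["eth"].setdefault(m.group(1), [])
        elif m := re.match(r"interface ve (\d+)$", line):
            section = cfg["ve"].setdefault(int(m.group(1)), [])
        elif m := re.match(r"vlan (\d+)\b", line):
            section = cfg["vlan"].setdefault(int(m.group(1)), {"ports": [], "ve": None})
        elif isinstance(section, dict):                     # inside a vlan block
            if m := re.match(r"(?:tagged|untagged) (.+)", line):
                section["ports"] += expand_ports(m.group(1))
            elif m := re.match(r"router-interface ve (\d+)", line):
                section["ve"] = int(m.group(1))
        elif section is not None:                           # inside an interface block
            section.append(line)
    return cfg

def lint(cfg, ap_ports, uplink_ports, hairpin_vlans, guest_vlans):
    """Return a list of findings; an empty list means the config matches the pattern."""
    out = []
    for port, cmds in cfg["eth"].items():
        if port in ap_ports and "protected-port" not in cmds:
            out.append(f"{port}: AP/downstream port without protected-port")
        if port in uplink_ports and "protected-port" in cmds:
            out.append(f"{port}: protected-port on an uplink blocks the APs' path upstream")
    protected = {p for p, c in cfg["eth"].items() if "protected-port" in c}
    for vid, vlan in cfg["vlan"].items():
        ve = cfg["ve"].get(vlan["ve"], [])
        if vid in hairpin_vlans and protected & set(vlan["ports"]) and "ip local-proxy-arp" not in ve:
            out.append(f"vlan {vid}: rides protected ports but its VE lacks ip local-proxy-arp")
        if vid in guest_vlans and "ip local-proxy-arp" in ve:
            out.append(f"vlan {vid}: guest VE has ip local-proxy-arp, the core would relay guest-to-guest traffic")
    return out

# Constructed config with one of each fault (not a real site).
SAMPLE_CONFIG = """\
interface ethernet 1/1/1
 protected-port
!
interface ethernet 1/1/3
 port-name AP011
!
interface ethernet 1/1/48
 port-name UPLINK
 protected-port
!
vlan 200 name AP_MANAGEMENT by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/48
 router-interface ve 200
!
vlan 300 name GUEST_WIFI by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/48
 router-interface ve 300
!
interface ve 200
!
interface ve 300
 ip local-proxy-arp
!
"""
AP_PORTS, UPLINK_PORTS, HAIRPIN_VLANS, GUEST_VLANS = {"1/1/1", "1/1/3"}, {"1/1/48"}, {200}, {300}

def run_sample():
    return lint(parse_config(SAMPLE_CONFIG), AP_PORTS, UPLINK_PORTS, HAIRPIN_VLANS, GUEST_VLANS)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

Run it against `show running-config` output saved from the core and each access switch; the port-role sets are per switch, so the uplink set for an access switch is its trunk to the core, while on the core it is the ports towards the gateway and servers.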
Thank you for playing - please call again.
This is an independent blog written and maintained by Andrea Coppini. Any errors and omissions excepted.