Isolation and Filtering

Mist APs support the following peer-to-peer (layer 2) isolation options.
• Disabled – No peer-to-peer blocking. This is the default behavior.
• Same AP – Blocks peer-to-peer traffic between clients on the same AP.
• Same Subnet – Blocks peer-to-peer traffic destined for the same subnet (wired and wireless). Please note that clients should have DHCP-assigned addresses. This option requires firmware 0.12 or newer.

WxLAN policies must be created under WLAN templates or Site > Policies to block layer 3 traffic. Access control lists from other vendors can be used as a basis for WxLAN policies that achieve similar results.

Filtering
Mist APs support Proxy ARP by default. When a Mist AP sees an ARP request for a connected client, instead of forwarding the request over the air it sends an ARP response on behalf of the client back to the wired network.

Please note: It is recommended to keep the ARP and Broadcast/Multicast filters enabled except where specific use cases require disabling them or allowing mDNS, SSDP, or IPv6. Disabling the filters or allowing mDNS, SSDP, and IPv6 can introduce performance issues on the network, especially in large environments.

  • ARP Filter: When the ARP filter is enabled, all ARP broadcast requests are blocked from going to the specified wireless interface. When the ARP filter is disabled, Proxy ARP will try to resolve the Ethernet address of each request and, if the address is not known, will flood the original request to any interface not being ARP filtered.
  • Broadcast / Multicast Filter: When enabled, this filter will BLOCK ALL broadcast and multicast packets on the specified interface, except: a) ARP (handled by the ARP filter above), b) DHCP broadcast transactions, c) IPv6 Neighbor Discovery frames (ICMPv6). All other broadcasts will be blocked, including IPv6 broadcasts/multicasts and ALL mDNS frames (IPv4 and IPv6).
    • Allow MDNS Checkbox: This option ONLY has an effect when the Broadcast / Multicast filter above is ENABLED. When selected, it will ALLOW mDNS packets to be transmitted through the specified interface, for both IPv4 and IPv6 mDNS. If not selected, the Broadcast/Multicast filter treats mDNS frames like any other broadcast/multicast frame and blocks them.
    • Allow SSDP Checkbox: This option ONLY has an effect when the Broadcast / Multicast filter above is ENABLED. When selected, it will ALLOW SSDP packets to be transmitted through the specified interface, for both IPv4 and IPv6 SSDP. If not selected, the Broadcast/Multicast filter treats SSDP frames like any other broadcast/multicast frame and blocks them.

Apple Bonjour uses mDNS for network discovery, so mDNS may be a broadcast you want to allow.
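The filter behavior described above, modeled as a small Python decision function (an added illustration, not Mist's code): the frame kinds, the client table and the config field names are constructed assumptions used only to show how Proxy ARP, the ARP filter, the Broadcast/Multicast filter and the mDNS/SSDP allow options interact.

```python
from dataclasses import dataclass


@dataclass
class FilterConfig:
    """Assumed names for the per-WLAN filter settings described in the text."""
    arp_filter: bool = True          # block ARP broadcast requests toward the wireless interface
    bcast_mcast_filter: bool = True  # block all other broadcast/multicast frames
    allow_mdns: bool = False         # only meaningful when bcast_mcast_filter is True
    allow_ssdp: bool = False         # only meaningful when bcast_mcast_filter is True


@dataclass
class Frame:
    """Constructed classification of a frame arriving from the wired side."""
    kind: str            # arp_request | dhcp | icmpv6_nd | mdns | ssdp | other_bcast | unicast
    target_ip: str = ""  # only used for arp_request


class WirelessFilter:
    """Decides what the AP does with a wired-side frame destined for the wireless interface."""

    def __init__(self, config: FilterConfig, known_clients: dict):
        self.config = config
        self.known_clients = known_clients  # ip -> mac of clients associated to this AP

    def decide(self, frame: Frame) -> str:
        c = self.config
        if frame.kind == "unicast":
            return "forward"
        if frame.kind == "arp_request":
            # Proxy ARP: answer on behalf of a connected client instead of sending over the air
            if frame.target_ip in self.known_clients:
                return "proxy-reply"
            # Unknown target: the request is only flooded if the interface is not ARP filtered
            return "drop" if c.arp_filter else "flood"
        if not c.bcast_mcast_filter:
            return "forward"  # filter off: the allow checkboxes have no effect
        # Broadcast/Multicast filter on: apply the documented exceptions
        if frame.kind in ("dhcp", "icmpv6_nd"):
            return "forward"
        if frame.kind == "mdns" and c.allow_mdns:
            return "forward"
        if frame.kind == "ssdp" and c.allow_ssdp:
            return "forward"
        return "drop"


if __name__ == "__main__":
    ap = WirelessFilter(FilterConfig(), {"10.0.0.5": "aa:bb:cc:dd:ee:ff"})  # constructed client
    for f in (Frame("arp_request", "10.0.0.5"), Frame("arp_request", "10.0.0.9"), Frame("mdns")):
        print(f.kind, f.target_ip, "->", ap.decide(f))
```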

DTIM Settings

DTIM – A period of 2 beacons is normal; this can be increased for power-sensitive clients.

To enable the DTIM option in the WLAN config, please open a support ticket requesting the “legacy-encryption” tag.