Just a small comment: As far as I understand, "AP isolation" doesn't work if you don't have a WLAN controller but do have more than one AP. E.g. in the following setup
ap1--sw1--sw2--ap2
with "AP isolation" turned on, clients associated to ap1 cannot communicate directly with other clients associated to ap1; however, they can communicate directly with those associated to ap2. Broadcast from ap1's clients also gets to all clients at ap2.
Hi András,
This is one place where Cisco's "switchport protected" comes in handy.
Yes, but only as long as all APs are connected to the same switch, as I understand. (That's why I put two switches in the example above.)
You can get the same effect with other brands. For example, in one on-the-cheap 5-AP hotspot I did, I vlaned the APs (using an older 802.1q capable switch) back to a Linux bridge with "ebtables --insert FORWARD --jump DROP". The Linux bridge was also the default router out of the wlan, so anything *to* the router worked but anything that would be forwarded was dropped instead. Works great.
Nice, that should do the trick with multiple switches too.

Regards, András
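
The per-AP-VLAN bridge described in the thread, as an added example that is not from any of the posters: a shell function that prints the `ip` and `ebtables` commands for such a setup. The trunk interface `eth1`, bridge name `br-wlan`, VLAN IDs and gateway address are assumptions, and the DROP rule is scoped to the one bridge with `--logical-in`, which the command quoted above does not do.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: trunk NIC eth1,
# bridge br-wlan, gateway 192.0.2.1/24, one VLAN ID per AP (constructed).
TRUNK=${TRUNK:-eth1}
BRIDGE=${BRIDGE:-br-wlan}
GW_ADDR=${GW_ADDR:-192.0.2.1/24}

# Print the commands that put each AP's VLAN on one bridge and drop
# every frame the bridge would forward between ports (AP to AP).
isolation_cmds() {
    [ "$#" -ge 1 ] || { echo "usage: isolation_cmds VLAN_ID..." >&2; return 1; }
    # Validate everything first so a bad ID never yields a partial plan.
    for vid in "$@"; do
        case $vid in
            ''|0*|*[!0-9]*|?????*) echo "invalid VLAN ID: $vid" >&2; return 1 ;;
        esac
        [ "$vid" -le 4094 ] || { echo "VLAN ID out of range: $vid" >&2; return 1; }
    done
    echo "ip link add name $BRIDGE type bridge"
    echo "ip link set dev $TRUNK up"
    for vid in "$@"; do
        echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
        echo "ip link set dev $TRUNK.$vid master $BRIDGE"
        echo "ip link set dev $TRUNK.$vid up"
    done
    # The bridge's own address is the clients' default router: frames to it
    # traverse the INPUT chain, so they are not affected by the rule below.
    echo "ip addr add $GW_ADDR dev $BRIDGE"
    echo "ip link set dev $BRIDGE up"
    # Frames bridged from one AP VLAN to another traverse FORWARD: drop them.
    echo "ebtables --insert FORWARD --logical-in $BRIDGE --jump DROP"
}

# Plan for a five-AP site; review it, then pipe to "sh -e" as root to apply.
isolation_cmds 101 102 103 104 105
```

Each AP's switch port has to carry only that AP's VLAN to the trunk, and "AP isolation" stays enabled on the APs themselves to cover clients on the same AP.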