Layer 2 isolation on wireless controller from USG Flex 500
Hi @Niels2021
If the AP is controlled by a ZyWALL series device, there are many different scenarios in L2/L3 communication, so the L2 isolation function was removed from the AP profile.
As for your requirement: Wi-Fi clients can only access the Internet but are unable to communicate in the layer 2 network.
You can configure the following to realize your scenario:
(1) Enable Intra-BSS Traffic blocking in the AP profile.
-> Prevents peeping from associated Wi-Fi clients that are connected using the same AP and SSID.
(2) Enable L2 isolation on the switch ports that are connected to APs.
-> Prevents the switch from replying with the client MAC address to other APs. So enable L2 isolation on the AP-connected ports.
Zyxel_Stanley said:
Hi @Niels2021
If the AP is controlled by a ZyWALL series device, there are many different scenarios in L2/L3 communication, so the L2 isolation function was removed from the AP profile.
As for your requirement: Wi-Fi clients can only access the Internet but are unable to communicate in the layer 2 network.
You can configure the following to realize your scenario:
(1) Enable Intra-BSS Traffic blocking in the AP profile.
-> Prevents peeping from associated Wi-Fi clients that are connected using the same AP and SSID.
(2) Enable L2 isolation on the switch ports that are connected to APs.
-> Prevents the switch from replying with the client MAC address to other APs. So enable L2 isolation on the AP-connected ports.
Hello,
Thank you for your response.
Intra-BSS Traffic blocking is a start, but not enough, because everyone on another Access Point will still be able to access the client on a different Access Point.
Preventing switch replies to other APs is also not a solution, because the APs also have an internal SSID where clients are free to communicate with other wireless clients (for example, a mobile phone screencasting over Wi-Fi to a laptop).
Hi @Niels2021
You can still achieve your requirement by configuring different devices.
(1) On the FLEX500, create multiple VLANs for the different SSIDs (e.g. VLAN10/20 are isolated, VLAN30 is non-isolated).
(2) On the FLEX500, enable Intra-BSS Traffic blocking in the AP profiles that you would like to isolate (e.g. VLAN10/20).
(3) Enable VLAN isolation for the VLAN IDs that you would like to limit (some switches support it, e.g. GS1920). Then clients on the unlimited VLAN (SSID) are free to communicate with other wireless clients.
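
The three designs discussed in this thread, compared in a small Python model that is added here as an illustration (it is not Zyxel code or configuration). The client names, AP names, `Policy` fields and the forwarding rules are simplifying assumptions: the AP bridges same-SSID clients locally unless Intra-BSS blocking is on, and the switch drops frames between AP-facing ports when port or VLAN isolation applies.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Client:          # hypothetical wireless client
    name: str
    ap: str            # AP the client is associated with
    vlan: int          # VLAN its SSID is mapped to

@dataclass(frozen=True)
class Policy:          # hypothetical, simplified view of the settings
    intra_bss_block: frozenset = frozenset()  # VLANs/SSIDs with Intra-BSS blocking
    port_isolation: bool = False              # L2 isolation on all AP-facing ports
    vlan_isolation: frozenset = frozenset()   # VLANs isolated on the switch

def l2_reachable(a, b, p):
    """True if a and b can exchange frames directly at layer 2."""
    if a.vlan != b.vlan:
        return False                          # separate broadcast domains
    if a.ap == b.ap:
        return a.vlan not in p.intra_bss_block    # bridged inside the AP
    # Different APs: the frame crosses the switch between two AP-facing ports.
    return not (p.port_isolation or a.vlan in p.vlan_isolation)

def audit(clients, policy, isolate):
    """Return (leaks, broken) for the VLANs in `isolate` that must be isolated."""
    leaks, broken = [], []
    for a, b in combinations(clients, 2):
        if a.vlan != b.vlan:
            continue                          # routed traffic, the firewall's job
        ok = l2_reachable(a, b, policy)
        if a.vlan in isolate and ok:
            leaks.append((a.name, b.name))    # should be isolated, still talk
        elif a.vlan not in isolate and not ok:
            broken.append((a.name, b.name))   # should talk, no longer can
    return leaks, broken

# Constructed sample: VLAN10 = guest SSID, VLAN30 = internal SSID.
CLIENTS = [Client("guest1", "AP1", 10), Client("guest2", "AP1", 10),
           Client("guest3", "AP2", 10), Client("phone", "AP1", 30),
           Client("laptop", "AP2", 30)]
INTRA_ONLY = Policy(intra_bss_block=frozenset({10}))
PORT_ISOLATION = Policy(intra_bss_block=frozenset({10}), port_isolation=True)
PER_VLAN = Policy(intra_bss_block=frozenset({10, 20}),
                  vlan_isolation=frozenset({10, 20}))

if __name__ == "__main__":
    for pol in (INTRA_ONLY, PORT_ISOLATION, PER_VLAN):
        print(audit(CLIENTS, pol, isolate={10, 20}))
```

In this model, Intra-BSS blocking alone leaves guests on different APs reachable, blanket port isolation cuts the internal phone-to-laptop path, and the per-VLAN design produces neither problem.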