Higher Education

Occasional Contributor II

Wireless Client Isolation

I'm interested in exploring the repercussions of turning *off* wireless client isolation and I'm curious to know other peoples' experiences.  We have been getting more requests/complaints that one wireless device can't communicate with another wireless device.  

 

We currently have ~2k APs with approximately 10k users per day.  These devices are load balanced in a VLAN pool of 10 /22 networks.  I fear that turning off isolation will unload a slew of broadcast traffic on our APs and measurably degrade performance.  

 

Specific Questions:

Has anyone in a large network turned off client isolation? To what effect?

Is there a way to limit broadcast traffic? (to just ARP I guess, is there other broadcast traffic necessary?)

Can anyone think about a reasonable way to test this change without swamping the entire network?

Is there another solution to the problem I haven't thought of?

 

14 REPLIES
Guru Elite

Re: Wireless Client Isolation

If this is a controller, enabling Broadcast filter All  (block Broadcasts and Unknown multicast) on your Virtual APs will suppress all broadcasts.  Enabling Deny inter user bridging will not suppress all broadcasts.

 

Deny inter user is probably what is blocking your clients' connectivity to each other....



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Wireless Client Isolation

You misunderstand.  I know that wireless client isolation is on and I know how to turn it off.  I am asking how do I turn it off without melting my network.  10k devices' broadcasts for who-knows-what reasons are a lot of traffic to bounce around the air.

Guru Elite

Re: Wireless Client Isolation

You are right.  I don't understand.  

 

I will say that there are many people running large networks without client isolation enabled.  Client isolation cannot block clients sending out a broadcast.  It can only block clients attempting to unicast traffic to each other.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Wireless Client Isolation

You do not understand.

Small VLANs in a pool used to be the best way to control broadcast traffic. The "drop broadcast & multicast" option is now the best way.

We do not do client isolation and have clients on /16 networks with no broadcast issues.

Try it, you'll like it! :D

 

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Frequent Contributor I

Re: Wireless Client Isolation

IMO client isolation does provide some good protection for recent security related events like the WannaCry ransomware attack.  Otherwise you could set up ACLs to provide some additional protections on some high risk ports, etc. between wifi clients and disable client isolation.

 

Personally in my environment I like the added protection of isolation and we clearly state this in our AUP.

Super Contributor I

Re: Wireless Client Isolation

You can turn off just broadcasts/multicast without hurting ARP.  We've been running with this on all vlans for forever with big flat VLANs.

 

interface vlan XXX
   ip local-proxy-arp
   bcmc-optimization

wlan virtual-ap XXX
   broadcast-filter all

 

Then look into AirGroup if the users want to discover their gadgets.  ISTR setting an option that allows same-username devices to multicast to each other is dead simple and doesn't get into the weeds at all.  Then you can work up from there, being careful not to let the punk in the next room over screenshare offensive material to someone's unsecured TV just because he's on the same AP.
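A small added example (mine, not bjulin's or Aruba's) aimed at the OP's questions 2 and 3: it classifies captured Ethernet frames by how the broadcast-filter all plus ip local-proxy-arp pair above would treat them, so a baseline capture from one VLAN shows how much of the flooded traffic is ARP versus other broadcast and multicast before the change is rolled out. The frames are constructed inline; the fate strings summarise the behaviour described in this thread, not a controller's actual counters.

```python
from __future__ import annotations
import struct
from collections import Counter

ETHERTYPE_ARP, ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_VLAN = 0x0806, 0x0800, 0x86DD, 0x8100
BROADCAST_MAC = b"\xff" * 6


def classify(frame: bytes) -> tuple[int | None, str, str]:
    """Return (vlan_id, kind, fate) for one raw Ethernet frame.

    kind: broadcast-arp / broadcast-other / multicast / unicast
    fate: what 'broadcast-filter all' + 'ip local-proxy-arp' would do with it
    """
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = None
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag: 16-bit TCI, then the inner ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF                  # low 12 bits of the TCI are the VLAN ID
    if dst == BROADCAST_MAC:
        if ethertype == ETHERTYPE_ARP:
            return vlan, "broadcast-arp", "answered by controller proxy-ARP, not flooded to the air"
        return vlan, "broadcast-other", "dropped by broadcast-filter all"
    if dst[0] & 0x01:                        # I/G bit set: group (multicast) address
        return vlan, "multicast", "dropped unless the group is known (IGMP snooping / AirGroup)"
    return vlan, "unicast", "forwarded"


def summarize(frames: list[bytes]) -> Counter:
    """Count frames per (vlan, kind) so the flooded share of each VLAN is visible."""
    return Counter((vlan, kind) for vlan, kind, _fate in map(classify, frames))


def suppressed_count(frames: list[bytes]) -> int:
    """Frames that would no longer be flooded over the air after the change."""
    return sum(1 for f in frames if classify(f)[1] != "unicast")


def make_frame(dst: bytes, vlan: int | None, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed test frame (source MAC is arbitrary)."""
    src = bytes.fromhex("001122334455")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample: one ARP request and one NetBIOS-style IPv4 broadcast on VLAN 100,
# mDNS and IPv6 all-nodes multicast on VLAN 101, and one untagged unicast frame.
SAMPLE_FRAMES = [
    make_frame(BROADCAST_MAC, 100, ETHERTYPE_ARP, b"\x00" * 28),
    make_frame(BROADCAST_MAC, 100, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 27),
    make_frame(bytes.fromhex("01005e0000fb"), 101, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 27),
    make_frame(bytes.fromhex("333300000001"), 101, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39),
    make_frame(bytes.fromhex("00aabbccddee"), None, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 27),
]
```

Feed it frames read from a short tcpdump/tshark capture on one VLAN pool member to get a per-VLAN picture of what the filter would remove.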

 

New Member

Re: Wireless Client Isolation

And to further the point, Aruba has been recommending a single vlan, no matter the size, with the settings configured the way bjulin posted about, for the past few years.  The reason being, vlans do not limit broadcast traffic on the wireless side the way that they limit it on the wired side.  If a single client is connected to an AP from VLAN 100, that AP will broadcast that to all clients connected to the AP, regardless of the VLAN that they are on.  However, if you make the optimizations that are recommended, then of course that behavior will not occur.

 

If I am mistaken with this information, please let me know.

Frequent Contributor I

Re: Wireless Client Isolation


pmauretti wrote:

And to further the point, Aruba has been recommending a single vlan, no matter the size, with the settings configured the way bjulin posted about, for the past few years.  The reason being, vlans do not limit broadcast traffic on the wireless side the way that they limit it on the wired side.  If a single client is connected to an AP from VLAN 100, that AP will broadcast that to all clients connected to the AP, regardless of the VLAN that they are on.  However, if you make the optimizations that are recommended, then of course that behavior will not occur.

 

If I am mistaken with this information, please let me know.



You are mistaken.

The reason Aruba first introduced VLAN pools was to reduce broadcast traffic. That is handled much better now with the "drop broadcast and multicast" settings.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Super Contributor I

Re: Wireless Client Isolation

Well, the real reason to do it is to intentionally break all the living-room-ware before it can cause problems.  Not having your network drown in a sea of discovery protocols is just a side-benefit :-)

 

But to put a less cynical, technically pretty spin on it: First you make your network an NBMA topology.  Then, if you want, use AirGroup to introduce a BC/MC domain that is completely decoupled from the legacy IP netmask.

 

VLAN pools are probably still useful if you can't come up with consecutive IP addresses.
