Apartment block deployment

Hello all

What would be the best way to deploy a wifi solution to a block of 500 residential apartments with each apartment isolated from the others? The only authentication would be PSK, so I don't think policy won't work. I did think of using multiple controllers with SSID-based separation, but I would need 5 or more C5210 controllers.
Justsomebodi

Posted 3 years ago

Gareth Mitchell, Extreme Escalation Support Engineer

Ronald Dvorak, Embassador

  • 45,130 Points 20k badge 2x thumb
Hi J,

If the traffic is passing through the controller (bridge@EWC and routed topology), just enable "block MU to MU traffic" in the WLAN service in the advanced settings.

If it's bridge@AP just follow the link that Gareth posted for a configuration example.

But the result is that clients from the same apartment also couldn't talk to each other, i.e. no streaming from your notebook to Chromecast via WLAN.

With only PSK and no authentication method, policy will not work, as there is no way to know whether the client in apartment#1 is connected to the AP in apartment#1 - might be that the signal from the AP in apartment#2 is better and he'll connect to this one.


So what we'd do with authentication, i.e. EAP-PEAP username/password.
A C5210 supports up to 256 topologies and 1024 roles and you need at least two for redundancy.
Set up a topology/VLAN for every apartment and also a role per apartment.
Client#1 of apartment#1 connects to the AP with username/pw and gets the role-apartment#1 back from the NAC (or RADIUS).

In that case you've the apartments isolated but clients from the same apartment could transmit data to each other and you only need a controller pair for it.

-Ron
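
The per-apartment plan described in the post above, as an added example (not code from the thread or from the vendor): it gives each apartment its own VLAN and role, renders the RADIUS reply attributes that would place an authenticated client there, and checks the plan against the topology and role figures quoted in the post. The VLAN base, the role naming, and carrying the role name in Filter-Id are assumptions.

```python
from dataclasses import dataclass

# Per-controller figures quoted in the post above.
MAX_TOPOLOGIES = 256
MAX_ROLES = 1024
VLAN_BASE = 1000  # assumption: first apartment VLAN ID (constructed value)


@dataclass(frozen=True)
class ApartmentPlan:
    apartment: int
    vlan_id: int
    role: str

    def radius_reply(self):
        """RFC 3580 VLAN attributes; the role in Filter-Id is an assumption."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(self.vlan_id),
            "Filter-Id": self.role,
        }


def build_plan(apartments, vlan_base=VLAN_BASE):
    """Give every apartment its own VLAN and role so none is shared."""
    last = vlan_base + apartments - 1
    if apartments < 1 or vlan_base < 1 or last > 4094:
        raise ValueError(
            f"cannot allocate {apartments} VLANs from {vlan_base} within 1-4094")
    return [ApartmentPlan(n, vlan_base + n - 1, f"role-apartment-{n}")
            for n in range(1, apartments + 1)]


def exceeded_limits(plan, max_topologies=MAX_TOPOLOGIES, max_roles=MAX_ROLES):
    """List each quoted per-controller figure that the plan does not fit within."""
    needed = {"topologies": len({p.vlan_id for p in plan}),
              "roles": len({p.role for p in plan})}
    limits = {"topologies": max_topologies, "roles": max_roles}
    return [f"{k}: need {needed[k]}, limit {limits[k]}"
            for k in needed if needed[k] > limits[k]]


if __name__ == "__main__":
    plan = build_plan(500)  # the 500 apartments from the question
    print(plan[0].radius_reply())
    print(exceeded_limits(plan) or "plan fits the quoted figures")
```
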
Justsomebodi

Thanks guys. Really helpful. As we won't have a RADIUS or NAC, I suspect authenticating as Ron suggested can't be done.