More VLANs questions

We have a few AP 5700s with several SMs registered to them, all running 7.14. My question is whether it is possible to separate each SM’s traffic through the AP by configuring the Canopy VLAN feature in each one of them, so that if I connect an SM to the same AP there is no way to sniff or “see” the other SMs’ networks. I’ll be glad if you give me some advice; tips are welcome. Maybe setting up a broadband router on each SM could be the solution. What router could I use? Good and cheap?



Yes, you could isolate each SM’s traffic through the AP using VLANs, but you would then need to terminate each VLAN on the other side of the APs and route those tunnels to the Internet or wherever they need to go outside the Canopy network. A low-end Cisco (e.g., 1742) or 3Com router (e.g., 3016), and likely many others, can terminate multiple IEEE 802.1Q VLANs. But more importantly, the VLANs would not make the traffic more secure: if the packets can be sniffed, then the VLAN tags provide no protection for the packet’s data.

There’s no reason, however, to be concerned about a sniffer on the customer’s side of an SM. A Canopy network built using standard APs and SMs – running Canopy software released by Motorola – doesn’t provide the capability of sniffing for packets not intended for receipt by an individual AP or SM. Potentially, code could be written for an SM or AP that does permit it to forward all wireless packets it receives to its Ethernet interface, and on to a connected sniffer. I’m not aware, however, that Motorola has released this type of code. A dedicated and ambitious hacker could write the code, but I suspect Canopy networks are not pervasive enough to interest a hacker.

If your customers don’t trust you, they should be creating their own VPN tunnel to wherever they want to go. This is what SSL (Secure Socket Layer) does in a web browser when the URL starts with https://. If they want their traffic to be safe from sniffers when they browse to sites without SSL, or send or receive their email when it travels via SMTP or POP3, then they need to understand that the Internet, by its nature, is insecure. Even if they protect their conversations from you, the organization controlling the wireless network, someone else could still sniff their packets as those packets travel the globe.
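
An added illustration, not part of the original thread and not Canopy or Motorola code, of the point in the reply above that an IEEE 802.1Q tag separates traffic but does not protect the packet's data. The MAC addresses, VLAN ID 120 and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100    # EtherType value that announces an IEEE 802.1Q tag
ETH_LOCAL_EXP = 0x88B5 # IEEE local-experimental EtherType, used for the sample

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:       # 0 and 4095 are reserved values
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vid        # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid or None, ethertype, payload), as a capture tool would decode it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return vid, ethertype, frame[offset:]

# Constructed sample data (locally administered MACs, made-up cleartext payload)
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
PAYLOAD = b"USER alice\r\nPASS example-only\r\n"

def demo():
    untagged = build_frame(DST, SRC, ETH_LOCAL_EXP, PAYLOAD)
    tagged = build_frame(DST, SRC, ETH_LOCAL_EXP, PAYLOAD, vid=120)
    # The tag adds 4 bytes of header; the payload bytes are unchanged and readable.
    return parse_frame(untagged), parse_frame(tagged), len(tagged) - len(untagged)

if __name__ == "__main__":
    for vid, ethertype, payload in demo()[:2]:
        print(f"vid={vid} ethertype={ethertype:#06x} payload={payload!r}")
```

The tagged and untagged frames decode to the same payload bytes; only the 4-byte tag differs, which is why confidentiality has to come from encryption such as a VPN or SSL rather than from the VLAN.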

Hello Teknix!

Does that mean that I need to connect a VLAN-intelligent device (i.e., a router or a VLAN-enabled switch) to the AP’s Ethernet port to segregate the traffic of all the SMs?

Thanking you,