On the new (8.x) firmware there is a new setting, SM Isolation, and it gives you 3 options. What is everyone setting this to, and what are the disadvantages and advantages?
J
From page 242 of the manual:
SM Isolation
Prevent or allow SM-to-SM communication by selecting from the following drop-down menu items:
◦ Disable SM Isolation (the default selection). This allows full communication between SMs.
◦ Block SM Packets from being forwarded. This prevents both multicast/broadcast and unicast SM-to-SM communication.
◦ Block and Forward SM Packets to Backbone. This not only prevents multicast/broadcast and unicast SM-to-SM communication but also sends the packets, which otherwise would have been handled SM to SM, through the Ethernet port of the AP.
Since we use NAT and therefore route everything, I don’t see this as critical to us. If, however, you are bridging, blocking would prevent the whole scary network neighborhood (or My Network Places <sigh>) thing.
Whether you’d want the forwarding would depend on your specific network and how you wanted to handle SM-SM traffic.
Please be sure to read the manual. You’ll be a better operator for it.
Thanks. I was wondering about that too. Could you explain more? Especially about the third option, forward packets to backbone. If it's blocking packets from SM to SM, what packets are forwarded? Which one would be better on a bridged network and why?
Thank you very much
The three options basically look like this:
Default (no blocking): Traffic can flow from SM to SM through an AP without any barrier.
Block: No SM to SM traffic is permitted at all. All traffic from an SM to another SM (I assume only on the same AP – can someone verify?) is dropped.
Block and Forward: Instead of packets going from SM to SM within the AP, the packets that would flow from SM to another SM will instead flow out the ethernet port on the AP, allowing filtering/rejection/monitoring/shaping/whatever you want to do with it at the network level on the other side of the AP.
Clear as mud?
cool!
Thanks
cvs wrote:
Block: No SM to SM traffic is permitted at all. All traffic from an SM to another SM (I assume only on the same AP -- can someone verify?) is dropped.
yes.
and if you want to block traffic from an SM to a different AP in a cluster you'll have to make use of VLAN settings on the CMM.
(My Network Places <sigh>)
Thanks, overlapme. I assumed that had to be the case, because the APs don’t, as far as I know, communicate. I just had no confirmation or personal experience to back it up. I hate making definitive statements based on assumption.
If you are a WISP & provide service to customers, using both SM to SM isolation & AP to AP isolation, which would end up trunking all traffic to a router, would help make you CALEA compliant.