topic under the WLAN config, you in Wireless

peer-to-peer blocking / SGT / upstream behavior

schaef350 — Mon, 05 Jul 2021 09:11:17 GMT

Is there a way to take a WLC 5508, enable peer-to-peer blocking functionality and send the traffic up stream to be ran through an ACL and then sent back down to the WLC 5508 back into the same WLAN? A switch typically won't forward traffic out the port it came in on right?

I know this sounds crazy but I want to use ISE to apply a Security Group Tag to hosts and then use a higher powered switch to filter traffic rather than doing it on the WLC.

The goal is for hosts on the same WLAN to have or not have access to each other based on Authentication / SGT. For instance if Joe authenticates all of Joe's device can talk to each other. If Mary authenticates all of Mary's devices can talk as well. However, based on security group tagging and SGACLs Mary's devices cannot talk to Joe's.

Any thoughts?

under the WLAN config, you

Stephen Rodriguez — Sat, 27 Dec 2014 14:24:31 GMT

under the WLAN config, you can set the Peer to Peer action to disable, drop, or forward upstream.

Steve

Thanks for the quick response

schaef350 — Sat, 27 Dec 2014 14:57:55 GMT

Thanks for the quick response Steve. However, I am already aware of that setting. My question focuses more the the switching that will happen once the traffic is pushed up stream.

"A switch typically won't forward traffic out the port it came in on right?"

This is based on what I have read in the peer-to-peer blocking section of the docs here:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1209597

"In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received."

hi, i think the peer-to-peer

Viten Patel — Sat, 17 Jan 2015 22:28:13 GMT

hi, i think the peer-to-peer blocking option forward upstream will achieve this. it ll forward to the default gateway of the vlan where you can apply the ACL.

am not 100% sure about this but you can give it a shot.

Hey have you figure it out

payala — Wed, 02 Mar 2016 22:54:31 GMT

To make things work you need to enable 2 commands in the SVI so you can forward traffic in the same interface

Re: Hey have you figure it out

telematique — Tue, 05 Jun 2018 19:59:06 GMT

There's the two commands must be enable in the SVI
ip local-proxy-arp
ip route-cache same-interface

Re: Hey have you figure it out

florian.hanig1 — Tue, 19 Oct 2021 07:10:08 GMT

@telematique

I have the same Problem with Cisco C9800 Wifi Controller...

How to apply the two commands ... ?

On the Switch ? Or on WLC ?

I use Cisco SG300 Switch and C9800 Wifi Controller with C9120 AP's...

SSID ist Flexconnect Local Switching.

It is possible ?

Re: Hey have you figure it out

telematique — Wed, 20 Oct 2021 20:30:33 GMT

I don't know if it possible on a SG300 switch but you need to configure this on the SVI of the router that fronting your wlc.