topic Re: P2P Blocking with ACL in Wireless

P2P Blocking with ACL

Najib Akbari — Tue, 10 Sep 2024 21:06:24 GMT

I am having hard time with this issue going back and forth with TAC.it seems this is not going to work.So i though i paste it here to get more input please. of course there is a lot of various conversation regarding P2P blocking with ACL and here is mine:

C9800 17.9.5 AP 91K - wireless client mode FLex Mode local switching . and since P2P blocking only works with clients on same AP then I am trying to implement it with ACL:

Here is the recent changes I made based on TAC advise and still does not work:

Extended IP access list RES-P2P-BLOCK
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit ip 172.30.0.0 0.0.255.255 host 172.30.0.1
40 permit ip host 172.30.0.1 172.30.0.0 0.0.255.255
50 deny ip 172.30.0.0 0.0.255.255 172.30.0.0 0.0.255.255
60 permit ip any any

applied the ACL on Flex profile "Policy ACL" tab and "VLAN" tab in both direction vlan 22.

result: it blocks P2P if clients are on the same AP and allows if different APs ( opposite behavior when use P2P drop in WLAN )

Note: Based on TAC and some comments on some post in the communityI did not apply it on Policy profile.

Re: P2P Blocking with ACL

MHM Cisco World — Wed, 11 Sep 2024 14:19:13 GMT

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html#toc-hId-1437898928

check flexcon acl local

MHM

Re: P2P Blocking with ACL

Najib Akbari — Wed, 11 Sep 2024 22:49:25 GMT

Actually initially I followed that Doc and did not work . here is my finding with TAC back and forth today's response :

He said since now ACL works when clients on different APs not same AP then add P2P drop on policy profile to cover that part, basically he says combine ACL with P2P Block and said no other solution available. i responded back and said this defininelty has no login unless its a bug or something because imagine what if later on i want to give access to certain client then guess what happens if they are the same AP?! it will be blocked by P2P drop! then asked him to escalated and he said he will and he will let me know ........

Re: P2P Blocking with ACL

MHM Cisco World — Thu, 12 Sep 2024 04:37:16 GMT

90% of solution know what is not work

Client to client in same WLAN in same AP

Client to client in differ WLAN in same AP

Client to client in same WLAN in differ AP

Client to client in differ WLAN in differ AP

MHM

Re: P2P Blocking with ACL

Najib Akbari — Thu, 12 Sep 2024 18:37:25 GMT

here is the summary of my interaction with TAC on this for the community to see:

- on Flex Mode Local switching P2P Blocking only works when clients are on same AP ( Applied on SSID
P2P Blocking Action - > Drop )
- for the above limitation the work around is ACL applied on Flex Profile "Policy ACL" and "VLAN" Tab ( and not policy profile access policies tab)
- so for the end 2 end P2P communication to be blocked both ACL and "P2P Blocking Action - > Drop" are required

I told TAC this is not an acceptable solution, it does not work for me and it does not scale. for example if later on I want specific client to be able to communicate with another specific client and allowed on ACL ACE then if both are on same AP then not feasible and being blocked! TAC escalated and came back and said that is the limitation and might change in future......

Note: all this notes are based on TAC advice and Im not sure of its accuracy