How to block p2p traffic of clients connected to the same SSID on different WLCs

Hi all,

I use two WLC 4400 (4.2.x version) with a mobility domain and one SSID; both WLCs are connected to a Cisco L2 switch infrastructure. On the WLC I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked, or also multicast and broadcast traffic like ARP requests?

Concerning blocking p2p traffic of clients connected to the same SSID but different controllers, I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):

===

Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?

A. The feature or mode that performs a similar function to PSPF in the lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available on the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined the same controller. When enabled, this mode does not block wireless clients terminated on one controller from reaching wireless clients terminated on a different controller, even in the same mobility group.

===

Does anybody know what the best practice is to prevent this inter-WLC client traffic? I already read about using ACLs on the WLC dynamic interfaces, or private VLANs on the L2 switch VLANs to which the dynamic interfaces are connected. Is it allowed to completely isolate the WLCs from each other on these dynamic interfaces with ACLs or private VLANs, or do the WLCs need to see each other on these interfaces (e.g. heartbeat)?

Many thanks in advance,

Thorsten

19 Replies

Hello there, did we ever get an answer on this? Still wondering if private VLAN is the way to go, or perhaps protected ports, which may not scale well in a large wireless network.

Michael Burk
Level 1

I too would like to know if a best practice has ever been discovered for this.

I have a site that has 550 APs with 4 x 5508, so I have to use multiple controllers at this site.

Thanks in advance.

We're still using ACLs on the dynamic interfaces; not nice, but it's working fine in our environment (6 WLCs).

Best Regards

Thorsten

Very good, can you provide some sample ACL lines so we can see how that would look?

In my case the controllers are connected via Layer 2, and I'm not sure the L2 traffic of a client on Controller1 would hit the SVI before being switched to a given client on Controller2.

Config example on WLC 44xx:

WLAN client net: 10.1.1.0/24, default gateway 10.1.1.10 (dedicated router in our case)

ACL rules:

1. 10.1.1.0 /24 -> 10.1.1.10: Permit
2. 10.1.1.10 -> 10.1.1.0 /24: Permit
3. 10.1.1.0 /24 -> 10.1.1.0 /24: Deny
4. 10.1.1.0 /24 -> 0.0.0.0 /0: Permit
5. 0.0.0.0 /0 -> 10.1.1.0 /24: Permit

In short: allow traffic to/from the default gateway, deny traffic inside the net, allow traffic to/from the rest.
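As an added illustration (not Thorsten's configuration and not WLC code), the five rules above modelled as a first-match ACL: it checks every client pair in 10.1.1.0/24 and shows why the two gateway permits have to come before the in-subnet deny, since 10.1.1.10 itself lies inside 10.1.1.0/24. Top-down first-match evaluation with an implicit final deny is an assumption of this model, not something the thread states about the WLC.

```python
import ipaddress
from typing import List, Tuple

# Values taken from the post: the WLAN client net and its default gateway.
CLIENT_NET = "10.1.1.0/24"
GATEWAY = "10.1.1.10/32"
ANY = "0.0.0.0/0"

Rule = Tuple[str, str, str]  # (source prefix, destination prefix, action)

# The five rules from the post, in the order given.
ISOLATION_ACL: List[Rule] = [
    (CLIENT_NET, GATEWAY, "permit"),   # 1. clients -> gateway
    (GATEWAY, CLIENT_NET, "permit"),   # 2. gateway -> clients
    (CLIENT_NET, CLIENT_NET, "deny"),  # 3. client -> client inside the net
    (CLIENT_NET, ANY, "permit"),       # 4. clients -> everything else
    (ANY, CLIENT_NET, "permit"),       # 5. everything else -> clients
]

# Same rules with the deny moved to the top: a plausible mistake that
# would also cut clients off from their gateway.
MISORDERED_ACL: List[Rule] = [ISOLATION_ACL[2]] + ISOLATION_ACL[:2] + ISOLATION_ACL[3:]


def compile_acl(acl: List[Rule]):
    """Parse prefixes once so evaluation over many flows stays cheap."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), a) for s, d, a in acl]


def evaluate(compiled, src: str, dst: str, default: str = "deny") -> str:
    """Return the action of the first rule matching src -> dst.

    Assumption of the model: top-down, first match wins, implicit final deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in compiled:
        if s in src_net and d in dst_net:
            return action
    return default


def isolation_holds(acl: List[Rule], net: str = CLIENT_NET, gateway: str = GATEWAY) -> bool:
    """True if, for every pair of hosts in net, only flows involving the gateway are permitted."""
    compiled = compile_acl(acl)
    gw = ipaddress.ip_network(gateway).network_address
    hosts = list(ipaddress.ip_network(net).hosts())
    for a in hosts:
        for b in hosts:
            if a == b:
                continue
            want = "permit" if gw in (a, b) else "deny"
            if evaluate(compiled, str(a), str(b)) != want:
                return False
    return True
```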
