2628 Views | 16 Helpful | 15 Replies

Anyone still using Peer to Peer Blocking on WLAN

trapasso
Level 1

Hello,

I work at a University and I have always had P2P blocking set to Drop. With all the students it was peace of mind. I have just been asked if it is relevant. I personally still think P2P blocking is relevant and maintains a nice security posture, but I am curious what others think.

Do people still set P2P blocking or do you just disable it?


15 Replies

Rasika Nayanajith
VIP Alumni

The P2P blocking feature only works for clients connected to the same AP. In that sense, it is not very useful for controlling P2P traffic between users across multiple APs.

Therefore I would suggest disabling it.

HTH
Rasika
*** Pls rate all useful responses ***

That's not strictly true @Rasika Nayanajith - what you're saying applies to local switching WLAN.

For centrally switched WLAN P2P blocking is enforced at the WLC level so applies to all clients on the WLAN regardless of which AP they're connected to.

Do people still set P2P blocking?
YES - our business is primarily public guest hotspots and it is an absolute security requirement of the service.  Clients must be able to connect to the internet but not anything else connected to the WLAN.  Failure to enforce that blocking can lead to disastrous consequences when you can't control who connects to the WLAN - for example users screen casting objectionable material to an unsecured TV connected to the same WLAN, or attempting to hack other users' devices.

@Rich R - thanks for clarifying that. Does P2P blocking work across the same WLAN across different WLCs if they are in a mobility group? I assume it would not work if they are not in a mobility group.

Believe me, using an ACL to deny a wifi client from connecting to another wifi subnet is much better than using p2p.

P2P, as I mentioned, has many types and there are many restrictions.

Disable it, that's my recommendation.

MHM

@MHM Cisco World how would you configure an ACL to prevent p2p connections between clients on the same WLAN, on the same subnet and at layer 2? While technically possible with very complex MAC and IP ACLs (where supported), this solution would not be very effective or scalable (for example multicast packets used by Bonjour are often not covered by MAC ACLs).

When Meraki first came out it did not support p2p blocking and it was necessary to use ACLs on the APs to achieve some level of p2p blocking - been there, done that - and it's not a neat solution.  The feature was added because numerous customers (like us) needed the p2p blocking feature.  You might not need it in your networks but it is mandatory in some networks.

p2p is not even relevant or an option when clients are in different subnets - because they're not peers.  In that case ACL to control layer 3 traffic between subnets is the appropriate solution but would not be called p2p blocking in the context of WiFi.

I would expect not @eglinsky2012 but it would also depend on what mobility is in play because with a layer 3 roam the client connection could still be to the other WLC via the mobility tunnel.

From the Cisco doc.
There are many restrictions, as I mentioned before. You can use it if it is mandatory, but if not I recommend keeping the default (disabled).

Restrictions

  • Peer-to-peer blocking does not apply to multicast traffic.

  • Peer-to-peer blocking is not enabled by default.

  • In FlexConnect, peer-to-peer blocking configuration cannot be applied only to a particular FlexConnect AP or a subset of APs. It is applied to all the FlexConnect APs that broadcast the SSID.

  • FlexConnect central switching clients support peer-to-peer upstream-forward. However, this is not supported in FlexConnect local switching. This is treated as peer-to-peer drop and client packets are dropped.

  • FlexConnect central switching clients support peer-to-peer blocking for clients associated with different APs. However, for FlexConnect local switching, this solution targets only clients connected to the same AP. FlexConnect ACLs can be used as a workaround for this limitation.

I made very clear in my first reply that I was referring to the CENTRAL SWITCHING use case.
Yes, with local switching there are many caveats and the decision to use p2p blocking will depend on the use case and taking those caveats into consideration - I've never disagreed with that.

My point is that p2p blocking works really well for most peer to peer traffic on a centrally switched WLAN and for certain use cases it is essential/required as a fundamental security measure.  That doesn't mean we don't also use other security measures (like ACLs) which are still required, but those ACLs are much simpler and generic when p2p blocking blocks most of the possible p2p connections as early as possible.

Totally true.

MHM

Thank you for the detailed explanation and correction Rich, yes my response was not 100% accurate and mostly applicable to the Flex local switching scenario.

P2P has many types.

And many engineers disable it.

MHM

@trapasso 

I believe it is nice to have if segmentation is important in your environment. P2P blocking will prevent devices from talking to each other under the same WLAN; that's why it is enabled on a per-WLAN basis.

For traffic between WLANs you can use an ACL on the layer 3 device.
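The two layers of control described in this thread (per-WLAN peer blocking on the controller, plus a layer 3 ACL on the gateway for traffic between subnets) can be shown together. This is an added configuration example, not from any post above or from Cisco documentation; the WLAN id, profile name, SSID, VLAN and all addresses are placeholders chosen for illustration. The peer-blocking commands are the standard AireOS and IOS-XE (9800) forms; the ACL is a plain IOS extended ACL applied to the guest SVI.

```cisco
! --- 1. Peer-to-peer blocking on the WLAN (centrally switched) ---
! AireOS WLC: WLAN 3 is an assumed guest WLAN id.
config wlan disable 3
config wlan peer-blocking drop 3
config wlan enable 3
show wlan 3
!
! Catalyst 9800 (IOS-XE) equivalent, assumed profile/SSID names:
wlan GUEST-PROFILE 3 Guest-WiFi
 peer-blocking drop
!
! --- 2. Layer 3 ACL on the guest gateway ---
! Peer blocking only covers unicast between clients on the same WLAN
! (multicast is not covered, see the restrictions quoted above), so the
! gateway still needs an ACL to keep guests away from internal subnets.
! 10.90.0.0/16 is the assumed guest subnet; 10.90.0.53 an assumed DNS server.
ip access-list extended GUEST-IN
 remark allow DHCP and DNS needed to get online
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.90.0.53 eq domain
 permit tcp any host 10.90.0.53 eq domain
 remark deny everything else toward RFC1918 space (other WLANs, campus)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark internet only
 permit ip any any
!
interface Vlan390
 description Guest WLAN gateway (assumed VLAN)
 ip address 10.90.0.1 255.255.0.0
 ip access-group GUEST-IN in
```

The ACL deliberately does not try to stop guest-to-guest traffic inside 10.90.0.0/16: that is same-subnet, layer 2 traffic the router never sees, which is exactly the gap peer blocking on the WLAN closes. Conversely, peer blocking does nothing for traffic leaving the subnet, so both controls are needed for an internet-only guest service.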

alicemorgan3303
Level 1

P2P blocking is still relevant, especially in a university environment where security risks can be higher due to the large number of users and devices. It helps prevent unauthorized file sharing and potential malware spread. While some may argue it's less necessary now, maintaining P2P blocking is a good practice for ensuring a strong security posture. It's wise to review current needs and risks, but keeping it enabled generally provides peace of mind.

trapasso
Level 1

Hi everyone,

I want to thank everyone for their posts.

To Rich R, I agree with you about the differentiation between local and central switching. In my case we are centrally switched and you are correct.

To alicemorgan3303, thanks for your comments. 

We currently have p2p enabled but we are discussing whether it is still relevant; on our guest network, most definitely. I wanted to do a sanity check by asking this group the question.
