392 Views | 4 Helpful | 8 Replies

Flexconnect + Local switching peer to peer isolation

Zaku1987 (Level 1)

Greetings, I am looking for some guidance regarding peer-to-peer isolation using multiple APs with local switching.
I am using an EWC with four APs and am looking to implement some form of peer isolation. I understand that it will work as is for devices on the same AP but not different APs.
Documentation suggests using FlexConnect ACLs; my question is what would such an ACL and its ACEs look like?

I have tried a couple of variations of something like the following without success:

Extended IP access list P2P_Blocking
1 permit ip host 10.1.2.1 any log
2 permit ip any host 10.1.2.1 log
3 deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255 log

8 Replies

@Zaku1987 

Peer-to-peer blocking will work for all users under the same WLAN, not AP. If all your users are under the same WLAN, P2P blocking will work for you.

If you have more than one WLAN, you can add the WLC to the Layer 3 device that routes your traffic.

Zaku1987 (Level 1)

The document does not suggest that?
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.9.x - Peer-to-Peer Client Support [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco
"FlexConnect central switching clients supports peer-to-peer blocking for clients associated with different APs. However, for FlexConnect local switching, this solution targets only clients connected to the same AP"

@Zaku1987 

You are right. What I said applies only to central switching, not local switching; sorry for that.

Extended IP access list P2P_Blocking
1 permit ip host 10.1.2.1 any log
2 permit ip any host 10.1.2.1 log
3 deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255 log

Who is 10.1.2.1? Is it one client?

Haydn Andrews (VIP Alumni)

I went through this with Cisco.
The following were the recommendations on how to achieve this:
SDA (No thanks)
MAC ACLs on the switch (No thanks)
Flex ACLs
I believe your ACL is correct if .1 is the default gateway.
I believe you may need a permit any any following the deny statement to allow the users to access other resources (subnets).
Also, if DHCP/DNS are in the same VLAN, allow them.

Suggest testing it in a lab though.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
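To see what the posted P2P_Blocking ACL does before and after the advice above (a permit for DHCP/DNS ahead of the deny, and a trailing permit any any), here is a small first-match evaluator for IOS-style extended IP ACLs. This is an added example, not code from the thread or from Cisco; it models only the source/destination address matching with wildcard masks and the implicit deny at the end of every IOS ACL, and it ignores protocol and port matching. The 10.1.2.10 DNS/DHCP server, the 10.1.2.50/10.1.2.51 clients and the 192.168.10.5 remote host are constructed addresses.

```python
# Added example (not from the thread): evaluate an IOS-style extended IP ACL
# to check which traffic the P2P_Blocking ACL permits or denies.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str


def _take_spec(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # network + wildcard mask


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show access-list' style lines: '<seq> <permit|deny> ip <src> <dst> [log]'."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue                      # skip the 'Extended IP access list' header
        seq, action = int(t[0]), t[1]
        src, i = _take_spec(t, 3)         # t[2] is the protocol keyword ("ip")
        dst, _ = _take_spec(t, i)         # anything after dst (e.g. "log") is ignored
        acl.append(Ace(seq, action, src, dst))
    return acl


def _match(spec: str, ip: str) -> bool:
    """Match one address against an ACE source/destination spec."""
    if spec == "any":
        return True
    addr = int(ipaddress.IPv4Address(ip))
    if spec.startswith("host "):
        return addr == int(ipaddress.IPv4Address(spec.split()[1]))
    net, wild = spec.split()
    # In a wildcard mask a 1 bit means "don't care"; compare only the 0 bits.
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (addr & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny (seq None)."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, ace.seq
    return "deny", None


# The ACL exactly as posted in the thread (10.1.2.1 assumed to be the gateway).
AS_POSTED = parse_acl("""
Extended IP access list P2P_Blocking
1 permit ip host 10.1.2.1 any log
2 permit ip any host 10.1.2.1 log
3 deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255 log
""")

# Hypothetical revision following the advice in the thread: the (constructed)
# DHCP/DNS server 10.1.2.10 is permitted before the intra-subnet deny, and a
# trailing permit any any keeps other subnets reachable.
REVISED = parse_acl("""
1 permit ip host 10.1.2.1 any log
2 permit ip any host 10.1.2.1 log
3 permit ip any host 10.1.2.10
4 permit ip host 10.1.2.10 any
5 deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255 log
6 permit ip any any
""")

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("revised", REVISED)):
        print(f"--- {name} ---")
        print("client -> client  ", evaluate(acl, "10.1.2.50", "10.1.2.51"))
        print("client -> gateway ", evaluate(acl, "10.1.2.50", "10.1.2.1"))
        print("client -> DNS     ", evaluate(acl, "10.1.2.50", "10.1.2.10"))
        print("client -> remote  ", evaluate(acl, "10.1.2.50", "192.168.10.5"))
```

Running it shows the two points made in the reply: with the ACL as posted, a client reaching a DNS or DHCP server in the same VLAN hits ACE 3 and is dropped, and traffic to any other subnet matches nothing and falls to the implicit deny; the revised ordering keeps the client-to-client deny while permitting the gateway, the local server and off-subnet destinations.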

RxTx (Level 1)

Did you try to enable the P2P Blocking Action available in every Wi-Fi SSID config?

[attached screenshot: Screenshot_2024-12-06_09-39-59.png]

ammahend (VIP)

Is 10.1.2.1 your gateway?

Did you apply the ACL?

  1. Log in to the Cisco Wireless LAN Controller (WLC).
  2. Navigate to WLANs > Select the SSID to configure.
  3. Go to the Advanced tab.
  4. Under FlexConnect ACL, select the appropriate ACL
  5. Apply the changes.
-hope this helps-

Rich R (VIP)

You can also achieve the same effect by combining P2P blocking with "switchport protected" on the AP switch ports, such that no AP port can talk to any other AP port, only to the uplink or router port. If and how this is configured depends on your switch topology and connectivity requirements, so it can get complicated, but it is worth considering too.
There are plenty of guides and videos on how to use this feature if you search.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960l/software/15-2_7_e/configuration_guide/sec/b_1527e_security_2960l_cg/protected_ports.html

https://networklessons.com/switching/protected-port-cisco-catalyst-switch
