P2P is permit all or deny all.

If by any chance the application use some sort of server then you could use  "Forward-UpStream"

and "Allow Private Group", relies on iPSK devices.

As usual the documentation is not great - but as others have hinted the allow-private group options only creates close user groups for users using the same PSK:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model/m_wlans.html

"You can also block the peer-to-peer traffic if any two clients do not share the same pre-shared key (PSK). This is supported on local and flex-connect modes.

Peer-to-peer blocking can be configured at three levels: allow, drop, and pre-shared key.

• Allow-private-group: Enables the blocking of peer-to-peer traffic with the same tag value. If allow-private-group is disabled, then all peer-to-peer traffic with different tag values are dropped."

But that won't actually do what you want anyway.  I think your only way to achieve this will be P2P allowed and with ACLs to control the access but that will probably be far from perfect.  Also watch out for how Chromecast loads up the SSID.

Hi. You are right. This will not work the way i want it too. I'm not able to use iPSK. As i am unable to tag devices. But i've been looking into another workaround. Which is going have to be to solution here, because, lets face it, it's not possible to do what i want in my current network. Which basically is to: Use the network that i have, that has "Drop" in P2P in WLC. But i want them to not drop to only one device, this chromecast device. I tought this was possible trough some way of MAC-address reservation of some kind. But i guess if it says "Drop" it drops all P2P traffic on the network...

So i have come up with two workarounds. And need to know if option 1 is possible, with someones confirmation.

Option 1: My current network that i have i WLC that is set to "Drop". Lets call this SSID: "Network 1". Can i set up a new SSID "Network 2" on the WLC and put the chromecast / IOT devices etc in this network. And from there configure a bridge betweek network 1 and 2. Because the devices on "Network 1" are the ones that need to "cast" to the chromecast which is on "network 2". If you catch my drift.

Option 2: Create a new SSID for Chomecast / IOT devices and use the chromecast in "Guest Mode" which will prob work as its not reliant to be on the same WiFi as the device that "casts" to the chromecast, but is instead reliant on a PIN (4-digit code) to cast.

@Rich R @Flavio Miranda @patoberli 

Let me know if you can think of another workaround.

Brilliant. Thanks for the responses: @JPavonM  @Rich R @Flavio Miranda . I'm going to go for option 2 as this is what its intended for. Due to security reasons, i'm not able try option 1, i cannot have the SSID's in the same VLAN. As much as i would like to try it. This is in a production enviroment, if it would have been a lab, i woudl've tried it. Maybe sometime in the future.

- Kristian