Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
5
Helpful
2
Replies

iPSK anchor/Foreign east west traffic & P2P

Go to solution
craiglebutt
Level 4
Level 4

‎03-04-2021 12:18 AM - edited ‎07-05-2021 01:19 PM

we have a requirement to allow non corporate devices straight out to the internet, this is to do with ISO27001.

 

So have started  to create iPSKs from internal to DMZ no problem, just time consuming creating DNS,DHCP, Zones ect on Firewall and then replicating to secondary links.

So plan is to have a generic iPSK instead of creating /29.

 

Issue is the east west traffic, even though it is not the company's data we still have to make secure till it gets to the internet.

 

With this in mind was looking at enabling P2P, If I've got this right should block the devices seeing each other on a /25 subnet if on the same WLC.  Is this the case with Anchor/Foreign WLCs as well?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-04-2021 04:49 AM

Make sure you understand the risk or what can happen. If you upgrade for example and the config changes and disabled p2p or there is a bug that the feature doesn’t block 100%, are you okay with that? If so, then test and validate that p2p blocking is working in your environment using multiple aps. What happens when you add another controller? You now have a risk of an ap moving to the other controller which p2p will not block. It seems like you are designing a workaround solution using a single ssid and that is okay, just understand the risk and or understand if there is a better way like a new ssid just for that.
-Scott
*** Please rate helpful posts ***

View solution in original post

2 Replies 2

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-04-2021 04:49 AM

Make sure you understand the risk or what can happen. If you upgrade for example and the config changes and disabled p2p or there is a bug that the feature doesn’t block 100%, are you okay with that? If so, then test and validate that p2p blocking is working in your environment using multiple aps. What happens when you add another controller? You now have a risk of an ap moving to the other controller which p2p will not block. It seems like you are designing a workaround solution using a single ssid and that is okay, just understand the risk and or understand if there is a better way like a new ssid just for that.
-Scott
*** Please rate helpful posts ***

Go to solution
craiglebutt
Level 4
Level 4
In response to Scott Fella

‎03-04-2021 05:08 AM

Cheers for that

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card