Isolate IP connecting through WLAN

Fares7
Level 1

We have a WLC with access points that provides WLAN access for users and assigns IPs in the range 192.168.5.0/24.

We need to isolate 192.168.5.10 from communicating with other IPs in the same subnet. 

I know it will be layer 2 communication, so is there a way to isolate this IP without creating another SSID for this user?

5 Replies

Check if peer-to-peer blocking matches your requirement.

https://www.kareemccie.com/2018/06/what-is-peer-2-peer-blocking-in-cisco.html

https://community.cisco.com/t5/wireless/private-vlan-in-wireless/td-p/1405388

Please rate this and mark it as the solution/answer if this resolved your issue.
Good luck
KB

Hi,

Under the same SSID, what you can do is isolate clients, preventing them from communicating with one another, but this will be true for any client under that SSID. This means there will be no communication between clients on that SSID. You can do it by enabling P2P blocking on the WLAN. As I said, this solution may not help you if you want to isolate only one IP (client).

For AireOS-based WLCs, I don't believe you can solve that.

For newer WLCs like the 9800, you have client profiling, which could give you more flexibility, and ultimately, if you have DNAC, then you are able to apply micro-segmentation at the client level in conjunction with ISE.

ammahend
VIP Alumni

Are the 192.168.5.0/24 users limited to wireless only, or does it extend to the wired network also?

-hope this helps-

Scott Fella
Hall of Fame

Without really knowing your setup, one way you can do this is to use RADIUS like ISE and place that device, with MAC auth or another type of auth, in a different subnet and be done with it. Create an isolated subnet where you want to place it, or maybe add future devices to. So depending on how the device authenticates, you can use MAB or even 802.1X to place device(s) into another VLAN. If you have DNAC and ISE, you can use SG tagging like @Flavio Miranda mentioned. Just options to think about.

-Scott
*** Please rate helpful posts ***

S Leigh
Level 1

Hi,
You could always put an access list on the VLAN blocking that address, as an idea.
