09-10-2024 02:06 PM
I am having a hard time with this issue, going back and forth with TAC. It seems this is not going to work, so I thought I'd paste it here to get more input, please. Of course there is a lot of discussion about P2P blocking with ACLs; here is mine:
C9800 17.9.5, AP 91K, wireless client mode, FlexConnect local switching. Since P2P blocking only works with clients on the same AP, I am trying to implement it with an ACL:
Here are the recent changes I made based on TAC's advice; it still does not work:
Extended IP access list RES-P2P-BLOCK
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit ip 172.30.0.0 0.0.255.255 host 172.30.0.1
40 permit ip host 172.30.0.1 172.30.0.0 0.0.255.255
50 deny ip 172.30.0.0 0.0.255.255 172.30.0.0 0.0.255.255
60 permit ip any any
I applied the ACL on the Flex profile "Policy ACL" tab and the "VLAN" tab, in both directions, for VLAN 22.
Result: it blocks P2P if the clients are on the same AP and allows it if they are on different APs (the opposite behavior from using P2P drop on the WLAN).
Note: based on TAC and some comments on some posts in the community, I did not apply it on the Policy profile.
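Before arguing about where the controller enforces an ACL, it is worth confirming what the ACE list itself says. The following is an added example, not code from the original post or from Cisco: a small first-match evaluator for the RES-P2P-BLOCK list above (Cisco wildcard masks, implicit deny at the end), run against a constructed set of flows: DHCP in both directions, client to gateway and back, client to client, and client to the Internet. It models the ACL logic only; it cannot model whether the AP or the controller actually applies the list to a given client, which is the behaviour the thread is about. The flow names and addresses (172.30.22.x clients, gateway 172.30.0.1, 8.8.8.8 as "Internet") are assumptions chosen to match the subnet in the ACL.

```python
"""Offline evaluator for a Cisco IOS-style extended ACL.

Added example (not from the forum post or from Cisco). It reproduces only
the ACE semantics: first match wins, 'ip' matches any protocol, 'eq' ports
apply to the destination, and an unmatched packet hits the implicit deny.
"""
import ipaddress

BOOTP_PORTS = {"bootps": 67, "bootpc": 68}

# Copy of the ACL as posted in the thread (same ACEs, same order).
RES_P2P_BLOCK = """
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit ip 172.30.0.0 0.0.255.255 host 172.30.0.1
40 permit ip host 172.30.0.1 172.30.0.0 0.0.255.255
50 deny ip 172.30.0.0 0.0.255.255 172.30.0.0 0.0.255.255
60 permit ip any any
"""


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard, consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), 2)


def parse_acl(text):
    """Parse 'seq action proto src dst [eq port]' lines into ACE dicts."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto, rest = int(t[0]), t[1], t[2], t[3:]
        src, swc, n = _parse_addr(rest)
        rest = rest[n:]
        dst, dwc, n = _parse_addr(rest)
        rest = rest[n:]
        dport = None
        if rest[:1] == ["eq"]:
            dport = BOOTP_PORTS[rest[1]] if rest[1] in BOOTP_PORTS else int(rest[1])
        aces.append(dict(seq=seq, action=action, proto=proto,
                         src=src, swc=swc, dst=dst, dwc=dwc, dport=dport))
    return aces


def _addr_match(ip, addr, wildcard):
    # Cisco wildcard: a 1 bit in the wildcard is a don't-care bit.
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)


def evaluate(aces, src, dst, proto="ip", dport=None):
    """Return (action, seq) of the first matching ACE, or ('deny', None)."""
    for a in aces:
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if not _addr_match(src, a["src"], a["swc"]):
            continue
        if not _addr_match(dst, a["dst"], a["dwc"]):
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"], a["seq"]
    return "deny", None  # implicit deny at the end of every IOS ACL


# Constructed test flows: (name, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("dhcp discover (client -> server)", "0.0.0.0", "255.255.255.255", "udp", 67),
    ("dhcp offer (server -> client)", "172.30.0.1", "255.255.255.255", "udp", 68),
    ("client -> gateway", "172.30.22.10", "172.30.0.1", "ip", None),
    ("gateway -> client", "172.30.0.1", "172.30.22.10", "ip", None),
    ("client -> client, same VLAN", "172.30.22.10", "172.30.22.11", "ip", None),
    ("client -> host in another 172.30.x VLAN", "172.30.22.10", "172.30.30.5", "ip", None),
    ("client -> Internet", "172.30.22.10", "8.8.8.8", "ip", None),
]

ACES = parse_acl(RES_P2P_BLOCK)


def run_samples():
    """Evaluate every constructed flow; returns {name: (action, seq)}."""
    return {name: evaluate(ACES, s, d, p, port) for name, s, d, p, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, (action, seq) in run_samples().items():
        print(f"{name:45s} -> {action} (ACE {seq})")
```

Two things the run makes visible: the ACE list does what the post intends for client-to-client traffic on the same VLAN (ACE 50 denies it while DHCP, the gateway, and anything outside 172.30.0.0/16 stay permitted), and ACE 50 also denies traffic to any other host in the whole 172.30.0.0/16 range, so a server or printer on another 172.30.x VLAN would be blocked too unless it gets its own permit above line 50. If the evaluator says "deny 50" but two clients on different APs can still talk, the ACE list is not the problem; the enforcement point is.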
09-11-2024 07:12 AM - edited 09-11-2024 07:19 AM
09-11-2024 03:49 PM
Actually, initially I followed that doc and it did not work. Here are my findings from the back and forth with TAC; today's response:
He said that since the ACL now works when clients are on different APs but not on the same AP, add P2P drop on the policy profile to cover that part. Basically he says to combine the ACL with P2P Block and said no other solution is available. I responded and said this definitely has no logic unless it's a bug or something, because imagine what happens if later on I want to give access to a certain client: guess what happens if they are on the same AP? It will be blocked by P2P drop! Then I asked him to escalate, and he said he will and will let me know ........
09-11-2024 09:37 PM
90% of the solution is knowing what does not work:
Client to client in the same WLAN on the same AP
Client to client in a different WLAN on the same AP
Client to client in the same WLAN on a different AP
Client to client in a different WLAN on a different AP
MHM
09-12-2024 11:37 AM
Here is the summary of my interaction with TAC on this, for the community to see:
- In FlexConnect local switching mode, P2P Blocking only works when clients are on the same AP (applied on the SSID:
P2P Blocking Action -> Drop)
- For the above limitation, the workaround is an ACL applied on the Flex Profile "Policy ACL" and "VLAN" tabs (and not the policy profile access policies tab)
- So for end-to-end P2P communication to be blocked, both the ACL and "P2P Blocking Action -> Drop" are required
I told TAC this is not an acceptable solution; it does not work for me and it does not scale. For example, if later on I want a specific client to be able to communicate with another specific client and allow it in an ACL ACE, then if both are on the same AP it is not feasible and gets blocked! TAC escalated and came back and said that is the limitation and it might change in the future......
Note: all these notes are based on TAC advice and I'm not sure of their accuracy.