12-26-2014 07:41 PM - edited 07-05-2021 02:11 AM
Is there a way to take a WLC 5508, enable peer-to-peer blocking functionality and send the traffic upstream to be run through an ACL and then sent back down to the WLC 5508 into the same WLAN? A switch typically won't forward traffic out the port it came in on, right?
I know this sounds crazy, but I want to use ISE to apply a Security Group Tag to hosts and then use a higher-powered switch to filter traffic rather than doing it on the WLC.
The goal is for hosts on the same WLAN to have or not have access to each other based on authentication / SGT. For instance, if Joe authenticates, all of Joe's devices can talk to each other. If Mary authenticates, all of Mary's devices can talk as well. However, based on security group tagging and SGACLs, Mary's devices cannot talk to Joe's.
Any thoughts?
12-27-2014 06:24 AM
Under the WLAN config, you can set the Peer to Peer action to disable, drop, or forward upstream.
--
Steve
12-27-2014 06:57 AM
Thanks for the quick response Steve. However, I am already aware of that setting. My question focuses more on the switching that will happen once the traffic is pushed upstream.
"A switch typically won't forward traffic out the port it came in on right?"
This is based on what I have read in the peer-to-peer blocking section of the docs here:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1209597
"In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received."
03-02-2016 02:54 PM
To make things work you need to enable 2 commands on the SVI so you can forward traffic on the same interface.
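The post above does not name the two SVI commands. The configuration below is an added example, not from any poster in this thread; it assumes an IOS/IOS-XE Layer 3 switch fronting an AireOS WLC (not an SG300), and the choice of `ip local-proxy-arp` plus `no ip redirects` as the two commands is this example's assumption. Interface names, VLAN, subnet, WLAN id and SGT values are placeholders.

```ios
! Added example; assumptions: AireOS WLC CLI, IOS/IOS-XE upstream switch, WLAN id 1.
!
! WLC: stop bridging client-to-client traffic on WLAN 1 and push it upstream instead.
config wlan disable 1
config wlan peer-blocking forward-upstream 1
config wlan enable 1
!
! Upstream switch SVI fronting the WLC. The switch would otherwise drop frames that
! must leave on the interface they arrived on. Local proxy ARP makes the SVI answer
! ARP requests for same-subnet peers, so peer traffic is routed through the SVI and
! can be filtered there; disabling ICMP redirects keeps clients from bypassing it.
interface Vlan100
 description Wireless client VLAN (placeholder)
 ip address 10.100.0.1 255.255.255.0
 ip local-proxy-arp
 no ip redirects
 ip access-group WLAN-CLIENT-FILTER in
!
! Placeholder ACL applied where the hairpinned traffic is now routed.
ip access-list extended WLAN-CLIENT-FILTER
 permit ip 10.100.0.0 0.0.0.255 any
!
! With ISE assigning SGTs, enforce per-group policy on the same switch instead of
! a plain ACL. SGT 10 / 20 are placeholder tags for two users' device groups.
cts role-based enforcement
cts role-based permissions from 10 to 10 PERMIT-ALL
cts role-based permissions from 20 to 20 PERMIT-ALL
cts role-based permissions from 10 to 20 DENY-ALL
cts role-based permissions from 20 to 10 DENY-ALL
```

Verify the hairpin works before relying on the policy: from one wireless client, ARP for a peer should now resolve to the SVI MAC, and the ACL or SGACL hit counters on the switch should increment for peer-to-peer flows.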
10-19-2021 12:10 AM
I have the same problem with the Cisco C9800 WiFi controller...
How to apply the two commands...?
On the switch? Or on the WLC?
I use a Cisco SG300 switch and a C9800 WiFi controller with C9120 APs...
The SSID is FlexConnect local switching.
Is it possible?
10-20-2021 01:30 PM
I don't know if it is possible on an SG300 switch, but you need to configure this on the SVI of the router that is fronting your WLC.
01-17-2015 02:28 PM
Hi, I think the peer-to-peer blocking option "forward upstream" will achieve this. It'll forward to the default gateway of the VLAN, where you can apply the ACL.
I am not 100% sure about this, but you can give it a shot.