peer-to-peer blocking / SGT / upstream behavior

Is there a way to take a WLC 5508, enable the peer-to-peer blocking functionality and send the traffic upstream to be run through an ACL and then sent back down to the WLC 5508 into the same WLAN?  A switch typically won't forward traffic out the port it came in on, right?


I know this sounds crazy, but I want to use ISE to apply a Security Group Tag to hosts and then use a higher-powered switch to filter the traffic rather than doing it on the WLC.


The goal is for hosts on the same WLAN to have or not have access to each other based on authentication / SGT.  For instance, if Joe authenticates, all of Joe's devices can talk to each other.  If Mary authenticates, all of Mary's devices can talk as well.  However, based on security group tagging and SGACLs, Mary's devices cannot talk to Joe's.


Any thoughts?

Stephen Rodriguez
Cisco Employee

Under the WLAN config, you can set the Peer to Peer action to disable, drop, or forward upstream.

Thanks for the quick response Steve.  However, I am already aware of that setting.  My question focuses more on the switching that will happen once the traffic is pushed upstream.


"A switch typically won't forward traffic out the port it came in on right?"

This is based on what I have read in the peer-to-peer blocking section of the docs here:

"In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received."


To make things work you need to enable two commands on the SVI so that traffic can be forwarded back out the same interface.

These are the two commands that must be enabled on the SVI:
ip local-proxy-arp
ip route-cache same-interface
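Putting the two SVI commands together with an upstream ACL, as an added example that is not from any post in this thread: the WLAN uses peer-to-peer blocking "forward upstream", the router's SVI answers ARP for peers with its own MAC (local proxy ARP), routes the hairpinned traffic back into the VLAN, and the inbound ACL decides what passes. The VLAN number, subnet, DNS address and ACL name are assumed values.

```ios
! Added example, not from the thread. Assumed values: VLAN 100,
! client subnet 10.100.0.0/24, DNS server 10.100.0.10, ACL name CLIENT-P2P.
ip access-list extended CLIENT-P2P
 remark Clients may still reach DHCP and the assumed DNS server
 permit udp any any eq bootps
 permit udp 10.100.0.0 0.0.0.255 host 10.100.0.10 eq domain
 remark Client-to-client traffic hairpinned through this SVI is dropped and logged;
 remark on a TrustSec-capable switch an SGACL would make this decision per SGT instead
 deny ip 10.100.0.0 0.0.0.255 10.100.0.0 0.0.0.255 log
 remark Traffic leaving the client subnet is allowed
 permit ip 10.100.0.0 0.0.0.255 any
!
interface Vlan100
 description Wireless client VLAN (WLC P2P blocking = forward upstream)
 ip address 10.100.0.1 255.255.255.0
 ! Answer ARP for hosts in this subnet so peers send to the gateway MAC
 ip local-proxy-arp
 ! Allow the routed packet to leave on the interface it arrived on
 ip route-cache same-interface
 ! Filter the hairpinned traffic
 ip access-group CLIENT-P2P in
```

Verify with `show ip access-lists CLIENT-P2P`: the deny counter should increase when two clients on the same WLAN try to reach each other, while DHCP, DNS and off-subnet traffic keep flowing.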



I have the same problem with the Cisco C9800 WiFi controller...


How do I apply the two commands...?

On the switch? Or on the WLC?


I use a Cisco SG300 switch and a C9800 WiFi controller with C9120 APs...


The SSID is FlexConnect local switching.


Is it possible?

I don't know if it is possible on an SG300 switch, but you need to configure this on the SVI of the router that is fronting your WLC.

Viten Patel
Cisco Employee

Hi, I think the peer-to-peer blocking option "forward upstream" will achieve this. It'll forward to the default gateway of the VLAN, where you can apply the ACL.


I am not 100% sure about this, but you can give it a shot.

