Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1982
Views
5
Helpful
7
Replies

peer-to-peer blocking / SGT / upstream behavior

schaef350
Level 1
Level 1

‎12-26-2014 07:41 PM - edited ‎07-05-2021 02:11 AM

Is there a way to take a WLC 5508, enable peer-to-peer blocking functionality and send the traffic up stream to be ran through an ACL and then sent back down to the WLC 5508 back into the same WLAN?  A switch typically won't forward traffic out the port it came in on right?

 

I know this sounds crazy but I want to use ISE to apply a Security Group Tag to hosts and then use a higher powered switch to filter traffic rather than doing it on the WLC. 

 

The goal is for hosts on the same WLAN to have or not have access to each other based on Authentication / SGT.  For instance if Joe authenticates all of Joe's device can talk to each other.  If Mary authenticates all of Mary's devices can talk as well.  However, based on security group tagging and SGACLs Mary's devices cannot talk to Joe's. 

 

Any thoughts?

- Be sure to rate all helpful posts
Labels:
0 Helpful
7 Replies 7

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎12-27-2014 06:24 AM

under the WLAN config, you can set the Peer to Peer action to disable, drop, or forward upstream.

 

--

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

schaef350
Level 1
Level 1
In response to Stephen Rodriguez

‎12-27-2014 06:57 AM

Thanks for the quick response Steve.  However, I am already aware of that setting.  My question focuses more the the switching that will happen once the traffic is pushed up stream.

 

"A switch typically won't forward traffic out the port it came in on right?"

This is based on what I have read in the peer-to-peer blocking section of the docs here:

 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1209597

"In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received."

 

- Be sure to rate all helpful posts
0 Helpful

payala
Level 1
Level 1
In response to schaef350

‎03-02-2016 02:54 PM

To make things work you need to enable 2 commands in the SVI so you can forward traffic in the same interface

telematique
Level 1
Level 1
In response to payala

‎06-05-2018 12:59 PM

There's the two commands must be enable in the SVI
ip local-proxy-arp
ip route-cache same-interface
0 Helpful

florian.hanig1
Level 1
Level 1
In response to telematique

‎10-19-2021 12:10 AM

@telematique 

 

I have the same Problem with Cisco C9800 Wifi Controller...

 

How to apply the two commands ... ?

On the Switch ? Or on WLC ?

 

I use Cisco SG300 Switch and C9800 Wifi Controller with C9120 AP's...

 

SSID ist Flexconnect Local Switching.

 

It is possible ?

0 Helpful

telematique
Level 1
Level 1
In response to florian.hanig1

‎10-20-2021 01:30 PM

I don't know if it possible on a SG300 switch but you need to configure this on the SVI of the router that fronting your wlc.

0 Helpful

Viten Patel
Cisco Employee
Cisco Employee

‎01-17-2015 02:28 PM

hi, i think the peer-to-peer blocking option forward upstream will achieve this. it ll forward to the default gateway of the vlan where you can apply the ACL.

 

am not 100% sure about this but you can give it a shot.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card