Restricting access to LAN from WLAN Catalyst 9115 EWC

Teilo2022
Level 1

I have set up two WLANs using four 9115AX APs.

I have a Staff WLAN which is accessed via a PSK. On the second WLAN I want to restrict access to the LAN and to other clients on the LAN and just give access to outbound traffic, so people on this WLAN can browse the web but not, for example, access or see our file share server etc. on our LAN.

I'm not sure of the "Cisco" terminology, but on older Access Points it was something like "Client Isolation"?

7 Replies

Scott Fella
Hall of Fame

Typically, if the devices land on different VLANs, you would have an access list to do that work, or a firewall. If you want to look at ACLs from the wireless point of view, then look at this link. I'm assuming you are running EWC:

Cisco Embedded Wireless Controller on Catalyst Access Points Configuration Guide, IOS XE Amsterdam 17.2.x - IPv4 ACLs [Cisco Embedded Wireless Controller on Catalyst Access Points] - Cisco

What was there and still is available is peer to peer blocking, but that is not what you want.

-Scott
*** Please rate helpful posts ***

Teilo2022
Level 1

Hi Scott - Thanks for that, very useful - Yes, on EWC.

Scott Fella
Hall of Fame

So your best bet is to use an ACL on your L3 switch/router or your firewall. I tend not to use the ACL on the controller unless it is to restrict access to the controller management.

-Scott

Teilo2022
Level 1

Is there a specific reason why the ACL shouldn't be done on the controller? I wasn't expecting this to be so complicated, when on previous APs it was a tick in a box.


Rich R
VIP

Peer-to-peer blocking is still a tick in a box.

@Scott Fella's point is that you should have those WLANs connected to different VLANs to achieve separation, rather than using ACLs. You still need to use peer-to-peer blocking on that WLAN to prevent clients "talking" to each other.
Separate VLANs achieve full layer 2 and IP separation of the clients. Trying to do the same on WLANs when the clients are still in the same VLAN is just messy and imperfect, and would never pass a security audit.
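As an added illustration of what Scott's and Rich's advice looks like in configuration (this is not from the thread or from Cisco's documentation), the fragment below puts the guest WLAN in its own VLAN, filters it on the L3 switch's SVI rather than on the controller, and turns on peer-to-peer blocking in the EWC policy profile. Everything specific is an assumption: guest VLAN 30 with subnet 192.168.30.0/24 (which the landlord organisation would have to provide in addition to the two VLANs the OP has), an internal LAN inside the RFC 1918 ranges, an ACL named GUEST-IN, and a policy profile named GUEST-POLICY.

```text
! --- L3 switch or router that holds the guest SVI (assumed VLAN 30) ---
! Order matters: DHCP is permitted first, then anything aimed at a private
! range is dropped, then whatever is left (Internet-bound) is permitted.
! If your DNS or DHCP server sits inside a private range, add a permit for
! that host above the deny lines.
ip access-list extended GUEST-IN
 remark allow guest clients to obtain an address via DHCP
 permit udp any eq bootpc any eq bootps
 remark block the internal LAN and every other private range
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else is outbound to the Internet
 permit ip any any
!
interface Vlan30
 description Guest WLAN (assumed addressing)
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
!
! --- EWC on the 9115 APs (assumed policy profile name) ---
! The SVI ACL only sees traffic that leaves the subnet; guest-to-guest
! traffic inside VLAN 30 never reaches it, which is what peer-blocking
! is for. As Rich notes, it does not cover multicast, and FlexConnect
! local switching has its own limitations (see the linked guide).
wireless profile policy GUEST-POLICY
 shutdown
 vlan 30
 peer-blocking drop
 no shutdown
```

Apply the policy profile to the guest WLAN through its policy tag as you would any other EWC policy profile; the ACL direction is "in" on the SVI because that is where guest-originated traffic enters the L3 device.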

Teilo2022
Level 1

Peer-to-peer blocking, as far as I understand, works per VLAN as well; even though you configure it on the WLAN, both the Guest WLAN and the main WLAN which we want to isolate it from are on the same VLAN. We are provided 2 VLANs by a separate organisation we are tenants of, one of which is used for Comms and the other for Data.

Rich R
VIP

Take note of the limitations of peer-to-peer blocking in the context of FlexConnect local switching (which is what you're using with EWC), and also that it is not applied to multicast:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-2/config-guide/ewc_cg_17_2/peer_to_peer_client_support.html
