WLC 9800 per WLAN East-West ACLs

Is it possible to apply an East-West ACL on clients joining a specific WLAN? If so, what is the best way to go about that? We have a few public WLANs that we would like to implement peer-to-peer ACLs on for protection/inoculation from potentially infected devices.

Accepted Solution

Arshad Safrulla (VIP Alumni)

I would do the below:

If APs are in Local Mode - block P2P in the WLAN, and use a VACL in the upstream device where the WLC is connected.

If APs are in Flex mode - block P2P in the WLAN and apply a VACL as required in the upstream devices. Read the documentation related to the platform and the code running in your production, as there are certain limitations of P2P when APs are in Flex mode.

Another option is per-user ACLs using a RADIUS server; this will give you more granular control on what you want to achieve. However, you have the option of deploying a post-auth ACL if you have LWA or EWA.

 

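As an added example (not from the original thread or from Cisco documentation), here is what the accepted solution looks like as configuration: peer blocking on the guest policy profile of a Catalyst 9800, with AAA override so a RADIUS-returned ACL name can be honoured per user, plus a VACL on the upstream Catalyst switch for traffic that never passes through the WLC. The profile and ACL names, VLAN 100, the 10.10.100.0/24 guest subnet and the 10.10.100.1 gateway are assumed placeholders.

```text
! ---- Catalyst 9800 WLC (assumed names; adapt to your site) ----
! ACL a RADIUS server can return by name for a guest user (e.g. in
! Airespace-ACL-Name). The gateway is permitted first so DHCP relay
! and default-route traffic survive, then guest-to-guest is denied.
ip access-list extended GUEST-NO-P2P
 10 permit ip any host 10.10.100.1
 20 deny   ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
 30 permit ip any any
!
wireless profile policy GUEST-POLICY
 description "Public WLAN - peer blocking"
 aaa-override                ! apply the per-user ACL returned by RADIUS
 peer-blocking drop          ! East-West inside the WLAN dropped on the WLC
 vlan 100
 no shutdown
!
! ---- Upstream Catalyst switch (VLAN 100 = guest VLAN) ----
! VACL for intra-VLAN traffic the WLC never sees (e.g. Flex locally
! switched clients on different APs, or wired hosts in the same VLAN).
! In a VACL match ACL, "deny" means "not matched", so the gateway
! entries fall through to sequence 20 and are forwarded.
ip access-list extended GUEST-EW
 deny   ip any host 10.10.100.1
 deny   ip host 10.10.100.1 any
 permit ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
!
vlan access-map GUEST-EW-MAP 10
 match ip address GUEST-EW
 action drop
vlan access-map GUEST-EW-MAP 20
 action forward
!
vlan filter GUEST-EW-MAP vlan-list 100
```

Verify with `show wireless profile policy detailed GUEST-POLICY` on the WLC and `show vlan access-map` / `show vlan filter` on the switch; the VACL matches IP only, so ARP between guests is still bridged.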

3 Replies

Hi

For East-West the better option is to apply P2P blocking. However, this is not conditional. Once enabled, no traffic will travel East-West inside the same WLAN.

If you want to filter some ports only, I don't believe it is possible on the same WLAN.


Thanks for the helpful feedback, this confirms what we suspected. We are currently using RADIUS for our per-user ACLs in some of the WLANs and were just wondering if it were possible to do the guest WLANs without RADIUS, but it sounds like RADIUS is the right way to go moving forward.
