Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
5029
Views
5
Helpful
4
Replies

P2P Blocking Action behavior

mpitts
Level 1
Level 1

ā€Ž03-07-2017 04:02 PM - edited ā€Ž07-05-2021 06:40 AM

Hello!

I am looking to isolate client traffic for a certain WLAN. I want to deny traffic from clients on the same WLAN, across all APs.

Can anyone explain how p2p blocking action works? Are there any considerations? Please let me know if you need more information,

WLC2504 - FW version 7.6.120.0

Thanks!

Labels:
0 Helpful
4 Replies 4

Ric Beeching
Level 7
Level 7

ā€Ž03-07-2017 06:26 PM

Hey,

It is fairly straight forward when using centrally switched WLANs or with APs in local mode on the same WLC. If you apply P2P Blocking action of drop globally on your WLAN this will stop the APs/WLC forwarding packets between clients attached to all APs.

This does not apply to multicast traffic however.

Ric

-----------------------------
Please rate helpful / correct posts

mpitts
Level 1
Level 1
In response to Ric Beeching

ā€Ž03-07-2017 06:35 PM

Thanks Ric!

What if I have APs in flexconnect with local switching?

I am hearing conflicting information.

I appreciate you answering my questions!

0 Helpful

Ric Beeching
Level 7
Level 7
In response to mpitts

ā€Ž03-07-2017 06:38 PM

No probs,

For your version of software it appears that P2P blocking is supported on locally switched WLANs:

Peer-to-peer blocking is supported for clients that are associated with the local switching WLAN.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_01001100.html

Ric

-----------------------------
Please rate helpful / correct posts
0 Helpful

Freerk Terpstra
Level 7
Level 7
In response to Ric Beeching

ā€Ž04-18-2017 04:43 PM

Sadly the documentation regarding P2P blocking with local switching (FlexConnect) is incomplete if you ask me.

What really happens when you enable this feature is that "bridge-group x port-protected" is being enabled on the dot11 radio (sub) interfaces. This feature should* prevent traffic between two wireless connected end-points on the same access-point. There is no "distribution system" by which the other access-points are being informed about other guest clients. This means that you need to implement something like private VLANs on the wired side as well.

*: does not seem to work with latest 8.3 AirOS code, even if both clients are connected on the same radio of the access-point.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card