Limited P2P communication and Broadcast Forwarding on WLC?


My question concerns a pair of WLC 4402 with software.

Actually, our security policy does not really allow any peer-to-peer communication in a wireless LAN. Therefore we set the 'P2P Blocking Action' to Drop and the 'Broadcast Forwarding' feature to disabled (the default).

But now there is a special requirement for two mobile endpoints to communicate with each other, because one device controls the other.

To test the communication, we first disabled P2P Blocking (without success) and then enabled Broadcast Forwarding to bring the communication up. Now it works, but the configuration disagrees with our policy.

Two questions:

1. Is there an alternative to the configuration described above, so that we do not violate the security policy?

To allow only the P2P connection between the two devices, it should also be possible to drop everything else with an ACL. But how do we fix the problem with the broadcast, which is needed for ARP? My idea was to use a static ARP entry, but as far as I know, one of the two devices is not capable of it.

2. Because I did not find any detailed documentation:

2a. With Broadcast Forwarding enabled, the controller forwards all broadcasts for any configured SSID, right?

2b. Is the broadcast limited to the source VLAN/SSID?

2c. Is the broadcast limited to an AP, to a WLC, or is it broadcast to every AP on every WLC that has the relevant SSID?

PS: we already have two new 5508s, but they are not in an operational state now, because we plan to implement new 3600 APs.

Do these WLCs offer other or additional possibilities?

Thanks in advance



You can use "Forward-Upstream" as the "P2P Blocking Action" rather than "Drop". This will forward the P2P traffic to the upper layer to decide where it should go. There, on the upper layer, you can use an ACL to drop traffic coming from VLAN X and going to the same VLAN. In the same ACL you can use a statement to permit the two specific clients that you want to communicate. You can also enable broadcast on the WLC and block it in the same ACL (I don't see this as a good idea because the WLC has to process all broadcast traffic although most of it will eventually be blocked).

Another alternative is to create an ACL on the WLC itself and apply it to the WLAN or to the interface on the WLC.

- With broadcast forwarding enabled, clients cannot send broadcast traffic on the same subnet.

- If a client sends a broadcast on a WLAN while broadcast forwarding is enabled (it also needs multicast to be enabled to work, AFAIK) and P2P traffic is not blocked, then all users on the same VLAN (including wired clients and other SSIDs on the same VLAN) will receive the broadcast.

P2P blocking is only limited to the same SSID on the same WLC.

If you have two WLCs broadcasting the same SSID, then P2P blocking does not work between them.

Client A on SSID X on WLC A

Client B on SSID X on WLC B

A and B will be able to communicate although SSID X on both WLCs is configured for P2P blocking.
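The two approaches in the answer above (Forward-Upstream plus an ACL on the upstream switch, or an ACL on the WLC itself) as a worked configuration. This is an added example, not configuration posted in the thread: the WLAN ID (2), the client VLAN (10), the subnet 10.1.10.0/24, the two client addresses 10.1.10.21 and 10.1.10.22 and the ACL names are all made up for illustration. The lines starting with `!` are annotations, not commands. Note that a router ACL on the VLAN SVI only sees routed traffic; intra-VLAN traffic that the controller forwards upstream is bridged, so on a Catalyst switch it has to be filtered with a VLAN access-map (VACL). Both ACLs here are IP-only; ARP is not covered by them.

```cisco
! ===== Option A: WLC forwards P2P traffic upstream, the switch filters it =====
! --- AireOS WLC CLI ---
config wlan disable 2
config wlan peer-blocking forward-upstream 2
config wlan enable 2
! If the pair really needs broadcast (ARP) between clients, broadcast forwarding
! on the controller is global; enable it and filter the rest on the switch:
config network broadcast enable
config network multicast global enable

! --- Upstream Catalyst switch (IOS), VLAN 10 carries the WLAN's client interface ---
! Allowed pair, both directions
ip access-list extended WLAN-PAIR
 permit ip host 10.1.10.21 host 10.1.10.22
 permit ip host 10.1.10.22 host 10.1.10.21
! Everything else that stays inside the client subnet
ip access-list extended WLAN-INTRA
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
! VACL: forward the pair, drop other intra-subnet traffic, forward the rest
! (traffic leaving the subnet, e.g. to the default gateway, still matches sequence 30)
vlan access-map WLAN-P2P 10
 match ip address WLAN-PAIR
 action forward
vlan access-map WLAN-P2P 20
 match ip address WLAN-INTRA
 action drop
vlan access-map WLAN-P2P 30
 action forward
vlan filter WLAN-P2P vlan-list 10

! ===== Option B: same policy as an ACL on the WLC, applied to the WLAN =====
! WLC ACLs end in an implicit deny, so rule 4 is required to keep the rest working.
config acl create P2P-PAIR
config acl rule add P2P-PAIR 1
config acl rule source address P2P-PAIR 1 10.1.10.21 255.255.255.255
config acl rule destination address P2P-PAIR 1 10.1.10.22 255.255.255.255
config acl rule direction P2P-PAIR 1 any
config acl rule action P2P-PAIR 1 permit
config acl rule add P2P-PAIR 2
config acl rule source address P2P-PAIR 2 10.1.10.22 255.255.255.255
config acl rule destination address P2P-PAIR 2 10.1.10.21 255.255.255.255
config acl rule direction P2P-PAIR 2 any
config acl rule action P2P-PAIR 2 permit
config acl rule add P2P-PAIR 3
config acl rule source address P2P-PAIR 3 10.1.10.0 255.255.255.0
config acl rule destination address P2P-PAIR 3 10.1.10.0 255.255.255.0
config acl rule direction P2P-PAIR 3 any
config acl rule action P2P-PAIR 3 deny
config acl rule add P2P-PAIR 4
config acl rule source address P2P-PAIR 4 0.0.0.0 0.0.0.0
config acl rule destination address P2P-PAIR 4 0.0.0.0 0.0.0.0
config acl rule direction P2P-PAIR 4 any
config acl rule action P2P-PAIR 4 permit
config acl apply P2P-PAIR
config wlan acl 2 P2P-PAIR
```

Rule order matters in both places: the explicit pair permits must sit before the intra-subnet deny, otherwise the deny matches first. After applying either option, verify from a third client on the same SSID that it can reach the gateway but not 10.1.10.21 or 10.1.10.22, and that the pair can still reach each other; with Forward-Upstream the controller's `show wlan 2` should report the peer-blocking action, and on the switch `show vlan access-map` and `show vlan filter` confirm the VACL is attached to VLAN 10.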



