Re: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers
Thanks for the details, Matthew. Did you find these software-based ACLs impact performance at all? What kind of scale of traffic are you seeing at peak?

On 8 July 2015 at 14:25, Matthew Newton wrote:

> On Wed, Jul 08, 2015 at 12:00:27PM +0100, Oliver Elliott wrote:
> > We have a Cisco WiSM2 based wireless system here in Bristol which is
> > steadily growing. Cisco offer a feature on their controllers called "Peer
> > to Peer Blocking", which serves to prevent clients talking to each other.
> >
> > Has anyone else run into this problem and discovered an elegant solution
> > for it?
>
> Not sure "elegant", but we have a standard ACL on our WLAN which
> blocks traffic between client networks. Given (example) client networks
> 10.1.1.0/24 and 10.1.2.0/24, the ACL looks something like the
> following. Essentially it does
>
> - allow incoming client traffic to lower part of ranges
>   (gateway, dhcp server, etc, no clients here)
> - block incoming any traffic to each client pool range
> - allow incoming any other traffic (e.g. to Internet/campus)
> - allow outgoing anything (i.e. to the clients)
>
> Seems to work; we've had this in place for many years now.
>
> And yes, I absolutely hate Cisco WLC ACLs. Apart from a CPU ACL
> this is about the only one on the controllers, and I avoid
> touching them at all costs. Why they can't do ACLs like on IOS I
> have no idea (I know where AireOS came from, but they've had,
> what, 10 years to fix this total dog's dinner).
>
> Cheers,
>
> Matthew
>
>
> config acl delete eduroamblock
> config acl create eduroamblock
>
> ! allow from wireless subnet to 10.1.1.0/30 gateway, DNS server etc
> config acl rule add eduroamblock 1
> config acl rule source address eduroamblock 1 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 1 10.1.1.0 255.255.255.252
> config acl rule direction eduroamblock 1 in
> config acl rule action eduroamblock 1 permit
> show acl detailed eduroamblock
>
> ! allow from wireless subnet to 10.1.2.0/30 gateway, DNS server etc
> config acl rule add eduroamblock 2
> config acl rule source address eduroamblock 2 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 2 10.1.2.0 255.255.255.252
> config acl rule direction eduroamblock 2 in
> config acl rule action eduroamblock 2 permit
>
> ! ... repeat for other client ranges in the wlan
>
> ! deny from wireless subnet to other wireless subnet addresses
> config acl rule add eduroamblock 7
> config acl rule source address eduroamblock 7 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 7 10.1.1.0 255.255.252.0
> config acl rule direction eduroamblock 7 in
> config acl rule action eduroamblock 7 deny
>
> ! deny from wireless subnet to other wireless subnet addresses
> config acl rule add eduroamblock 8
> config acl rule source address eduroamblock 8 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 8 10.1.2.0 255.255.252.0
> config acl rule direction eduroamblock 8 in
> config acl rule action eduroamblock 8 deny
>
> ! ... repeat again
>
> ! allow from wireless subnet to anywhere
> config acl rule add eduroamblock 13
> config acl rule source address eduroamblock 13 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 13 0.0.0.0 0.0.0.0
> config acl rule direction eduroamblock 13 in
> config acl rule action eduroamblock 13 permit
>
> ! allow from anywhere to wireless subnet
> config acl rule add eduroamblock 14
> config acl rule source address eduroamblock 14 0.0.0.0 0.0.0.0
> config acl rule destination address eduroamblock 14 0.0.0.0 0.0.0.0
> config acl rule direction eduroamblock 14 out
> config acl rule action eduroamblock 14 permit
>
> config acl apply eduroamblock
>
> ! apply eduroamblock acl to eduroam interface
> config interface acl eduroam-if eduroamblock
>
>
> --
> Matthew Newton, Ph.D.
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253,

--
Oliver Elliott
Senior Network Specialist
IT Services
University of Bristol
e: oliver.elli...@bristol.ac.uk
t: 0117 39 (41131)

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers
On Wed, Jul 08, 2015 at 12:00:27PM +0100, Oliver Elliott wrote:
> We have a Cisco WiSM2 based wireless system here in Bristol which is
> steadily growing. Cisco offer a feature on their controllers called "Peer
> to Peer Blocking", which serves to prevent clients talking to each other.
>
> Has anyone else run into this problem and discovered an elegant solution
> for it?

Not sure "elegant", but we have a standard ACL on our WLAN which
blocks traffic between client networks. Given (example) client networks
10.1.1.0/24 and 10.1.2.0/24, the ACL looks something like the
following. Essentially it does

- allow incoming client traffic to lower part of ranges
  (gateway, dhcp server, etc, no clients here)
- block incoming any traffic to each client pool range
- allow incoming any other traffic (e.g. to Internet/campus)
- allow outgoing anything (i.e. to the clients)

Seems to work; we've had this in place for many years now.

And yes, I absolutely hate Cisco WLC ACLs. Apart from a CPU ACL
this is about the only one on the controllers, and I avoid
touching them at all costs. Why they can't do ACLs like on IOS I
have no idea (I know where AireOS came from, but they've had,
what, 10 years to fix this total dog's dinner).

Cheers,

Matthew


config acl delete eduroamblock
config acl create eduroamblock

! allow from wireless subnet to 10.1.1.0/30 gateway, DNS server etc
config acl rule add eduroamblock 1
config acl rule source address eduroamblock 1 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 1 10.1.1.0 255.255.255.252
config acl rule direction eduroamblock 1 in
config acl rule action eduroamblock 1 permit
show acl detailed eduroamblock

! allow from wireless subnet to 10.1.2.0/30 gateway, DNS server etc
config acl rule add eduroamblock 2
config acl rule source address eduroamblock 2 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 2 10.1.2.0 255.255.255.252
config acl rule direction eduroamblock 2 in
config acl rule action eduroamblock 2 permit

! ... repeat for other client ranges in the wlan

! deny from wireless subnet to other wireless subnet addresses
config acl rule add eduroamblock 7
config acl rule source address eduroamblock 7 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 7 10.1.1.0 255.255.252.0
config acl rule direction eduroamblock 7 in
config acl rule action eduroamblock 7 deny

! deny from wireless subnet to other wireless subnet addresses
config acl rule add eduroamblock 8
config acl rule source address eduroamblock 8 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 8 10.1.2.0 255.255.252.0
config acl rule direction eduroamblock 8 in
config acl rule action eduroamblock 8 deny

! ... repeat again

! allow from wireless subnet to anywhere
config acl rule add eduroamblock 13
config acl rule source address eduroamblock 13 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 13 0.0.0.0 0.0.0.0
config acl rule direction eduroamblock 13 in
config acl rule action eduroamblock 13 permit

! allow from anywhere to wireless subnet
config acl rule add eduroamblock 14
config acl rule source address eduroamblock 14 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 14 0.0.0.0 0.0.0.0
config acl rule direction eduroamblock 14 out
config acl rule action eduroamblock 14 permit

config acl apply eduroamblock

! apply eduroamblock acl to eduroam interface
config interface acl eduroam-if eduroamblock


--
Matthew Newton, Ph.D.

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,
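As an added illustration (not part of the list posting), a small Python model of how the controller's first-match ACL evaluates the rules in Matthew's message: it parses an excerpt of the "config acl rule" lines above (rules 1, 7 and 13, same ACL name and addresses as posted) and checks three constructed client flows. The sample client and Internet addresses are constructed; the implicit deny for unmatched packets is the AireOS ACL default.

```python
import ipaddress
# Constructed excerpt of the AireOS "config acl rule" lines from the post (rules 1, 7 and 13 only).
WLC_CONFIG = """\
config acl rule add eduroamblock 1
config acl rule source address eduroamblock 1 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 1 10.1.1.0 255.255.255.252
config acl rule direction eduroamblock 1 in
config acl rule action eduroamblock 1 permit
config acl rule add eduroamblock 7
config acl rule source address eduroamblock 7 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 7 10.1.1.0 255.255.252.0
config acl rule direction eduroamblock 7 in
config acl rule action eduroamblock 7 deny
config acl rule add eduroamblock 13
config acl rule source address eduroamblock 13 0.0.0.0 0.0.0.0
config acl rule destination address eduroamblock 13 0.0.0.0 0.0.0.0
config acl rule direction eduroamblock 13 in
config acl rule action eduroamblock 13 permit
"""

def parse_wlc_acl(text, acl_name):
    """Collect each rule's attributes for one ACL, ordered by rule number."""
    rules = {}
    for p in (line.split() for line in text.splitlines()):
        if p[:3] != ["config", "acl", "rule"]:
            continue
        if p[3] in ("source", "destination"):  # ... source|destination address <acl> <n> <ip> <mask>
            name, num, value = p[5], int(p[6]), ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
        else:                                  # ... add|direction|action <acl> <n> [value]
            name, num, value = p[4], int(p[5]), (p[6] if len(p) > 6 else None)
        if name == acl_name:
            rules.setdefault(num, {})[p[3]] = value
    return [rules[n] for n in sorted(rules)]

def evaluate(rules, src, dst, direction):
    """First match in rule-number order wins; a packet matching no rule is dropped (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["direction"] in (direction, "any") and src in r["source"] and dst in r["destination"]:
            return r["action"]
    return "deny"

def check_policy():
    rules = parse_wlc_acl(WLC_CONFIG, "eduroamblock")  # constructed client in pool 10.1.1.0/24
    return {
        "client_to_gateway": evaluate(rules, "10.1.1.57", "10.1.1.1", "in"),        # rule 1: permit
        "client_to_peer": evaluate(rules, "10.1.1.57", "10.1.2.200", "in"),         # rule 7: /22 covers both pools
        "client_to_internet": evaluate(rules, "10.1.1.57", "198.51.100.10", "in"),  # rule 13: permit
    }
```

Because the ACL is matched by address rather than by which controller the peer is associated to, the peer-to-peer deny holds across all controllers that apply it, which is the gap the single-controller "Peer to Peer Blocking" feature leaves open.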
Re: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers
It's not Cisco, but applying an ACL on the controller to block access to the local subnet might work:

https://community.extremenetworks.com/extreme/topics/block_mu_to_mu_traffic_ap_filter_rule

Sent from my Samsung device

Original message
From: Oliver Elliott
Date: 2015/07/08 19:00 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Peer-to-peer traffic blocking with multiple controllers

Hi all

We have a Cisco WiSM2 based wireless system here in Bristol which is steadily growing. Cisco offer a feature on their controllers called "Peer to Peer Blocking", which serves to prevent clients talking to each other. This works great if you only have a single controller; however, we have 4 pairs in HA, so a client can readily see clients that happen to be on a different controller.

The only solution to this that I can see is to use VACLs/Private VLANs on the host Cisco 6500s, but this may have a drastic CPU and/or performance impact on the router.

Has anyone else run into this problem and discovered an elegant solution for it?

Oli

--
Oliver Elliott
Senior Network Specialist
IT Services
University of Bristol
e: oliver.elli...@bristol.ac.uk
t: 0117 39 (41131)