Block MU to MU traffic AP filter rule

  • Question
  • Updated 3 years ago
  • Answered
I know you can Block MU to MU traffic if you route wireless traffic through the controller.

If you use the "Bridge @ AP" topology can you Block MU to MU traffic via Access Point filter rules?

Frank

Posted 4 years ago


John Kaftan

Even if you are doing B@HWC you can only block MU to MU traffic for end systems on the same controller. We have multiple controllers and end systems can talk to other end systems on the other controller if block MU to MU is on. To accomplish what you are trying to do you can create a rule that denies traffic to the subnet the end systems are on. This will work, I've tried it. They won't be able to ping their gateway but they will be able to traverse the gateway because the gateway is never the destination. These days end systems don't really have to talk to each other directly. If that is true for your network you'll be fine. If not you can make exceptions.

Frank

We only have one controller (C4110). Currently we do have a student vlan which is B@HWC and the option "Block MU to MU traffic" ticked, but would like to have it set at B@AP and use AP filtering rules to achieve the same effect if that is possible.

Hartmut Sachse

Hello Frank,

referring to the 8.32.x/9.x user guide, to my understanding the "Block MU to MU traffic" option applied in the advanced configuration of the WLAN service is usable for both B@HWC and B@AP. The blocking mechanism is based on layer 2 (MAC address table of wireless clients successfully authenticated on the same SSID; client traffic between clients on the same SSID is blocked).

Policies are typically applied at the layer 3 level (the controller supports L2, too). "User Guide, V9.01" page 5-7 includes an example of L3 policies/rules to limit client communication applied at B@HWC level. I think it's still possible to apply the same rule at AP level. In the user guide on page 5-9 you can find an explanation of "AP rules/AP filtering" and its limitations.

I agree with John, there are limitations in multiple controller setups, but this does not seem relevant to your use case.


Best regards
Hartmut



Renato Lopes

Hartmut Sachse, can you send me your user guide?

Gareth Mitchell, Extreme Escalation Support Engineer

Hi Renato

Product documentation is available for download here http://www.extremenetworks.com/support/documentation

You will need an extranet account to download the documentation.

Regards

-Gareth

Renato Lopes

I managed to apply rules for traffic entering the network (into the AP through the Wi-Fi), based on the destination MAC. However, I could not apply the rules for traffic leaving the AP, analyzing the source MAC.
Can it apply rules in the AP based on source MAC for the traffic coming out of the AP?

Thank you for your attention
Renato Lopes

Gareth Mitchell, Extreme Escalation Support Engineer

Hi Renato

Regarding the direction option in the rule; "in" refers to traffic from a wireless client to the AP, "out" refers to traffic destined to the wireless client from the AP.

You can set the mac address as a source or destination according to your requirements within the direction pull-down.

-Gareth
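
The following is an added illustration, not code from any poster or from the vendor's documentation: a small model of the subnet-deny rule John Kaftan describes, with an exception placed ahead of it, and of the "in"/"out" direction Gareth Mitchell explains. The addresses, the first-match/default-allow evaluation order, and the names `Rule`, `evaluate` and `verdicts` are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in": wireless client -> AP, "out": AP -> wireless client
    dst: str        # destination network (CIDR)

def evaluate(rules, direction, dst_ip, default="allow"):
    """First matching rule wins (assumed semantics); otherwise the default applies."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.direction == direction and addr in ipaddress.ip_network(rule.dst):
            return rule.action
    return default

# Constructed addressing for a student VLAN (not from the thread).
CLIENT_SUBNET = "10.20.0.0/24"
GATEWAY, PRINTER, PEER = "10.20.0.1", "10.20.0.5", "10.20.0.22"
REMOTE_HOST = "198.51.100.7"   # off-subnet, reached through the gateway

RULES = [
    Rule("allow", "in", PRINTER + "/32"),  # exception placed before the deny
    Rule("deny", "in", CLIENT_SUBNET),     # block client -> anything on its own subnet
]

def verdicts(rules=RULES):
    """Verdicts for packets a wireless client sends ("in"), keyed by destination role."""
    cases = {"peer": PEER, "gateway": GATEWAY, "printer": PRINTER, "remote": REMOTE_HOST}
    return {name: evaluate(rules, "in", dst) for name, dst in cases.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"client -> {name:8} {verdict}")
    # Return traffic toward a client is direction "out", so the "in" deny does not hit it.
    print("remote -> client", evaluate(RULES, "out", "10.20.0.15"))
```

The gateway is denied only when it is the IP destination (a ping); routed packets carry the remote host's address as destination and pass. Writing the same subnet deny with direction "out" would instead drop return traffic addressed to the clients.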