IdentiFi; Is there a way to Block MU to MU traffic with B@AP in the same Virtual Network or Wlan Services?

  • Updated 1 year ago

We are installing a new IdentiFi installation for a customer with several locations (+/- 200).

The WLANs at the remote locations are going to be used by employees and customers. Because of the expensive WAN connections we want the customers to use the internet connections at the remote site, so we configure B@AP. And we also want to block the customer mobile unit to mobile unit traffic.

Is there a way to block MU to MU traffic at the AP?


Thank you for your help

Rien van Maurik


Posted 3 years ago


Gareth Mitchell, Extreme Escalation Support Engineer

Hi Rien

You can create a rule in the applied role to block traffic to all hosts in the local subnet, make this rule the first in the rule list and permit (or deny) other required traffic types.

See this article: https://gtacknowledge.extremenetworks.com/articles/Solution/Block-MU-to-MU-enabled-but-users-can-still-communicate

Best regards

-Gareth

Hartmut Sachse

Hello Gareth,

could you please post an example of this solution? I tried to configure it, but after adding the second rule to deny MU-to-MU traffic, communication to the internet stopped working, too.

Could you post a screenshot for this or a comparable example: client subnet 192.168.100.0/24 and gateway 192.168.100.254?


Best Regards
Hartmut

Brian Anderson

Is your DNS server in the same IP range as your clients?  The deny might have blocked DNS traffic.  I usually allow DNS, DHCP server and client ports first, then start blocking local subnets in the rule sequence.
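As an added illustration (not from the original thread and not the controller's own rule engine), the following Python models the first-match rule list implied by the two replies above: a rule placed first decides before anything below it is consulted. It uses the constructed example subnet 192.168.100.0/24, with a DNS server assumed at 192.168.100.10 inside that subnet and another at 10.20.0.53 outside it; the addresses, ports and the reduced set of match fields (destination, protocol, destination port) are assumptions for the example, and a real IdentiFi role rule carries further fields that are not modelled here. The example also generalizes slightly: it shows what happens when the local-subnet deny is placed after a catch-all allow, which is the case where it is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One entry of a role rule list. A field left as None matches anything."""
    action: str                                 # "allow" or "deny"
    dst: Optional[ipaddress.IPv4Network] = None # destination network
    proto: Optional[str] = None                 # "udp" / "tcp"
    dport: Optional[int] = None                 # destination port


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose fields all match decides,
    later rules are never consulted. Unmatched traffic gets the default."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return default


# Constructed example subnet from the thread; the DNS server addresses below are assumptions.
CLIENT_NET = ipaddress.ip_network("192.168.100.0/24")

# Minimal form: deny the local subnet first, then allow everything else.
POLICY_DENY_LOCAL_FIRST = [
    Rule("deny", CLIENT_NET),
    Rule("allow"),
]

# Same deny, but DHCP (67/68) and DNS (53) allowed ahead of it, as Brian suggests.
POLICY_SERVICES_FIRST = [
    Rule("allow", proto="udp", dport=67),
    Rule("allow", proto="udp", dport=68),
    Rule("allow", proto="udp", dport=53),
    Rule("allow", proto="tcp", dport=53),
    Rule("deny", CLIENT_NET),
    Rule("allow"),
]

# Deny placed after a catch-all allow: the catch-all matches first, so the deny is dead.
POLICY_DENY_LOCAL_LAST = [
    Rule("allow"),
    Rule("deny", CLIENT_NET),
]

# Constructed sample traffic from a client in 192.168.100.0/24.
SAMPLE_TRAFFIC = {
    "peer_http":  Packet("192.168.100.20", "tcp", 80),   # MU to MU
    "internet":   Packet("203.0.113.10", "tcp", 443),    # off-site web
    "dns_local":  Packet("192.168.100.10", "udp", 53),   # DNS server inside client subnet
    "dns_remote": Packet("10.20.0.53", "udp", 53),       # DNS server in another subnet
    "dhcp":       Packet("255.255.255.255", "udp", 67),  # DHCP discover broadcast
}


def verdicts(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against one rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, policy in (("deny local first", POLICY_DENY_LOCAL_FIRST),
                          ("services first", POLICY_SERVICES_FIRST),
                          ("deny local last", POLICY_DENY_LOCAL_LAST)):
        print(label, verdicts(policy))
```

With the deny-first list, peer traffic and a DNS server sitting inside the client subnet are both blocked, which is the symptom of losing internet access described above when the resolver happens to be local; with DHCP and DNS allowed ahead of the deny, only the MU-to-MU traffic is dropped. With the deny at the bottom, nothing is blocked at all.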

Hartmut Sachse

The DNS is in another subnet. But you are right, I should add DNS and DHCP, too.

Gareth Mitchell, Extreme Escalation Support Engineer

Hi Hartmut

Sure, in its simplest form, here is my lab rule:



I know the article says to allow to the subnets default gateway but I don't see a reason to do that, generally traffic is passing through the default gateway, not directly to it.

I just tested the above in my lab and it works.

-Gareth

Hartmut Sachse

Thanks for both answers, I will test Gareth's policy, too. Now I have successfully tested a policy with more rules, only allowing specific services.

Rien Maurik

Hello Gareth

Thank You

We are going to test this solution.

greetings Rien


Philipp Tittmann

Hello,

can anyone confirm the rules? I actually tried it with code version 10.31 and it doesn't work for me. If I apply the rule at the top, no client can even connect; if I apply it at the bottom, MU to MU traffic is still working. I also applied rules for DHCP and DNS.

Philipp