Block P2P traffic on Cisco 5508 Controller
Is it possible to block outside P2P traffic on a guest wireless network using an ACL on the controller? I know we can do it on our firewall, but the question came up so I thought I would post and see what everyone thinks. TIA
Yes, ACLs can be applied to the WLC. I might suggest moving the ACL to the closest point, the FW, if you are concerned about Internet traffic.
ACLs on Wireless LAN Controllers: Rules, Limitations, and Examples
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807ce372.shtml
Similar Messages
-
How to block P2P traffic of clients connected to the same SSID on different WLCs
Hi all,
I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
===
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
===
Does anybody know what's the best practice to prevent this inter-WLC client traffic? I already read about using ACLs on the WLC dynamic interfaces, or private VLANs on the L2 switch VLANs where the dynamic interfaces are connected. Is it allowed to completely isolate the WLCs from each other on these dynamic interfaces with ACLs or private VLANs, or do the WLCs need to see each other on these interfaces (e.g. heartbeat)?
Many thanks in advance,
Thorsten
Hi Sasha, Thorsten,
The bug is junked, and I believe it is what you are running into with your tests:
CSCtr60787 WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
To answer your original query :
An ACL is the only solution to block client communication on the same SSID between 2 WLCs. The 5508 works better with ACLs than the 44xx platform.
ARP requests will be forwarded to the upstream router just like any other traffic. The WLC won't proxy ARP for clients on the same VLAN.
Gateway ARPs I believe should be handled by the WLC (don't quote me on this, but I am pretty sure it is). If it was not, then how would the client know about the GW?
Multicast traffic is not applicable for p2p.
Your ACL can be as simple as this for the scenario :
WLC 1 - clientvlan = 10
WLC 2 - clientvlan = 10
and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
Basically, in that case the ACL should look like this on both WLCs:
1. Permit statement to talk to gateway.
2. Deny to subnet.
3. Permit all.
4. If DHCP/DNS other services are on same subnet then you would need to add a permit
statement before the deny.
5. Attach the ACL to the SSID or dynamic interface.
Thanks, Salil
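The ordering in the reply above matters because a WLC ACL is evaluated top to bottom, first match wins, and anything unmatched hits the implicit deny. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator that builds the five-step rule list for a constructed subnet (10.10.10.0/24, gateway 10.10.10.1, a DNS server at 10.10.10.5; none of these addresses come from the post) and shows what happens when the subnet deny is placed before the DNS permit. Rule syntax and the stateless two-direction handling are this example's own simplifications, not the controller's CLI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL line: evaluated top to bottom, first match wins."""
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    proto: str = "any"           # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: Sequence[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny'; no match falls through to the WLC's implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def isolation_acl(subnet: str, gateway: str,
                  local_services: Sequence[Tuple[str, str, int]] = ()) -> List[Rule]:
    """Build the rule order from the reply: gateway permit, permits for any
    DHCP/DNS hosts that live on the same subnet, then the subnet deny, then permit all.

    local_services: (host, proto, port) tuples, e.g. ("10.10.10.5", "udp", 53).
    Both directions are written out because WLC ACLs are stateless."""
    acl: List[Rule] = []
    # 1. permit client <-> gateway
    acl.append(Rule("permit", subnet, f"{gateway}/32"))
    acl.append(Rule("permit", f"{gateway}/32", subnet))
    # 4. services on the same subnet must be permitted BEFORE the deny
    for host, proto, port in local_services:
        acl.append(Rule("permit", subnet, f"{host}/32", proto, port))
        acl.append(Rule("permit", f"{host}/32", subnet, proto))
    # 2. deny client <-> client within the subnet
    acl.append(Rule("deny", subnet, subnet))
    # 3. permit everything else (off-subnet) so the implicit deny never fires
    acl.append(Rule("permit", "0.0.0.0/0", "0.0.0.0/0"))
    return acl


def misordered_acl(subnet: str, gateway: str, dns_host: str) -> List[Rule]:
    """The mistake step 4 warns about: subnet deny placed before the DNS permit."""
    return [
        Rule("permit", subnet, f"{gateway}/32"),
        Rule("deny", subnet, subnet),
        Rule("permit", subnet, f"{dns_host}/32", "udp", 53),  # never reached
        Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
    ]


if __name__ == "__main__":
    # Constructed sample values (not from the thread): clients on one /24
    acl = isolation_acl("10.10.10.0/24", "10.10.10.1", [("10.10.10.5", "udp", 53)])
    for pkt in [Packet("10.10.10.20", "10.10.10.21", "tcp", 445),
                Packet("10.10.10.20", "10.10.10.1", "icmp"),
                Packet("10.10.10.20", "10.10.10.5", "udp", 53),
                Packet("10.10.10.20", "8.8.8.8", "udp", 53)]:
        print(pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

The misordered list still permits Internet DNS (it falls through to the final permit) but silently breaks DNS to the on-subnet server, which is the symptom to look for when clients get addresses but cannot resolve names after the ACL is attached.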
-
I have a Cisco 5508 controller in our high school. I changed the password for one of our WLANs yesterday (WLANs > WLANs > WLAN in question (in my case OBSD-Internal) > Security > Layer 2). For some reason it reverted back to the previous password (this was confirmed by a client attempting to connect). What could possibly cause this?
Hi Sean,
Maybe you did not save the config on the WLC (after changing the password).
Regards
-
Cisco 5508 Controller 5GHz band selection
hi,
Today I installed one Cisco 5508 Controller with 1262 APs, only with 5 GHz antennas. All radios came up except the 5 GHz band; I tried my level best to get it up. Can anybody tell me if there is anything we really need to inspect to enable the 5 GHz band?
Anvar
Hi Nicolas,
please find below answers, and attached snapshot
1) what is your AP exact model ? -A ? -E ?
Ans:- AP Model No - AIR-LAP1262N-A-K9
2) What country did you configure your WLC for ?
Ans:- Saudi Arabia
3) did you enable 802.11a network on the "wireless" tab ?
Ans:- Yes
4) if you go to the AP radio list on the WLC, what does it say for your AP ? up ? down ?
Ans:- 802.11a/n Radios DOWN
802.11 b/g/n Radios UP
Thanks,
Anvar
-
Hello,
I have tried the below configuration to block P2P traffic, but still the users can download using the uTorrent client. How do I effectively block all P2P traffic? Please help.
Class Map
class-map type inspect match-any ALL-P2P-PROTOCOLS
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
!
class-map type inspect match-all P2P-PROTOCOL
 match class-map ALL-P2P-PROTOCOLS
 match access-group name INTERNET-ACL
!
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
Policy Map
policy-map type inspect http HTTP-PORT-MISUSE-POLICY
 class type inspect http HTTP-PORT-MISUSE
  reset
  log
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect P2P-PROTOCOL
  drop log
 class class-default
  drop log
 class type inspect HTTP-ACCESS
  inspect
  service-policy http HTTP-PORT-MISUSE-POLICY
Also I am attaching the logs and 'show policy-map type inspect zone-pair IN-TO-OUT' output.
Please help me out.
Regards,
Tony
Hello Tony,
Okay. I have seen in the last couple of days that, because of how these protocols are being tunneled or jumping from one port to another, etc., it's pretty difficult to block them with ZBFW.
So instead of doing that I would like to check if we can block it with NBAR. Can we give it a try? If yes, here is how:
class-map match-any p2p
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol skype
 match protocol cuseeme
 match protocol novadigm
 match protocol ssh
 match protocol irc
!
policy-map P2P-DROP
 class p2p
  drop
Apply the policy to the user-facing (incoming) interface:
int xxxxx
 service-policy input P2P-DROP
You can verify the status by doing:
sh policy-map int xxx
sh ip nbar protocol-discovery
Let me know the result.
Remember to rate all of the helpful posts.
-
Redirect to web authentication not working on Cisco 5508 Wireless Controller
Hi,
I have a wlan with web authentication:
http://i55.tinypic.com/w145zk.png
and
http://i51.tinypic.com/344sfm0.png
When I connect to the SSID (I get correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
The virtual interface is 1.1.1.1.
Here is a screenshot of interface and internal dhcp:
http://i52.tinypic.com/2vkm1d2.png
Any idea why clients are not redirecting?
Thanks!
Thanks for the reply dmantil!
When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com; I get redirected only if I use the IP.
I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.
-
Block P2P software using ASA-AIP-SSM-20 module
Hello,
I have got a question about blocking P2P traffic on ASA AIP module. I have searched the forums and all I could find were solutions using regex, port block, MPF, but no AIP implementation example.
Could anyone point me in the right direction please ?
Many thanks,
Martin
Hello Paps,
Many thanks for your reply. I was searching the web like crazy for some solutions using IPS and it never occurred to me that I could simply look for the signature files on the Cisco website.
Thank you very much again
With regards,
Martin
-
Hi,
Can anyone suggest how can I effectively block p2p traffic like Ares, Limewire or other with Cisco IOS 12.4(6) or higher? I tried NBAR but I guess there is no PDLM available for Ares for instance.
Many thanks for any suggestions.
Remi
Hi,
To block P2P traffic you need to block all ports except those you really need.
For example, block all ports except HTTP, HTTPS, SMTP, POP3 and DNS.
Because some P2P applications use port 80 to connect, there are options in the firewall (classic or Zone-Based Policy Firewall) called protocol-violation and port-misuse.
These options prevent non-HTTP traffic over port 80.
For the Zone-Based Firewall, refer to this link:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
-
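The two replies above (NBAR protocol matching in the uTorrent thread, and the port allow-list plus port-misuse check here) rest on the same idea: a port number says nothing about what is on the wire, so the payload has to be looked at. The following is an added example, not code from either reply or from Cisco IOS: a port-only decision beside an inspecting one, run over a few constructed flows. The BitTorrent and Gnutella prefixes are the protocols' own handshake constants; the allow-list is the one suggested above; everything else (function names, the sample bytes) is this example's own.

```python
import re
from typing import List, Optional, Tuple

# Allow-list from the reply above (HTTP, HTTPS, SMTP, POP3, DNS); everything else is denied.
ALLOWED_PORTS = {80: "http", 443: "https", 25: "smtp", 110: "pop3", 53: "dns"}

# A genuine HTTP request starts with a request line such as "GET /path HTTP/1.1\r\n".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n")

# Handshake prefixes defined by the protocols themselves (not assumptions):
# BitTorrent peer wire: 0x13 followed by "BitTorrent protocol";
# Gnutella 0.6: "GNUTELLA CONNECT/0.6\r\n".
SIGNATURES = {
    "bittorrent": b"\x13BitTorrent protocol",
    "gnutella": b"GNUTELLA CONNECT/",
}


def p2p_signature(payload: bytes) -> Optional[str]:
    for name, prefix in SIGNATURES.items():
        if payload.startswith(prefix):
            return name
    return None


def port_only_decision(dport: int) -> str:
    """Plain port allow-list, the first half of the advice above."""
    return "permit" if dport in ALLOWED_PORTS else "deny"


def inspect_decision(dport: int, payload: bytes) -> Tuple[str, str]:
    """Port allow-list plus application-layer checks (the port-misuse idea)."""
    if dport not in ALLOWED_PORTS:
        return "deny", "port not in allow-list"
    sig = p2p_signature(payload)
    if sig is not None:
        return "deny", f"{sig} handshake on port {dport}"
    if dport == 80 and not HTTP_REQUEST_LINE.match(payload):
        return "deny", "port-misuse: non-HTTP payload on port 80"
    return "permit", ALLOWED_PORTS[dport]


# Constructed sample flows (destination port, first client-to-server bytes).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"B" * 20),
    (6881, b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"B" * 20),
    (80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire\r\n\r\n"),
    (80, b"\x00\x00\x00\x2a\x01custom-tunnel"),
]


def compare(flows=SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    """(port-only verdict, inspected verdict) for each flow."""
    return [(port_only_decision(p), inspect_decision(p, d)[0]) for p, d in flows]


if __name__ == "__main__":
    for (port, data), (plain, inspected) in zip(SAMPLE_FLOWS, compare()):
        print(f"port {port:5d}  port-only={plain:6s}  inspected={inspected}")
```

Three of the five flows pass a port-only filter and are caught only by inspection. The limit is the one the uTorrent reply ran into: a client that wraps its traffic in TLS on 443, or obfuscates its handshake, shows no recognisable prefix, so this check (like NBAR's) only catches the protocols whose signatures it knows.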
I have a Cisco 5508 controller (version 6.0.199.4) that, when I enable global multicast mode, will work for an hour or two and then kill the network. All Internet, both wired and wireless, access to servers, everything dead. I then have to directly connect to the service port and disable global multicast mode. The two reasons for enabling it are Docs2Go and LanSchool, which both require multicast to be enabled. I have it enabled on our wired network and it works OK there. I am probably just missing something stupid. Any thoughts or suggestions would be greatly appreciated.
On the Controller tab.
so if you're not setting a multicast address, then you are running in Unicast mode.
Multicast - Unicast - This is the easiest method to use. When the WLC receives a multicast packet, it replays that packet to every AP that is connected. Now this does work, but can be very network intense, as every AP gets the stream. So if you have 100 APs, there are 100 streams; 300 APs, 300 streams.
Multicast - Multicast - This is the better method to use. With this method, the AP will join a multicast group that you configure, preferably in the 239.x.x.x administratively scoped space. Now when the WLC gets a multicast packet, it replays it once to the group.
Now, the WLC side is easy. Select Multicast - Multicast and configure your group; each WLC in your mobility group should use a unique address. For the WLC you are done.
HTH,
Steve
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
-
Blocking p2p application traffic and tunneling
I need help ........
We have taken two ASAs with AIP cards and have configured Active/Active, but users are using P2P and tunneling software. How can we block P2P and tunneling traffic?
Please, anyone reply to me.
Regards
If you are using Firewall software 12.4(9)T and above, it has integrated policies to block or rate-limit P2P application traffic using dynamically updateable application
definitions for newer p2p applications. KaZaA, Gnutella, BitTorrent, and eDonkey are currently supported.
You may also see this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml
-
Cisco 5508 Wireless Controller in HA mode
Hello,
is there a support of 1+1 mode (HA mode) at 5508 Controller?
If yes Is there a HA bundle or do we have to order two identical 5508 controller ?
Thanks for response.
Richard
Hello Richard,
FYI, WLC 7.3 has been released that includes HA features. Following are the links for your reference,
https://supportforums.cisco.com/docs/DOC-26827
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/qa_c67-714540.html
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml#req
-
VLAN assignment without ACS on Cisco Wireless Controller 5508
I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead? Is there a manual or article that someone can point me in the right direction?
Thank you!
Any RADIUS server will allow you to do dynamic VLAN assignment if you configure the right RADIUS attributes (64, 65 and 81 that Steve mentioned above).
This doc shows example of dynamic vlan assignment with WLC and ACS.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Same config on WLC is needed. However, on the RADIUS you need to configure the same attributes on the NPS instead.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
-
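Attributes 64, 65 and 81 in the answer above are Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868), and the controller acts on them only when all three are present with the right values. The following is an added example, not code from the thread, from Cisco or from NPS: it encodes the three attributes exactly as they sit in an Access-Accept, then decodes them the way a controller-side check would, so a missing or wrongly valued attribute can be spotted in a capture. The attribute numbers and the values 13 (VLAN) and 6 (IEEE-802) are the RFC's; the function names and the sample VLAN values are this example's own.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS attribute numbers from RFC 2868 (the 64/65/81 named in the reply above)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Values the WLC expects: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr: int, value: bytes) -> bytes:
    """Type (1 octet) + Length (1 octet, counting Type and Length too) + Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr, len(value) + 2) + value


def tunnel_integer(attr: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer (RFC 2868): one tag octet followed by a 24-bit value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    return _avp(attr, bytes([tag]) + value.to_bytes(3, "big"))


def tunnel_string(attr: int, value: str, tag: int = 0) -> bytes:
    """Tagged string: the tag octet is present only when a tag (1..31) is used,
    which is how Tunnel-Private-Group-ID = "10" is normally sent untagged."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    return _avp(attr, (bytes([tag]) if tag else b"") + value.encode())


def build_vlan_assignment(vlan: str, tag: int = 0) -> bytes:
    """The three attributes an Access-Accept must carry for dynamic VLAN assignment."""
    return (tunnel_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tunnel_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tunnel_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of attributes into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        out.append((attr, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_access_accept(data: bytes) -> Optional[str]:
    """Return the VLAN id/name a controller would apply, or None when any of the
    three attributes is missing or carries the wrong value (the usual reason the
    client silently lands on the WLAN's default interface instead)."""
    ttype = medium = group = None
    for attr, value in parse_avps(data):
        if attr == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # a leading octet <= 0x1F is a tag; anything else is part of the string
            group = (value[1:] if value[0] <= 0x1F else value).decode()
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 and group:
        return group
    return None


if __name__ == "__main__":
    accept = build_vlan_assignment("10")          # constructed sample VLAN
    print(accept.hex())                           # raw bytes as seen in a capture
    print(vlan_from_access_accept(accept))        # "10"
    print(vlan_from_access_accept(accept[:12]))   # None: group id missing
```

On a 5508 the Tunnel-Private-Group-ID may carry either a VLAN number or the name of a dynamic interface on the controller; the decoder above returns the string unchanged and leaves that mapping to the controller.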
Cisco 5508 Wireless Controller with Splash Page Disclaimer
How do one configure a splash disclaimer page on a Cisco Wireless Controller 5508 with no authentication?
Jimmy
There are many options available to you in this scenario, but if you're looking to simply provide a splash page via the WLC without interacting with any other web servers, you can configure Local Web Authentication (LWA) as seen in this configuration example.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
If you are not wanting the authentication, you can choose the "passthrough" method which will not require any credentials, only accepting an AUP or whatever you want.
-
Cisco RV042 Firewall Blocking LAN Traffic
Hello Everyone,
I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces. Connected to the SG-300 are a couple of servers running ESXi. Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped. I have concluded that the firewall seems to be the culprit in blocking my traffic. If I turn the firewall off, everything acts as expected. There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections. To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).
Regardless, here's how my rules currently stand below. I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule. I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible. I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running. Thanks in advance.
Priority | Enable | Action | Service         | Source Interface | Source                    | Destination               | Time   | Day | Delete
123      |        | Allow  | All Traffic [1] | LAN              | 10.10.21.1 ~ 10.10.21.31  | 10.10.10.10 ~ 10.10.10.10 | Always |     |
123      |        | Allow  | All Traffic [1] | LAN              | 10.10.10.10 ~ 10.10.10.10 | 10.10.21.1 ~ 10.10.21.31  | Always |     |
123      |        | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always |     |
         |        | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always |     |
         |        | Deny   | All Traffic [1] | WAN1             | Any                       | Any                       | Always |     |
         |        | Deny   | All Traffic [1] | WAN2             | Any                       | Any                       | Always |     |
I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042. Maybe there's a more efficient way of doing this?
Below is a scrubbed copy of my switch configuration.
config-file-header
SWITCH01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
vlan database
vlan 2
exit
no bonjour enable
hostname SWITCH01
no logging console
ip ssh server
ip ssh password-auth
clock timezone CEST +1
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
interface vlan 2
name VIRTUAL-MANAGEMENT
ip address 10.10.21.1 255.255.255.224
interface gigabitethernet1
description ESXI01:VMNIC0:MGMT
switchport trunk allowed vlan add 2
interface gigabitethernet20
description UPLINK
exit
ip route 0.0.0.0 /0 10.10.10.1 metric 15
The routes I have defined are:
Destination IP | Subnet Mask     | Default Gateway | Hop Count | Interface
10.10.21.0     | 255.255.255.224 | 10.10.10.2      | 1         | eth0
10.10.10.0     | 255.255.255.0   |                 | 0         | eth0
               | 255.255.252.0   |                 | 0         | eth1
239.0.0.0      | 255.0.0.0       |                 | 0         | eth0
default        | 0.0.0.0         |                 | 40        | eth1
Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later. When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection. Maybe I have a misconfiguration somewhere that is causing some issues? I appreciate the help.
-
Hello,
I am trying to get this OfficeExtend working.
I connected the AP, checked the H-REAP box and then OfficeExtend, and gave it a public IP. This public IP is NAT'd to the DMZ controller on the firewall. (The DMZ controller is a 5508 running code 6.0.199.4.)
I have connected this OfficeExtend 1132 AP to a broadband connection and it gets an IP of 192.168.1.23 on its fa0 interface. All good till now.
When I console onto the OfficeExtend 1132 AP, I get an error message: could not resolve Cisco-LWAPP-Controller.abc.uk ... domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk ... I think it needs DNS set to the public IP on the local ADSL box, is it?
If this is the case, I am not sure if I can do this as this is controlled by the ISP.
I have added this now Scott on the management interface, but still can't get the AP to join the controller. This AP is connected to a broadband wireless router connected back to an ADSL router that has the DNS settings.
(Also I can't see any traffic hitting ports 5246 and 5247 on the firewall, so I think this AP is not trying to go out.)
it comes up with
CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Translating "CISCO-CAPWAP-CONTROLLER.Abc.uk"...domain server (192.168.1.254)
*Apr 8 16:25:39.983: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
Translating "CISCO-LWAPP-CONTROLLER.Abc"...domain server (192.168.1.254)
*Apr 8 16:25:42.095: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Abc.uk
config on AP
service password-encryption
hostname AP6400.f14d.b6ba
logging rate-limit console 9
enable secret 5 $1$ACEH$BuOIS/RYEP5ZXvWxbyCFS/
aaa new-model
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
aaa session-id common
eap profile lwapp_eap_profile
method fast
crypto pki trustpoint Cisco_IOS_MIC_cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint cisco-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-device-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-new-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-old-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
username Cisco secret 5 $1$2zkE$CaKkr5zDUWwltKRFvrIto0
ip ssh version 2
interface Dot11Radio0
no ip route-cache
mbssid
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power client local
packet retries 64 drop-packet
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip route-cache
mbssid
power client local
packet retries 64 drop-packet
interface Dot11Radio1.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
ip address dhcp client-id FastEthernet0
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
no ip http server
logging trap errors
logging origin-id string AP:6400.f14d.b6ba
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
no authentication eapfast
no authentication leap
no authentication mac
nas 66.11.22.33 key 7 111D110C041B18030A2632253C363832
group hreap
control-plane
line con 0
line vty 0 4
transport input none
line vty 5 15
transport input none
end