Hi all,
We have been dropping BC/MC (broadcast-filter all), along with enabling 'broadcast-filter arp', in the VAP to preserve network performance and as far as I know have had no complaints. I now have a manager request to allow a very small subset of devices to do L2 discovery within the same SSID. These devices are Android, Windows and Apple.
Assuming I can identify all of the BC/MC traffic, can I go ahead and enable BC/MC in the VAP (no broadcast-filter all) and then essentially deny that same broadcast and multicast traffic with a series of policies (ACLs) instead? Is this "the same"?
I plan to nudge the targeted devices into a new role/VLAN using a RADIUS VSA. This role would not have the L2 ACLs. All other users on this SSID will get the default auth role, which has the L2 ACLs in place. Would doing this be functionally equivalent, aside from the broadcast traffic between the devices in the "allow L2" role, or would doing this pollute the air more? Is this a good way to isolate broadcast/multicast traffic to only this subset of devices, or will it cause BC/MC traffic to leak out for all?
We have about 20k users connected during peak times on a school day. School reconvenes next week. I know that enabling BC/MC globally is generally not a good idea with so many clients hunting for L2 peers.
Below is an example of the ACLs I would put in place to "hopefully" "re-block" L2 protocols after enabling BC/MC in the VAP.
ip access-list session deny_SSDP_and_UPnP_acl
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny
!
ip access-list session deny_mDNS_acl_alt
any host 224.0.0.251 udp 5353 deny log
!
ip access-list session deny_netbios_acl
any any udp 137 deny
any any udp 138 deny
!
We're running 6.1.3.2. As an aside, we just bought ClearPass and are exploring AirGroup but this is something folks want to do ASAP.
Any advice would be appreciated.
Thanks in advance,
Mike
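To reason about the role-based design in the question, here is an added example (not the poster's config and not ArubaOS code) that parses the three session ACLs exactly as written above and evaluates sample discovery packets against two roles: a hypothetical "default-auth" role carrying the ACLs and a hypothetical "allow-l2" role assigned via RADIUS VSA that carries none. It assumes simplified first-match semantics with an allow-all rule following the deny ACLs in the role.

```python
# Constructed copy of the ACLs from the post (not the poster's live config).
ACL_TEXT = """ip access-list session deny_SSDP_and_UPnP_acl
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny
!
ip access-list session deny_mDNS_acl_alt
any host 224.0.0.251 udp 5353 deny log
!
ip access-list session deny_netbios_acl
any any udp 137 deny
any any udp 138 deny
!"""
# Hypothetical role names: the default auth role carries the deny ACLs, the
# RADIUS-VSA role for the discovery devices carries none of them.
ROLE_ACLS = {"default-auth": ["deny_SSDP_and_UPnP_acl", "deny_mDNS_acl_alt", "deny_netbios_acl"],
             "allow-l2": []}
def parse_acls(text):
    """Parse the session-ACL subset above: <src> <dst> <service> <action> [log],
    src/dst = 'any' | 'host A.B.C.D', service = 'any' | '<proto> <port>'."""
    acls, name = {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "access-list", "session"]:
            name, acls[t[3]] = t[3], []
            continue
        rule, i = {}, 0
        for side in ("src", "dst"):           # 'any' is one token, 'host X' is two
            rule[side], i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
        if t[i] == "any":
            rule["proto"], rule["port"], i = None, None, i + 1
        else:
            rule["proto"], rule["port"], i = t[i], int(t[i + 1]), i + 2
        rule["action"] = t[i]                 # 'deny' or 'permit'; trailing 'log' ignored
        acls[name].append(rule)
    return acls

ACLS = parse_acls(ACL_TEXT)
def is_dropped(role, dst_ip, proto, dport):
    """First-match evaluation of the role's ACLs in order. A packet matching no
    rule is treated as permitted (assumes an allow-all rule follows in the role)."""
    for acl in ROLE_ACLS[role]:
        for r in ACLS[acl]:
            dst_ok = r["dst"] is None or r["dst"] == dst_ip
            svc_ok = r["proto"] is None or (r["proto"] == proto and r["port"] == dport)
            if dst_ok and svc_ok:
                return r["action"] == "deny"
    return False
```

Running the evaluator with a packet to 224.0.0.252 udp 5355 (LLMNR, which Windows clients also use for discovery) shows it is permitted in the default role, so the "assuming I can identify all of the BC/MC traffic" premise is where the leak risk sits once broadcast-filter all is removed.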