topic Re: Why we have to allow RRM port first in wlc 8.5 in Wireless

Why we have to allow RRM port first in wlc 8.5

Leftz — Fri, 06 May 2022 18:58:00 GMT

Hi We want to create CPU ACL at wlc 8.5. According to Cisco document to create the CPU ACL, why we have to allow these RRM port FIRST ? Can we just deny some client traffic and allow all for this purpose? Please see the below Cisco statement. Anyone can explain it? Thank you

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/access_control_lists.html

Applying an Access Control List to the Controller CPU (GUI)

Before you begin

Before you apply ACL rules, ensure that you have explicitly set the following RRM ports to allow in the CPU ACL:

12124-12125
12134-12135

Also ensure that you add these ACL rules specifically at the top of the ACL list.

If you do not set these RRM ports to allow, the ports are blocked by default.

Procedure

Re: Why we have to allow RRM port first in wlc 8.5

Flavio Miranda — Fri, 06 May 2022 19:17:08 GMT

The idea of CPU ACL is to control (permit /deny) traffic send to the WLC itself. In networking this is called the Control plane traffic.

It turns out that the RRM traffic as Control plane traffic and if you block it, WLC will not manage the network in terms of RF.

RRM is the Radio Resource management and is the algorithm responsible to control Channel, Power, etc, etc,.

When you apply an ACL, you know that theres a implicit deny at the end. So, if you does not explicit permit those ports, they will be blocked with all control plance traffic.

Re: Why we have to allow RRM port first in wlc 8.5

Leftz — Fri, 06 May 2022 19:37:07 GMT

@Flavio Miranda Thanks Flavio for your respond.

" When you apply an ACL, you know that theres a implicit deny at the end. So, if you does not explicit permit those ports, they will be blocked with all control plance traffic. ..... "

Yes I know, but if we do not use permit RRM at beginning, we can use permit to allow all at the end.

Re: Why we have to allow RRM port first in wlc 8.5

Flavio Miranda — Fri, 06 May 2022 19:54:00 GMT

yes you can and probably will work the same way. What cisco try to do is call the attention to the fact that RRM is control plance cause most people dont know that and may incorretly block it.

Re: Why we have to allow RRM port first in wlc 8.5

Leftz — Fri, 06 May 2022 20:05:08 GMT

@Flavio Miranda Yes, I also think so.

So, based on my understanding, the two commands like the below should work for our purpose without other impact such as losing connection to WLC. Can I say it like this?

deny ip 10.10.10.0/24

permit ip any any

10.10.10.0/24 is users devices ip address.

Re: Why we have to allow RRM port first in wlc 8.5

Flavio Miranda — Fri, 06 May 2022 20:43:02 GMT

Keep in mind thart the network you permit there is the network from where you are going to manage the WLC.

Do you manage you WLC from this network?

What about Prime or any management tool you may have? Or syslog server?

User devices sounds to me like wireless client which is not afffected by CPU ACL

furthermore, this means that anything can access your WLC, except user devices.

This does not look good.

The normal action here is you to permit the management network and deny everything else.

Thats why cisco as to permit those port also.