12-13-2017 04:28 PM - edited 02-21-2020 10:41 AM
Hello All,
Need some assistance around the dACL for FlexConnect Access Points. We have configured all our FlexConnect AP switchports in Multi-Host authentication mode. But when we issue the restrictive dACL, the underlying hosts are unable to connect to the SSID being broadcast. As soon as we issue a full-permit dACL, it works. So I suspect either that some ports are missing from the dACL I have below, or (the only other issue I could think of) that in Multi-Host mode the dACL is applied to the entire session instead of just to the first MAC address seen on the switchport. By the way, the dACL below is also used for our LWAPP APs, and they work just fine.
remark Allow Control and Provisioning of Wireless Access Points (CAPWAP) protocols.
permit udp any any range 5246 5248
permit udp any range 5246 5248 any
remark Allow Lightweight Access Point Protocol (LWAPP)
permit udp any any range 12222 12224
permit udp any range 12222 12224 any
remark Allow remote access (telnet and SSH)
permit tcp any range 22 23 any
remark Allow DHCP
permit udp any any eq 67
permit udp any any eq 68
remark Allow DNS
permit udp any any eq 53
remark Allow RDLP
permit udp any any eq 6352
remark Allow NSI Protocol
permit udp any any eq 37540
permit udp any any eq 37550
remark Allow TFTP
permit udp any any eq 69
remark Allow FTP
permit tcp any any eq 21
remark Allow Syslog
permit udp any any eq 514
permit icmp any any
deny ip any any
Please help.
Edit: IOS version on the switch is 15.0(2)SE7
Regards
Vivek
03-27-2018 07:07 AM
All,
Just thought I'd post an update in case someone is having a similar issue. A Cisco TAC case was raised to understand this issue. With Multi-Host mode, the controls applied to the endpoint seen first by the switch are applied to all the underlying endpoints as well. In other words, the dACL is applied to the entire session. So in the above case, the FlexConnect AP was the first MAC to be seen by the switch and hence was issued the AP dACL. Once the workstation connected to the AP, the same dACL was applied to it as well. This causes the problem. The solution is to allow all traffic in the dACL, i.e. permit ip any any.
Regards
Vivek
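The following is an added example and is not part of the thread above or of any Cisco code. It models, in a deliberately simplified way, what TAC described: on a multi-host port the dACL of the first authenticated MAC (the AP) is the port's session policy, so a wireless client's frames bridged by a FlexConnect AP are matched against the same ACEs when they enter the switchport. The script parses the ACEs from the posted dACL (only the syntax subset that appears on the page: "any" addresses, "eq"/"range" port specs, first match wins, implicit deny), then evaluates a few constructed flows: the AP's own CAPWAP and DHCP traffic, which the restrictive dACL permits, and a wireless client's HTTPS session, which it denies unless the dACL is replaced with permit ip any any. The flows, MAC addresses and port numbers other than those in the dACL are constructed for illustration.

```python
"""Simplified model of a Cisco dACL applied to a multi-host 802.1X/MAB port.

Added example (not from the thread or from Cisco). It parses the ACE syntax
used in the posted dACL and shows why a restrictive AP dACL also blocks the
wireless clients behind a FlexConnect AP: in multi-host mode every MAC on the
port shares the first host's session, so the AP's dACL governs client traffic.
Only the ingress direction (frames entering the switchport from the AP side,
where a dACL is applied) is modelled; addresses are always 'any'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The dACL posted in the thread, verbatim (remarks are ignored by the parser).
AP_DACL = """\
remark Allow Control and Provisioning of Wireless Access Points (CAPWAP) protocols.
permit udp any any range 5246 5248
permit udp any range 5246 5248 any
remark Allow Lightweight Access Point Protocol (LWAPP)
permit udp any any range 12222 12224
permit udp any range 12222 12224 any
remark Allow remote access (telnet and SSH)
permit tcp any range 22 23 any
remark Allow DHCP
permit udp any any eq 67
permit udp any any eq 68
remark Allow DNS
permit udp any any eq 53
remark Allow RDLP
permit udp any any eq 6352
remark Allow NSI Protocol
permit udp any any eq 37540
permit udp any any eq 37550
remark Allow TFTP
permit udp any any eq 69
remark Allow FTP
permit tcp any any eq 21
remark Allow Syslog
permit udp any any eq 514
permit icmp any any
deny ip any any
"""

# The workaround TAC suggested: a full-permit dACL.
PERMIT_ALL_DACL = "permit ip any any\n"

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow entering the switchport (proto, src port, dst port)."""
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    sports: PortRange
    dports: PortRange


def _parse_port(tokens: List[str], i: int) -> Tuple[PortRange, int]:
    """Parse an optional 'eq N' or 'range A B' at tokens[i]; return (range, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return (int(tokens[i + 1]), int(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny <proto> any [ports] any [ports]' lines; skip remarks."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        if t[2] != "any":
            raise ValueError("only 'any' source addresses are modelled: " + line)
        sports, i = _parse_port(t, 3)
        if t[i] != "any":
            raise ValueError("only 'any' destination addresses are modelled: " + line)
        dports, _ = _parse_port(t, i + 1)
        aces.append(Ace(t[0], t[1], sports, dports))
    return aces


def _in_range(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(aces: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; like IOS, anything unmatched is implicitly denied."""
    for ace in aces:
        if ace.proto in ("ip", flow.proto) and _in_range(ace.sports, flow.sport) \
                and _in_range(ace.dports, flow.dport):
            return ace.action
    return "deny"


def multi_host_verdicts(first_host_dacl: str) -> Dict[str, str]:
    """Verdicts for constructed flows on a multi-host port whose first
    authenticated host (the AP) was issued `first_host_dacl`. Later MACs
    (wireless clients bridged by the AP) share that session, so every flow
    is evaluated against the same ACEs regardless of which MAC sent it."""
    aces = parse_acl(first_host_dacl)
    flows = {  # constructed sample flows, not captured traffic
        "ap capwap control to WLC": Flow("udp", 49152, 5246),
        "ap dhcp discover": Flow("udp", 68, 67),
        "ap ssh reply": Flow("tcp", 22, 50000),
        "client dns query": Flow("udp", 50112, 53),
        "client https": Flow("tcp", 51234, 443),
    }
    return {name: evaluate(aces, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, dacl in (("restrictive AP dACL", AP_DACL), ("permit ip any any", PERMIT_ALL_DACL)):
        print(label)
        for name, verdict in multi_host_verdicts(dacl).items():
            print(f"  {name:28s} {verdict}")
```

With the restrictive dACL the AP's own CAPWAP, DHCP and SSH flows are permitted and even the client's DNS query gets through, but the client's HTTPS session is denied; with permit ip any any everything is permitted, which is the behaviour the thread reports. On the switch itself, `show authentication sessions interface <interface>` shows a single session for the port in multi-host mode, which is the quickest way to confirm that clients behind the AP are not being evaluated against a policy of their own.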