The configurations below cover ACL configuration on Autonomous APs, which comes in handy for many things!!
Configuring standard ACL
============================
You can use standard ACLs to allow or disallow the entry of client devices into the WLAN network based on the IP address of the client. Standard ACLs compare the source address of the IP packets to the addresses that are configured in the ACL in order to control traffic. This type of ACL can be referred to as a source IP address-based ACL.
    en
    conf t
    access-list 10 deny host <ip addr of the client>
    access-list 10 permit any

    en
    conf t
    access-list 10 deny host 192.168.10.1
    access-list 10 permit any
Apply this to the interface:

    int dot11 0
     ip access-group 10 in
Similarly, standard named ACLs
=============================
    en
    conf t
    ip access-list standard <name>
     deny host <ip addr>
     permit any
     exit
    int dot11 0
     ip access-group <name> in

    en
    conf t
    ip access-list standard test
     deny host 192.168.10.1
     permit any
     exit
    int dot11 0
     ip access-group test in
EXTENDED ACLs on the AP
========================
Extended ACLs compare the source and destination addresses of the IP packets to the addresses that are configured in the ACL in order to control traffic. Extended ACLs also provide a means to filter traffic based on specific protocols. This provides a more granular control for the implementation of filters on a WLAN network.
Example: deny all traffic on the AP and allow only DHCP (it can be modified based on your needs and protocols):

    en
    conf t
    ip access-list extended hi
     ! DHCP replies from the server (destination port 68)
     permit udp any any eq bootpc
     ! DHCP requests from clients (destination port 67)
     permit udp any any eq bootps
     deny ip any any
     exit
    int dot11 0
     ip access-group hi in
    int dot11 0.X
     ip access-group hi in
    int gig 0
     ip access-group hi in
    int gig 0.X
     ip access-group hi in
     end
Now TIME BASED ACL!!
===================
Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic.
This example illustrates how to configure a time-based ACL through the CLI, where Telnet connection is permitted from the inside to the outside network on weekdays during business hours:
Note: A time-based ACL can be defined either on the Fast Ethernet port or on the Radio port of the Aironet AP, based on your requirements. It is never applied on the Bridge Group Virtual Interface (BVI).
This example shows how to allow only Telnet access to the AP during the time interval (it can be changed based on your needs):

    en
    conf t
    time-range hi
     periodic weekdays 9:00 to 19:00
    ip access-list extended 111
     permit tcp 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range hi
     exit
    int gig 0
     ip address 192.168.10.1 255.255.255.0
     ip access-group 111 in
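
A consistency check for configurations like the ones above, as an added example that is not part of the original post: it flags an `ip access-group` that names an ACL the config never defines (IOS passes all packets in that case), an ACL entry whose `time-range` is not defined, and a time-based ACL applied on a BVI. The function name `lint_acl_refs` and the sample config are constructed for illustration.

```python
import re

# Constructed sample config (not from a real device): ACL 111 is defined but
# 101 is applied, the time-range name is misspelled, and a BVI carries ACL 111.
SAMPLE = """\
time-range hi
 periodic weekdays 9:00 to 19:00
ip access-list extended 111
 permit tcp 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range hii
access-list 10 deny host 192.168.10.1
access-list 10 permit any
interface Dot11Radio0
 ip access-group 10 in
interface GigabitEthernet0
 ip access-group 101 in
interface BVI1
 ip access-group 111 in
"""

def lint_acl_refs(config):
    """Return (where, problem) findings for dangling ACL/time-range references."""
    acls, ranges, timed, applied = set(), set(), {}, []
    acl = iface = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", line):
            acl = m.group(1)
            acls.add(acl)
        elif m := re.match(r"time-range (\S+)$", line):
            ranges.add(m.group(1))
        elif m := re.match(r"int(?:erface)? (.+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-group (\S+) (?:in|out)$", line):
            applied.append((iface, m.group(1)))
        # An entry ending in "time-range NAME" makes the current ACL time-based.
        if acl and (m := re.match(r"(?:access-list \d+ |\d+ )?(?:permit|deny) .* time-range (\S+)$", line)):
            timed.setdefault(acl, set()).add(m.group(1))
    findings = []
    for iface, name in applied:
        if name not in acls:
            findings.append((iface, f"access-group {name} is not defined"))
        elif name in timed and (iface or "").lower().startswith("bvi"):
            findings.append((iface, f"time-based ACL {name} is applied on a BVI"))
    for name, used in sorted(timed.items()):
        findings += [(name, f"time-range {r} is not defined") for r in sorted(used - ranges)]
    return findings

if __name__ == "__main__":
    for where, problem in lint_acl_refs(SAMPLE):
        print(f"{where}: {problem}")
```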