The configurations below show how ACLs are set up on Autonomous APs, which is handy for many things!!

Configuring standard ACLs
=========================
You can use standard ACLs to allow or disallow the entry of client devices into the WLAN network based on the IP address of the client. Standard ACLs compare the source address of the IP packets to the addresses that are configured in the ACL in order to control traffic. This type of ACL can be referred to as a source IP address-based ACL.
en
conf t
access-list 10 deny host <ip addr of the client>
access-list 10 permit any

Worked example:

en
conf t
access-list 10 deny host 192.168.10.1
access-list 10 permit any
Apply it to the interface (the number in ip access-group must match the list defined above):

int dot11 0
ip access-group 10 in
Similarly, standard named ACLs
==============================

en
conf t
ip access-list standard <name>
deny host <ip addr>
permit any
exit
int dot11 0
ip access-group <name> in

Worked example:

en
conf t
ip access-list standard test
deny host 192.168.10.1
permit any
exit
int dot11 0
ip access-group test in
Extended ACLs on the AP
=======================
Extended ACLs compare the source and destination addresses of the IP packets to the addresses that are configured in the ACL in order to control traffic. Extended ACLs also provide a means to filter traffic based on specific protocols. This provides a more granular control for the implementation of filters on a WLAN network.
Example: deny all traffic on the AP and allow only DHCP (adjust to your needs and protocols). DHCP replies from the server arrive with destination port bootpc (68), but a client's own request has source port bootpc and destination port bootps (67), so a list applied inbound on the radio needs both directions:

en
conf t
ip access-list extended hi
! server -> client replies (destination port 68)
permit udp any any eq bootpc
! client -> server requests (source port 68, destination port 67)
permit udp any eq bootpc any eq bootps
deny ip any any
exit
int dot11 0
ip access-group hi in
int dot11 0.X
ip access-group hi in
int gig 0
ip access-group hi in
int gig 0.X
ip access-group hi in
end
Time-based ACLs
===============
Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic.
This example illustrates how to configure a time-based ACL through the CLI, where a Telnet connection is permitted from the inside to the outside network on weekdays during business hours:
Note: A time-based ACL can be defined either on the Fast Ethernet port or on the Radio port of the Aironet AP, based on your requirements. It is never applied on the Bridge Group Virtual Interface (BVI).
The example permits only Telnet (from 192.168.10.0/24 to 172.16.1.0/24) during the time range; everything else, and Telnet outside that window, hits the implicit deny (adjust to your needs). The list number in ip access-group must match the list defined above:

en
conf t
time-range hi
period weekdays 9:00 to 19:00
ip access-list extended 111
permit tcp 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range hi
exit
int gig 0
ip address 192.168.10.1 255.255.255.0
ip access-group 111 in
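As an added example that is not part of the original post, here is a small Python model of the first-match, wildcard-mask, implicit-deny and time-range semantics these lists rely on, so you can check what a given packet would do before the ACL is pushed to an AP. The entry and packet encoding, the constructed packets and the whole-hour time-range are my own simplified assumptions, not IOS code.

```python
# Added example (not from the original page): a small model of how IOS evaluates
# the ACLs above, so a policy can be checked before it is pushed to an AP.
# Assumed simplifications: first match wins, implicit deny at the end, IOS
# wildcard masks (a 1 bit means "don't care"), and a periodic time-range that
# is active on weekdays between two whole-hour clock times.
from datetime import datetime
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword; "host X" is (X, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(base)) | w)

def in_time_range(time_range, when):
    if time_range is None:             # entry carries no time-range
        return True
    start, end = time_range
    return when.weekday() < 5 and start <= when.hour < end

def evaluate(acl, pkt, when=None):
    """Return 'permit' or 'deny' for pkt against an ordered list of entries."""
    when = when or datetime.now()
    for e in acl:
        if not in_time_range(e.get("time_range"), when):
            continue
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e.get("sport") not in (None, pkt["sport"]) or e.get("dport") not in (None, pkt["dport"]):
            continue
        return e["action"]
    return "deny"                      # implicit "deny ip any any"

# Constructed from the page's "allow only DHCP" list with only the bootpc (68) destination
# rule, and a variant that also matches a client's own request, which is 68 -> 67.
DHCP_AS_WRITTEN = [{"action": "permit", "proto": "udp", "src": ANY, "dst": ANY, "dport": 68},
                   {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY}]
DHCP_BOTH_WAYS = [{"action": "permit", "proto": "udp", "src": ANY, "sport": 68, "dst": ANY, "dport": 67}] + DHCP_AS_WRITTEN
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67}

# Constructed from the page's time-based ACL 111 (telnet, weekdays 9:00-19:00).
ACL_111 = [{"action": "permit", "proto": "tcp", "src": ("192.168.10.0", "0.0.0.255"),
            "dst": ("172.16.1.0", "0.0.0.255"), "dport": 23, "time_range": (9, 19)}]
TELNET = {"proto": "tcp", "src": "192.168.10.5", "sport": 40000, "dst": "172.16.1.9", "dport": 23}
TUESDAY_10AM, SATURDAY_10AM, TUESDAY_8PM = datetime(2024, 3, 5, 10), datetime(2024, 3, 9, 10), datetime(2024, 3, 5, 20)
```

Run against the DHCP list, it shows why a single `permit udp any any eq bootpc` entry drops a client's own DHCP request when applied inbound on the radio, while the two-entry version lets it through.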