I read in the Cisco documentation:
The WLC's notion of inbound versus outbound is nonintuitive. It is from the perspective of the WLC
facing towards the wireless client, rather than from the perspective of the client. So, inbound direction
means a packet that comes into the WLC from the wireless client and outbound direction means a
packet that exits from the WLC towards the wireless client.
My architecture is the following:
The WLC is connected to the ASA.
The ASA is connected to the LAN.
The WLC has 2 interfaces:
The APs (connected on the LAN) terminate the CAPWAP tunnel on the management interface.
The wireless client authenticates with EAP-FAST and, after successful authentication, its traffic is put on the WiFi interface.
The WiFi interface is connected to the ASA; in fact, wireless clients are in a DMZ after authentication.
DHCP is relayed by the ASA interface of the wireless DMZ.
My question is:
To prevent access to the interfaces it is necessary to use ACLs; this is what is recommended in any security test.
How can I prevent wireless clients from reaching the WiFi interface on the WLC (e.g. ping)?
For my part, I would like to test this ACL applied on the WiFi interface of the WLC:
deny any any @ip_WiFi_interface_WLC inbound
allow any any any
An ACL that has an IP of the WLC as source or destination has to be a CPU ACL.
Build your ACL, go into Security -> ACL -> CPU ACL and enable yours as the CPU ACL.
Applying an ACL on an interface only affects traffic towards the wired network, not traffic to the CPU interfaces.
One more question about ACLs please :-)
It is mentioned in the Cisco documentation too:
These are some of the rules you need to understand before you configure an ACL on the WLC:
inverse statement in the opposite direction must be created.
For my case, I defined the ACL :
Is it necessary to define the inverse statement?
But I think I have to define a new rule which permits the other flows, because the management interface has to be reachable and has to communicate with the ACS ...
There are new behaviors with regards to CPU ACLs on 7.0 and I admit I didn't test it myself. The best is to create the rules like you said (the only risk is that some are not used; the effect will be achieved anyway) and check the counters to see what is matched.
If you block traffic on the management interface, don't forget to allow:
- Mobility traffic, in case you have several WLCs
- DHCP protocol (WLC interfaces act as DHCP relay)
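As an added illustration of the two replies above (the CPU ACL advice and the reminder to keep DHCP and mobility traffic open), here is what such an ACL could look like on the AireOS CLI. This is example configuration written for this page, not something posted in the thread or taken from Cisco; it assumes the 7.x `config acl` command syntax, and the ACL name CPU-PROTECT, the interface address 10.10.20.1 and the peer-WLC subnet 10.10.30.0/24 are placeholders. The lines starting with `!` are reading annotations, not WLC commands. Direction follows the WLC's own convention quoted at the top of the thread: "in" is traffic coming from the wireless client into the WLC.

```cisco
! Placeholders: 10.10.20.1 = IP of the WiFi (dynamic) interface on the WLC,
! 10.10.30.0/24 = subnet of the peer WLC(s) in the mobility group.
config acl create CPU-PROTECT

! Rule 1: DHCP from clients (UDP 68 -> 67) must still reach the relay.
config acl rule add CPU-PROTECT 1
config acl rule protocol CPU-PROTECT 1 17
config acl rule source port range CPU-PROTECT 1 68 68
config acl rule destination port range CPU-PROTECT 1 67 67
config acl rule direction CPU-PROTECT 1 in
config acl rule action CPU-PROTECT 1 permit

! Rules 2 and 3: mobility control (UDP 16666) and EoIP (IP protocol 97)
! from the other controllers; only needed with several WLCs.
config acl rule add CPU-PROTECT 2
config acl rule source address CPU-PROTECT 2 10.10.30.0 255.255.255.0
config acl rule protocol CPU-PROTECT 2 17
config acl rule destination port range CPU-PROTECT 2 16666 16666
config acl rule action CPU-PROTECT 2 permit

config acl rule add CPU-PROTECT 3
config acl rule source address CPU-PROTECT 3 10.10.30.0 255.255.255.0
config acl rule protocol CPU-PROTECT 3 97
config acl rule action CPU-PROTECT 3 permit

! Rule 4: the request from the thread, everything else from a wireless
! client towards the dynamic interface IP is dropped (covers ping).
config acl rule add CPU-PROTECT 4
config acl rule destination address CPU-PROTECT 4 10.10.20.1 255.255.255.255
config acl rule direction CPU-PROTECT 4 in
config acl rule action CPU-PROTECT 4 deny

! Rule 5: a WLC ACL ends with an implicit deny, so the remaining traffic
! has to be permitted explicitly (the "allow any any any" of the question).
config acl rule add CPU-PROTECT 5
config acl rule action CPU-PROTECT 5 permit

! Apply it as the CPU ACL on the wireless side, then use the counters to
! see which rules are actually hit, as suggested above.
config acl cpu CPU-PROTECT wireless
config acl counter start
show acl cpu
show acl detailed CPU-PROTECT
```

The permits are placed before the deny on purpose: rules are evaluated in index order and the first match wins, so a deny at index 1 would silently cut the DHCP relay and the mobility peers. The `show acl detailed` counters are the quickest way to confirm that a client ping is hitting rule 4 while rule 1 still counts DHCP.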
I finally opened a case.
The engineer told me:
TAC > If I understand you, you do not want clients to be able to reach the interface that they get IP addresses in? If that is correct, the clients will not work. The clients have to reach the dynamic interface, as that is the interface that the IP address is provided through.
TAC > I understand that it is not getting DHCP from the controller, but that interface is used for packet handling for those clients. I guess I do not understand your setup enough; why would you not want the clients to reach the dynamic interface that they are associated to?
For you, if I position the CPU ACLs to block traffic to the dynamic interfaces, will the wireless clients work?
The dynamic interface is only used for DHCP relay purposes and similar. Once you're in the network passing traffic, the interface is never contacted again from a client perspective. So what you are looking for is not a problem at all.
Can you let me know the SR number?
I tested the CPU ACL as mentioned in the discussion on my production WLC and I was unable to ping the dynamic interface.
So my rule works.
The TAC engineer confirmed the same result to me yesterday.
Thanks a lot for your help!