Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2029
Views
10
Helpful
3
Replies

Restrictions ACL for Wireless AP to WLC in HREAP Desgin Setup

Go to solution
Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1

‎06-25-2012 12:51 AM - edited ‎07-03-2021 10:20 PM

                   Hello, Everyone  I have Wireless HREAP setup in which the Wireless LAN Controllers (WLC) are located across the WAN in DataCenter while the Wireless Access Points (AP) are located within the branches, so setup is fine but as security requirement mandates that the APs VLAN in the branch should be restricted from accessing any thing except neccessary communication to WLC across the WAN so on the interface VLAN assigned for the APs in the branch i Applied an inbound ACL as below and it works fine but after some times my be days i found that the Access points are not present in the WLC GUI and it will appear only if i removed the ACL...............So question here what else is missing in my ACL which is neccessary for AP communication to WLC?

Extended IP access list HO_AP_Restrictions

    10 permit udp any host (WLC 1 IP) eq 12222

    20 permit udp any host (WLC 1 IP) eq 12223 (58563 matches)

    30 permit udp any host (WLC 1 IP) eq 5247

    40 permit udp any host (WLC 1 IP) eq 5246 (58563 matches)

    50 permit udp any host (WLC 2 IP)  eq 12222

    60 permit udp any host (WLC 2 IP)  eq 12223 (22270 matches)

    70 permit udp any host (WLC 2 IP)  eq 5247

    80 permit udp any host (WLC 2 IP)  eq 5246 log (22270 matches)

    90 permit udp any host (ap-manager 1 IP)  eq 12222

    100 permit udp any host (ap-manager WLC 1 IP)  eq 12223

    110 permit udp any host (ap-manager WLC 1 IP)  eq 5247 (440902 matches)

    120 permit udp any host (ap-manager WLC 1 IP)  eq 5246 (1950854 matches)

    130 permit udp any host (ap-manager WLC 2 IP)  eq 12222

    140 permit udp any host (ap-manager WLC 2 IP)  eq 12223

    150 permit udp any host (ap-managerWLC  2 IP)  eq 5247 (360037 matches)

    160 permit udp any host (ap-manager WLC 2 IP)  eq 5246 (1484968 matches)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎06-25-2012 02:15 AM

Salam Mohamed,

I think your ACL is OK.

You need to verify if the AP joining problem is really due to the ACL.

For HREAPs running over WAN it is kind of normal that APs lose connection to the WLC if there is significant delay/error on the line. So you better isolate further:

- Does the AP join WLC if it is rebooted?

- Try to check if there are any failure joing attempts.

     (Cisco Controller) >show ap join stats detail

   The output should show you information about last join attempts that failed; when and why.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎06-25-2012 02:15 AM

Salam Mohamed,

I think your ACL is OK.

You need to verify if the AP joining problem is really due to the ACL.

For HREAPs running over WAN it is kind of normal that APs lose connection to the WLC if there is significant delay/error on the line. So you better isolate further:

- Does the AP join WLC if it is rebooted?

- Try to check if there are any failure joing attempts.

     (Cisco Controller) >show ap join stats detail

   The output should show you information about last join attempts that failed; when and why.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1
In response to Amjad Abdullah

‎07-09-2012 02:06 AM

Thanks Amjad Abdullah and sorry for late reply i was on sick leave

Actually the issue was due to the ACL, which was blocking the DHCP (how stupidly I overlooked that)

I have did the same command as you instructed and it reveal that AP has timed out, so I have enabled debugging on ACL to see what kindly of communication is going on and I found many communication which I was keep allowing it based try and error till I found this log that Some APs IP address are trying to communicate to the default VLAN gateway IP address on port 67 which is DHCP then I realized this is the issue.....

In brief....the APs are assigned to a dynamic VLAN (DHCP-enabled) so when I apply the old ACL, the APs already has obtained an IP addresses and they work fine with WLC, but when the DHCP lease timer expires, the APs try to send DHCP renew to the default gateway in which no ACE inside the ACL is matching so that request being denied and therefore doesn't get an IP address so it loses communication with the WLC....

So I added the following ACE at the end of the above ACL

permit udp host 0.0.0.0 any eq bootps

NowI will always remember.......Security comes with cost

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to Mohamed Abd Elnaser Mohamed Mohamed Ali

‎07-09-2012 02:12 AM

Sorry to hear that you were sick.  I hope you fully recovered now.

NowI will always remember.......Security comes with cost

I agree. Painful cost sometimes.

Rating useful replies is more useful than saying "Thank you"
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card