ACL on WLC v7.0

dalao
Level 1

Hi,

I read on Cisco documentation :

The WLC's notion of inbound versus outbound is nonintuitive. It is from the perspective of the WLC
facing towards the wireless client, rather than from the perspective of the client. So, inbound direction
means a packet that comes into the WLC from the wireless client and outbound direction means a
packet that exits from the WLC towards the wireless client.

My architecture is the following :

  • 1 WLC 5508
  • 1 ASA 5520

The WLC is connected to ASA.

The ASA is connected to the LAN.

The WLC has 2 interfaces :

  • Management
  • WiFi

The APs (connected on the LAN) end the CAPWAP tunnel on the management interface.

The wireless client authenticates with EAP-FAST and, after successful authentication, the flow is put on the WiFi interface.

The WiFi interface is connected to the ASA; in fact, wireless clients are in a DMZ after authentication.

The DHCP server is relayed by the ASA interface of the wireless DMZ.

My question is :

To prevent access to the interfaces it is necessary to use ACLs, this is what is recommended in any safety test.

How can I prevent wireless clients from reaching the WiFi interface on the WLC (e.g. PING)?

For me, I would like to test this ACL applied on WiFi interface of the WLC :

deny any any @ip_WiFi_interface_WLC inbound

allow any any any

Regards,

Davy

11 Replies

dalao
Level 1

It is a simplified example of my architecture.

All the L3 outgoing traffic of wireless clients goes through the DMZ interface of the ASA.

Nicolas Darchis
Cisco Employee

An ACL that would have as source or destination an ip of the WLC has to be a CPU ACL.

Build your ACL and go into security-> ACL-> CPU ACL and enable yours as CPU ACL.

Applying an ACL on an interface is only for traffic towards wired network, not to the CPU interfaces.

Ok thanks for the answer.

But can you tell me if the ACL can be this :

deny any any @IP_WiFi_interface_WLC inbound

Regards,

Davy

Yes, that sounds good

Ok thanks for your help.

I will test and I will tell you if it is correct.

Regards,

Davy

One more question about ACL please :-)

It is mentioned in the Cisco documentation too:

These are some of the rules you need to understand before you configure an ACL on the WLC:

  • If the source and destination are any, the direction in which this ACL is applied can be any.
  • If either the source or destination are not any, then the direction of the filter must be specified, and an inverse statement in the opposite direction must be created.

For my case, I defined the ACL :

  • Sequence : 1
  • Source : Any
  • Destination : IP Address 192.168.1.2 / Netmask : 255.255.255.255
  • Protocol : Any
  • DSCP : Any
  • Direction : Inbound
  • Action : Deny

Is it necessary to define the inverse statement ?

  • Sequence : 2
  • Source : IP Address 192.168.1.2 / Netmask : 255.255.255.255
  • Destination : Any
  • Protocol : Any
  • DSCP : Any
  • Direction : Outbound
  • Action : Deny

But I think I have to define a new rule, which permit the other flows, because management interface has to be joined and communicate with ACS ...

  • Sequence : 3
  • Source : Any
  • Destination : Any
  • Protocol : Any
  • DSCP : Any
  • Direction : All
  • Action : Permit

Regards,


Davy

There are new behaviors with regards to CPU ACL on 7.0 and I admit I didn't test it myself. The best is to create the rules like you said (the only risk is that some are not used, effect will be achieved anyway) and check the counters to see what is matched.

If you block traffic on the management interface, don't forget to allow :

-Mobility traffic in case you have several WLCs

-DHCP protocol (wlc interfaces act as dhcp relay)
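To make the WLC direction semantics and the first-match rule order concrete, here is an added example (not from the thread, Cisco or TAC) that models the three rules Davy listed and the per-rule hit counters Nicolas suggests checking. 192.168.1.2 is the dynamic-interface address from the post; the client and LAN host addresses are constructed, and the implicit deny at the end of the ACL is assumed to match the WLC's behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    seq: int
    src: str        # IPv4 network in CIDR form, or "any"
    dst: str
    direction: str  # "inbound", "outbound" or "any" (shown as "All" on the WLC)
    action: str     # "permit" or "deny"
    hits: int = 0   # per-rule counter, as displayed on the WLC ACL page

    def matches(self, src_ip, dst_ip, direction):
        # Direction is from the WLC's point of view: "inbound" is a packet entering
        # the WLC from a wireless client, "outbound" a packet leaving towards one.
        return (_in(src_ip, self.src) and _in(dst_ip, self.dst)
                and self.direction in ("any", direction))

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def evaluate(acl, src_ip, dst_ip, direction):
    """First matching rule wins; a packet matching no rule is dropped (implicit deny)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.matches(src_ip, dst_ip, direction):
            rule.hits += 1
            return rule.action
    return "deny"

def thread_acl(dyn_if="192.168.1.2/32"):
    """The three rules proposed in the thread; 192.168.1.2 is the WiFi dynamic interface."""
    return [
        Rule(1, "any", dyn_if, "inbound", "deny"),    # client -> dynamic interface
        Rule(2, dyn_if, "any", "outbound", "deny"),   # the inverse statement
        Rule(3, "any", "any", "any", "permit"),       # everything else
    ]

# Constructed sample flows: client 10.10.10.5 and LAN host 172.16.1.20 are made up.
SAMPLE_FLOWS = [
    ("ping dyn-if", "10.10.10.5", "192.168.1.2", "inbound"),
    ("client -> LAN", "10.10.10.5", "172.16.1.20", "inbound"),
    ("LAN -> client", "172.16.1.20", "10.10.10.5", "outbound"),
    ("dyn-if -> client", "192.168.1.2", "10.10.10.5", "outbound"),
]

def run(acl=None):
    """Return {flow name: action}; the hit counters stay on the Rule objects."""
    acl = acl if acl is not None else thread_acl()
    return {name: evaluate(acl, s, d, dirn) for name, s, d, dirn in SAMPLE_FLOWS}
```

After running the sample flows, rules 1 and 2 each show one hit and rule 3 shows two, which is the kind of counter check Nicolas recommends before trusting the rule set in production.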

Thanks.

I finally opened a case.

The engineer told me:

TAC > If I understand you, you do not want clients to be able to reach the interface that they get IP addresses in? If that is correct, the clients will not work. The clients have to reach the dynamic interface as that is the interface that the IP address is provided through.

TAC > I understand that it is not getting DHCP from the controller, but that interface is used for packet handling for those clients. I guess I do not understand your setup enough; why would you not want the clients to reach the dynamic interface that they are associated to?

In your opinion, if I position the CPU ACLs to block traffic to the dynamic interfaces, will the wireless clients work?

Regards,

Davy

The dynamic interface is only used for DHCP relay purposes and similar. Once you're in the network passing traffic, the interface is never contacted again from a client perspective. So what you are looking for is not a problem at all.

Can you let me know the SR number ?

I prefer your answer :-)

SR 618228689

Hi Nicolas,

I tested the CPU ACL as mentioned in the discussion on my WLC in production and I was unable to ping the dynamic interface.

So my rules work.

The TAC engineer confirmed the same result to me yesterday.

Thanks a lot for your help !

Regards,

Davy
