ACL to deny APs from downloading image

Paccers
Level 1
Hi all,

A bit of a strange question but my scenario is this:

- I need to upgrade a few WLCs (HA SSO) from 8.3.x to 8.5.x. When I previously upgraded from 8.2 to 8.3, although I performed AP predownload (Flex), when it came to entering the reset-system in <time> image no-swap reset-aps etc. it wouldn't accept the command because some APs were still in a 'downloading' state.

- The APs remaining in the 'downloading' state were known about, and it was due to them already being in a boot loop due to the flash corruption bug in 8.2/lower 8.3 versions (Field Notice: 70330). I knew about these units and knew they wouldn't come back with the WLC upgrade; they would be sorted out afterward. I had a number of these faulty APs and a strict change window, so I was forced to use the 'reset system forced' command instead of the more graceful method where the standby goes first, etc.

- I'm likely to have a similar scenario with the 8.3-8.5 upgrade, so my main query here is: is there a method (ACL?) whereby I can temporarily and specifically deny APs from being able to perform image downloads from the WLC? Hoping it's just something I can throw in, perform the WLC/AP reset, then remove once the WLCs come back up.

Straight up denying all comms from affected APs to the WLC is not really on the cards, as the APs in this faulty 'downloading' state are spread across many different sites; it would be the longest game of whack-a-mole I've ever played.

Any ideas from the gurus?

2 Replies

Leo Laohoo
Hall of Fame
Kill the VLANs to the AP while doing the WLC upgrade.

Rich R
VIP
Security -> AAA -> AP Policies -> Authorize MIC APs against auth-list or AAA
Then use the built-in AP Authorization List (size limit depends on version; see release notes) to allow the APs you want to join, or use a RADIUS server. We use a RADIUS server with a MAC address database to service multiple WLCs.
If the MAC address is not in the list the WLC won't allow the AP to join (and therefore won't be able to download).
Feasibility of this approach depends on how many APs you have; adding them to the list via CLI will obviously be much quicker than via the GUI.
Also see https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj32563: even when you've blocked those APs you might still find you can't reload, and you might need to reset the dl-count. You didn't mention what specific version you're running, so you might already have the fix for this.
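As an added illustration of the allow-list approach in the reply above (not code from the original thread or from Cisco), the script below takes a constructed AP inventory, excludes the units known to be boot-looping, normalises and deduplicates the MAC addresses, enforces a version-dependent list size limit (passed in as a parameter, since the limit varies), and emits the CLI lines to populate the AP Authorization List. The AireOS command syntax `config auth-list add mic <mac>` and `config auth-list ap-policy authorize-ap enable` is assumed; check it against your release before pasting.

```python
import re

# Constructed sample inventory: (AP name, Ethernet MAC as found in various
# notations, known to be stuck boot-looping in 'Downloading' state?)
AP_INVENTORY = [
    ("AP-SITE1-01", "00:11:22:33:44:55", False),
    ("AP-SITE1-02", "0011.2233.4466", True),     # faulty unit: keep it off the list
    ("AP-SITE2-01", "00-11-22-33-44-77", False),
    ("AP-SITE2-01", "00:11:22:33:44:77", False), # duplicate row, different notation
    ("AP-SITE3-01", "00:11:22:33:44:88", False),
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated octets; reject malformed input."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(raw):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def build_allow_list(inventory, max_entries: int) -> list:
    """MACs of APs permitted to join: faulty units excluded, deduplicated, size-checked."""
    allowed, seen = [], set()
    for _name, mac, faulty in inventory:
        norm = normalize_mac(mac)
        if faulty or norm in seen:
            continue
        seen.add(norm)
        allowed.append(norm)
    if len(allowed) > max_entries:
        # The auth-list cap is version dependent (see release notes); fail loudly
        # rather than silently truncating and locking real APs out.
        raise ValueError(f"{len(allowed)} entries exceed auth-list limit of {max_entries}")
    return allowed


def wlc_cli_lines(allowed) -> list:
    """Assumed AireOS syntax: one 'config auth-list add mic' per AP, then enable the policy."""
    lines = [f"config auth-list add mic {mac}" for mac in allowed]
    lines.append("config auth-list ap-policy authorize-ap enable")
    return lines


if __name__ == "__main__":
    # max_entries is a placeholder; substitute the limit documented for your WLC release.
    print("\n".join(wlc_cli_lines(build_allow_list(AP_INVENTORY, max_entries=500))))
```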