06-25-2012 12:51 AM - edited 07-03-2021 10:20 PM
Hello everyone, I have a Wireless HREAP setup in which the Wireless LAN Controllers (WLC) are located across the WAN in the DataCenter while the Wireless Access Points (AP) are located within the branches. The setup is fine, but the security requirement mandates that the APs' VLAN in the branch be restricted from accessing anything except the necessary communication to the WLC across the WAN, so on the interface VLAN assigned for the APs in the branch I applied an inbound ACL as below. It works fine, but after some time, maybe days, I found that the Access Points were not present in the WLC GUI, and they appear only if I remove the ACL. So the question here is: what else is missing in my ACL that is necessary for AP communication to the WLC?
Extended IP access list HO_AP_Restrictions
10 permit udp any host (WLC 1 IP) eq 12222
20 permit udp any host (WLC 1 IP) eq 12223 (58563 matches)
30 permit udp any host (WLC 1 IP) eq 5247
40 permit udp any host (WLC 1 IP) eq 5246 (58563 matches)
50 permit udp any host (WLC 2 IP) eq 12222
60 permit udp any host (WLC 2 IP) eq 12223 (22270 matches)
70 permit udp any host (WLC 2 IP) eq 5247
80 permit udp any host (WLC 2 IP) eq 5246 log (22270 matches)
90 permit udp any host (ap-manager 1 IP) eq 12222
100 permit udp any host (ap-manager WLC 1 IP) eq 12223
110 permit udp any host (ap-manager WLC 1 IP) eq 5247 (440902 matches)
120 permit udp any host (ap-manager WLC 1 IP) eq 5246 (1950854 matches)
130 permit udp any host (ap-manager WLC 2 IP) eq 12222
140 permit udp any host (ap-manager WLC 2 IP) eq 12223
150 permit udp any host (ap-manager WLC 2 IP) eq 5247 (360037 matches)
160 permit udp any host (ap-manager WLC 2 IP) eq 5246 (1484968 matches)
06-25-2012 02:15 AM
Salam Mohamed,
I think your ACL is OK.
You need to verify if the AP joining problem is really due to the ACL.
For HREAPs running over the WAN it is kind of normal that APs lose connection to the WLC if there is significant delay/error on the line. So you'd better isolate further:
- Does the AP join the WLC if it is rebooted?
- Try to check if there are any failed join attempts.
(Cisco Controller) >show ap join stats detail
The output should show you information about last join attempts that failed; when and why.
HTH
Amjad
07-09-2012 02:06 AM
Thanks Amjad Abdullah, and sorry for the late reply; I was on sick leave.
Actually the issue was due to the ACL, which was blocking DHCP (how stupidly I overlooked that).
I ran the same command as you instructed and it revealed that the AP had timed out, so I enabled debugging on the ACL to see what kind of communication was going on. I found many flows, which I kept allowing by trial and error, until I found this log: some APs' IP addresses were trying to communicate to the default VLAN gateway IP address on port 67, which is DHCP. Then I realized this was the issue.
In brief, the APs are assigned to a dynamic VLAN (DHCP-enabled), so when I applied the old ACL the APs had already obtained IP addresses and worked fine with the WLC, but when the DHCP lease timer expires, the APs try to send a DHCP renew to the default gateway, which no ACE inside the ACL matches, so the request is denied. The AP therefore doesn't get an IP address and loses communication with the WLC.
So I added the following ACE at the end of the above ACL:
permit udp host 0.0.0.0 any eq bootps
Now I will always remember: security comes with a cost.
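As an added example (not code from the thread or from Cisco), the following Python evaluates the ACL pattern quoted above, with constructed placeholder addresses standing in for the WLC and ap-manager IPs, against three flows: CAPWAP control to the ap-manager, a DHCP DISCOVER sourced from 0.0.0.0, and a unicast renewal sent from the AP's leased address to the gateway on UDP 67, both before and after the added bootps ACE. Since a "host 0.0.0.0" source matches only packets sourced from the unspecified address, the renewal case is worth checking separately, which the script does.

```python
# Added example, not from the original thread: evaluate the thread's AP-VLAN
# ACL against constructed flows. "(WLC 1 IP)"-style placeholders become
# constructed RFC 1918 addresses.
import ipaddress

WLC1, APMGR1 = "10.0.0.10", "10.0.0.12"        # constructed controller addresses
GATEWAY, AP = "192.168.50.1", "192.168.50.25"  # constructed branch VLAN addresses
SERVICES = {"bootps": 67, "bootpc": 68}
# Same pattern as the thread's ACL; the WLC 2 / ap-manager 2 lines are analogous.
ORIGINAL_ACL_TEXT = f"""
20 permit udp any host {WLC1} eq 12223
40 permit udp any host {WLC1} eq 5246 log
110 permit udp any host {APMGR1} eq 5247
120 permit udp any host {APMGR1} eq 5246
"""
ADDED_ACE = "permit udp host 0.0.0.0 any eq bootps"   # the ACE the thread adds

def _addr(tokens):
    """Consume 'any' or 'host X'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")

def parse_ace(line):
    """Parse '[seq] permit|deny udp <src> <dst> [eq <port>] [log]'."""
    tokens = line.split()
    if tokens[0].isdigit():                  # optional sequence number
        tokens = tokens[1:]
    src, rest = _addr(tokens[2:])
    dst, rest = _addr(rest)
    dport = None                             # a trailing 'log' keyword is ignored
    if rest and rest[0] == "eq":
        dport = SERVICES.get(rest[1]) or int(rest[1])
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if (ace["proto"] == proto and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"] and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

def check_flows(acl):
    """CAPWAP control to the ap-manager, a DHCP DISCOVER, and a unicast DHCP renew."""
    return {"capwap_control": evaluate(acl, "udp", AP, APMGR1, 5246),
            "dhcp_discover": evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 67),
            "dhcp_renew": evaluate(acl, "udp", AP, GATEWAY, 67)}

ORIGINAL_ACL = [parse_ace(l) for l in ORIGINAL_ACL_TEXT.strip().splitlines()]
FIXED_ACL = ORIGINAL_ACL + [parse_ace(ADDED_ACE)]
print("original:", check_flows(ORIGINAL_ACL), "\nwith added ACE:", check_flows(FIXED_ACL))
```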
07-09-2012 02:12 AM
Sorry to hear that you were sick. I hope you fully recovered now.
Now I will always remember: security comes with a cost.
I agree. Painful cost sometimes.