03-23-2012 04:25 PM - edited 07-03-2021 09:51 PM
Hi
I have 5508 WLCs (running 7.2) in separate buildings. I have created ACLs on both controllers and the only thing that is failing is the Mobility Control function. The ACL on WLC B is exactly the same except with some IPs being reversed. I have allowed EoIP and Mobility traffic on both controllers. The data path is fine but the control path shows as down. I apologize in advance if I have been too vague. Any help would be appreciated.
Thank You
Bill
03-23-2012 04:31 PM
So if you remove the WLC ACLs, does the mobility come up? I never use the WLC ACLs unless I need to because of pre-auth requirements.
Thanks,
Scott Fella
Sent from my iPhone
03-23-2012 04:34 PM
Yes. It even comes up if I remove the ACL off one. Once I add it back, down she goes. No rhyme or reason at this point. :-)
03-23-2012 04:41 PM
So does eping and mping fail? Can you post your acl?
Thanks,
Scott Fella
Sent from my iPhone
03-23-2012 04:43 PM
eping passes, mping fails. I will be back at their office tomorrow. I will get it and post.
Thanks
03-23-2012 05:05 PM
Okay. Just wanted to see if you either allow everything between the WLCs or, if not, you have UDP 16666 open between the two.
Thanks,
Scott Fella
Sent from my iPhone
03-24-2012 01:51 AM
Can you post your ACL?
03-24-2012 07:12 AM
03-24-2012 08:59 AM
Well, for mping that is UDP 16666/16667. So in your rule you should have something like this:
17 16666-16666 16666-16666 Any Permit
17 16667-16667 16667-16667 Any Permit
What is the IP of the WLCs? Your counters are all zero also.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t4
Take a look at your show rules output without the ACL and then with the ACL.
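As an added illustration of Scott's point (not code from the thread), here is a small Python model of a WLC-style CPU ACL: it shows why eping (EoIP, IP protocol 97) passes while mping (UDP 16666/16667) hits the implicit deny until the two lines quoted above are added. The addresses and the simplified rule format are assumptions, not the real controller configuration.

```python
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for protocol, address or port range

def rule(proto, src, dst, sport, dport, action):
    """Simplified WLC-style ACL line. proto is an IP protocol number or ANY,
    src/dst are CIDR strings or ANY, sport/dport are (low, high) or ANY.
    A real WLC rule also carries a direction and DSCP field, omitted here."""
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "action": action}

def _in_net(net, addr):
    return net == ANY or ip_address(addr) in ip_network(net)

def _in_range(rng, port):
    return rng == ANY or (port is not None and rng[0] <= port <= rng[1])

def evaluate(acl, pkt):
    """First matching line wins; the WLC applies an implicit deny at the end."""
    for r in acl:
        if (r["proto"] in (ANY, pkt["proto"])
                and _in_net(r["src"], pkt["src"]) and _in_net(r["dst"], pkt["dst"])
                and _in_range(r["sport"], pkt.get("sport"))
                and _in_range(r["dport"], pkt.get("dport"))):
            return r["action"]
    return "deny"

# Constructed placeholder addresses: WLC A, WLC B and the management subnet.
WLC_A, WLC_B, MGMT_NET = "10.1.1.10", "10.2.1.10", "10.1.1.0/24"

# CPU ACL that permits EoIP (protocol 97) and HTTPS from management, nothing else.
ACL_BROKEN = [
    rule(97, ANY, ANY, ANY, ANY, "permit"),             # data path (eping)
    rule(6, MGMT_NET, ANY, ANY, (443, 443), "permit"),  # HTTPS from mgmt only
]

# Same ACL plus the two mobility-control lines Scott quoted (UDP 16666/16667).
ACL_FIXED = ACL_BROKEN + [
    rule(17, ANY, ANY, (16666, 16666), (16666, 16666), "permit"),
    rule(17, ANY, ANY, (16667, 16667), (16667, 16667), "permit"),
]

def mobility_checks(acl):
    """(eping, mping) verdicts for control traffic from WLC B to WLC A."""
    eping = {"proto": 97, "src": WLC_B, "dst": WLC_A}
    mping = {"proto": 17, "src": WLC_B, "dst": WLC_A, "sport": 16666, "dport": 16666}
    return evaluate(acl, eping), evaluate(acl, mping)
```

With ACL_BROKEN the model returns ("permit", "deny"), matching the symptom in the thread (eping up, mping down); with ACL_FIXED both pass while HTTPS from outside the management subnet is still dropped.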
03-24-2012 10:12 AM
For my info .. is this ACL on the CPU or the WLAN?
03-24-2012 12:47 PM
Hey George, I have it attached to the CPU.
03-24-2012 12:53 PM
Bill,
What is the purpose of the ACL? CPU ACLs are more for WLC management ...
03-24-2012 12:59 PM
George
The Customer wanted to limit who has access to go into the WLC and make changes. They asked an ACL be placed on the WLC to do this.
Thanks
Bill
03-24-2012 03:12 PM
Well, why not just do a deny for http/https/telnet/ssh from the other subnets and then just permit any any. Not a big fan, and I always tell my clients that it is best to place the ACL on the L3.
Thanks,
Scott Fella
Sent from my iPhone
03-24-2012 03:30 PM
+5 Scott ...
I try and persuade my customers to do the same. I am deploying ISE and playing with ACLs on the WLC. I plan to move them to the wired ..