WLC access to specific IP

ahmed.gadi
Level 1

Hi all,

How can I allow some IPs to access the HTTPS management of the Cisco WLC and restrict others?

Can I make use of the Access-list option under the AAA menu of the WLC? Any input is highly appreciated.

Thanks & Regards

Ahmed...

15 Replies

Surendra BG
Cisco Employee

Hi,

Yes, you are right. Either WLC ACLs will help you or a normal ACL on the router will do this.

Let me know if this answered your question!!

Regards

Surendra

Regards
Surendra BG

I tried an ACL on the interface VLAN but it didn't work.

My config is

ip access-list extended WLC_ACCESS
 permit tcp host 10.0.0.25 host 10.0.26.10 eq 443
 permit tcp host 10.0.0.26 host 10.0.26.10 eq 443
 deny tcp 10.0.0.0 0.0.0.255 host 10.0.26.10 eq 443

interface vlan 26
 ip access-group WLC_ACCESS in

The IP address of the WLC is 10.0.26.10 in VLAN 26.

Still I can access the WLC from all machines in the 10.0.0.0/24 network and cannot see any hits on the WLC_ACCESS entries.

Regards

Ahmed

Hi,

Please disable or uncheck "Management Via Wireless" under the Management tab and see if you are able to access.

Regards

Surendra


Hi,

It's already disabled, and one more thing: I am accessing through a wired connection, not wireless.

What is a wireless client? Is it an application or a normal PC connected via wireless?

Regards

Ahmed...

A normal PC connected via wireless.

Regards

Surendra


Many thanks.

Can you please help about accessibility of the WLC using an ACL?

Regards

Ahmed...

I think you can post the question on the Routing Platform!!

Regards

Surendra


Okay.

But I am going through some WLC documentation.

Document ID: 81733

Before WLC version 4.0, ACLs are bypassed on the Management Interface, so you cannot affect traffic destined to the Management Interface. After WLC version 4.0, you can create CPU ACLs. Refer to Configure CPU ACLs for more information on how to configure this type of ACL.

Note:

ACLs applied to the Management and AP-Manager Interfaces are ignored. ACLs on the WLC are designed to block traffic between the wireless and wired network, not the wired network and the WLC. Therefore, if you want to prevent APs in certain subnets from communicating with the WLC entirely, you need to apply an access list on your intermediate switches or router. This will block LWAPP traffic from those APs (VLANs) to the WLC.

So according to this statement, my ACL applied on the interface VLAN should work, right?

Please help, and if you really think I should post it under Routing, I will do it.

Regards

Ahmed...

interface vlan 26
 ip access-group WLC_ACCESS in

Try

 ip access-group WLC_ACCESS out

Hi,

How will it help me?

Do you mean it will see traffic while going back from the WLC VLAN towards the wired VLANs?

Regards

Ahmed...

No, I had some work to do with access lists for SVIs; after a number of tests it looked like the ACL for an SVI worked vice versa in respect of traffic flow compared to a physical port.

Okay, then let me try your suggestion. I will update once I apply it.

Thanks for your suggestion.

If it doesn't help, try applying the ACL to the 10.0.0.0 VLAN interface but with the IN statement.

In case you apply this ACL to VLAN 10.0.0.0, don't forget to add permit ip any any as the last statement to permit all other traffic.
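Added example (not from this thread or from Cisco): a small model of how an extended ACL is consulted on an SVI, using the WLC_ACCESS list posted above. It assumes the standard Cisco SVI semantics, where an "in" ACL is evaluated on packets arriving from hosts in that VLAN and an "out" ACL on packets the router forwards into that VLAN, and the thread's addresses (clients in 10.0.0.0/24, WLC at 10.0.26.10 in VLAN 26). It reproduces the three situations discussed: no hits with the ACL inbound on vlan 26, the intended filtering with it outbound on vlan 26 or inbound on the client VLAN, and the collateral implicit deny when permit ip any any is missing on the client VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the thread's setup (not IOS or WLC code). Assumption:
# an "in" ACL on an SVI sees packets coming from hosts in that VLAN, an "out"
# ACL sees packets the router forwards into that VLAN.
WLC = "10.0.26.10"
VLAN_CLIENTS = ipaddress.ip_network("10.0.0.0/24")
VLAN_26 = ipaddress.ip_network("10.0.26.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp" or "ip"
    src: ipaddress.IPv4Network     # ip_network("a.b.c.d") is a /32 host entry
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None = any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto) and src in self.src
                and dst in self.dst and self.dport in (None, dport))

def acl_decision(acl, proto, src, dst, dport):
    """First matching ACE wins; no match falls to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"

def forward(acl, vlan, direction, proto, src, dst, dport=None):
    """Outcome when acl is applied <direction> on vlan's SVI. If the packet never
    crosses the SVI in that direction the ACL is not consulted (no hit counters)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    consulted = (direction == "in" and s in vlan) or (direction == "out" and d in vlan)
    return acl_decision(acl, proto, src, dst, dport) if consulted else "permit"

# The ACL exactly as posted in the thread (no permit ip any any at the end).
WLC_ACCESS = [
    Ace("permit", "tcp", ipaddress.ip_network("10.0.0.25"), ipaddress.ip_network(WLC), 443),
    Ace("permit", "tcp", ipaddress.ip_network("10.0.0.26"), ipaddress.ip_network(WLC), 443),
    Ace("deny", "tcp", VLAN_CLIENTS, ipaddress.ip_network(WLC), 443),
]
# The last reply's variant for the client VLAN: everything else keeps flowing.
WLC_ACCESS_ANY = WLC_ACCESS + [Ace("permit", "ip", ANY, ANY)]
```

forward(WLC_ACCESS, VLAN_26, "in", "tcp", "10.0.0.100", WLC, 443) returns "permit" because a packet from 10.0.0.100 never enters the router from VLAN 26, which is exactly the "no hits" symptom; the same call with "out" returns "deny".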
