
Wlc and acl

susim
Level 3

Hi,

 

ACL in Wireless Controller vs ACL

What is the recommended practice: applying an ACL on the interface VLAN, or an ACL inside the WLC?

What are the merits and demerits of applying an ACL in the WLC over

 

Thank you 

10 Replies

Leo Laohoo
Hall of Fame
What is the recommended practice, applying acl on interface vlan or acl inside the WLC

The recommended "best practice" is to stick the ACL nearest to the core switch AND keep ACL away from the WLC.  

Thanks Leo

The recommended "best practice" is to stick the ACL nearest to the core switch AND keep ACL away from the WLC.  

 

If that is the case, what is the purpose of the ACL in the WLC?

Thanks

My 2 cents: keep the ACL as close to the edge as possible so the traffic doesn't drive across the network just to get dropped.

However, the ACL on the WLC is beyond normal reasoning. In some cases you need to have an ACL in both directions to allow traffic to pass. You also have a hard limitation of 66 ACL lines or some number close to it.

In my case I avoid the ACLs on the controller and place them on the upstream switch the controller plugs into. I do however use an ACL on the controller to block WLC management traffic.

 

HTH 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks George,

For the number 66 ACL lines

"I do however use an acl on the controller to block WLC management traffic."

Why, and what is the benefit?

If that is the case, what is the purpose of acl in WLC

ACL function in the WLC is an OPTIONAL feature. It has its uses, but due to the limitation of what the WLC ACL can/can't do it's really difficult to justify sticking an ACL in the WLC.

Hi,

core---distribution--access

If I keep the WLC at the access layer, would it be a bad idea? (The WLC and access points are in the same subnet.) The SSIDs are on different VLANs at the same access layer.

Would it be better if I keep it in the core?

Can you give just an overview of how a client associates to an AP and WLC, and how the traffic flows to the distribution layer?

The one below would be a dumb question: if the best practice is to drop the traffic at the nearest point, the nearest place must be at the WLC?

Thanks

If I keep wlc at access layer, would it be bad idea?

Very bad idea.  WLC is designed to be in a core network.  WLC is also suitable for distro but it is very, very rare to find a WLC in the access layer.  

 

 

Hi

Thanks Leo. Is it OK to place the AP and controller in the same VLAN?

What would be the benefits and drawbacks?

Is it ok placing the AP and controller in the same vlan?

What would be the benefit and drawbacks

Depends on the size and shape of the network. 

 

For lab purposes, this is fine. 

 

If you're going to connect multiple sites or buildings over a Layer 3 network, the WLC should "live" in the core network. 

Hi,

 

Here is the setup:

WLC IP: 10.0.50.10/24
AP: 10.0.50.x (same subnet)

Client: 10.0.x.x/24

The client is redirected to ISE for authentication once they have connected.
Of course, the client cannot browse unless they have authenticated.
The problem is that before authentication the client can see whether a port is open or not.
How can I solve this issue? Will putting an ACL on the WLC solve this issue, or is there something I am missing?

On the client VLAN I have an access list,
but there is no access list on the AP and WLC VLAN.

Please help

 
