ACLs on WLC


ACLs can be configured on the WLC. Notice that these ACLs are different then Router ACL.
Now it’s also possible to have ACLs on management interfaces.
– You can’t block the virtual ip addresses and hence the DHCP packets.
– Controller ACLs can’t block multicast and broadcast because they are forwarded at the management interfaces
– The ACL is applied for in- and outgoing traffic. But it’s not statefull. If you forget a hole for the returning traffic, it’s not working.
– You can only block IP traffic.
– The masks of the ACL are not wildmasks but normal masks.
– The ACLs do have an impact of the performance of the WLC.

The direction of the ACL must be seen from the WLC and NOT the Wireless client.

You can configure the ACL with the GUI (Security / Access Lists).
Here’s we’re denying http traffic to 192.168.2.254 :

acl counter start
acl create ACL_LAB
acl rule add ACL_LAB 1
acl rule action ACL_LAB 1 deny
acl rule destination address ACL_LAB 1 192.168.2.254 255.255.255.255
acl rule destination port range ACL_LAB 1 80 80
acl rule source address ACL_LAB 1 0.0.0.0 0.0.0.0
acl rule source port range ACL_LAB 1 0 65535
acl rule direction ACL_LAB 1 Out
acl rule dscp ACL_LAB 1 Any
acl rule protocol ACL_LAB 1 6
acl apply ACL_LAB

And bind the ACL to an interface :
interface acl vlan11 ACL_LAB

CPU ACLs are beeing used to controler LWAPP traffic.

(Cisco Controller) >show acl summary

ACL Counter Status Enabled
—————————————-
ACL Name Applied
——————————– ——-
ACL_LAB Yes

(Cisco Controller) >show acl detailed ACL_LAB

Source Destination Source Port Dest Port
I Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
— — ——————————- ——————————- —- ———– ———– —- —— ———–
1 Out 0.0.0.0/0.0.0.0 192.168.2.254/255.255.255.255 6 0-65535 80-80 Any Deny 0

DenyCounter : 0

(Cisco Controller) >show acl cpu

CPU Acl Name………………………….. NOT CONFIGURED
Wireless Traffic………………………. Disabled
Wired Traffic…………………………. Disabled

(Cisco Controller) >

About Joost van der Made

Me

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: