ACLs on WLC
ACLs can be configured on the WLC. Note that these ACLs are different from router ACLs.
It is now also possible to apply ACLs on the management interface.
– You can’t block the virtual IP address, and hence you can’t block DHCP packets.
– Controller ACLs can’t block multicast and broadcast traffic, because it is forwarded at the management interface.
– The ACL is applied to both incoming and outgoing traffic, but it is not stateful: if you forget to open a hole for the returning traffic, the connection won’t work.
– You can only block IP traffic.
– The masks in the ACL are normal subnet masks, not wildcard masks.
– ACLs have an impact on the performance of the WLC.
The direction of the ACL must be seen from the WLC, NOT from the wireless client.
You can configure the ACL with the GUI (Security / Access Lists).
Here we’re denying HTTP traffic to 192.168.2.254:
acl counter start
acl create ACL_LAB
acl rule add ACL_LAB 1
acl rule action ACL_LAB 1 deny
acl rule destination address ACL_LAB 1 192.168.2.254 255.255.255.255
acl rule destination port range ACL_LAB 1 80 80
acl rule source address ACL_LAB 1 0.0.0.0 0.0.0.0
acl rule source port range ACL_LAB 1 0 65535
acl rule direction ACL_LAB 1 Out
acl rule dscp ACL_LAB 1 Any
acl rule protocol ACL_LAB 1 6
acl apply ACL_LAB
Then bind the ACL to an interface (here the interface vlan11):
interface acl vlan11 ACL_LAB
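To make the stateless, first-match behaviour of such a rule set concrete, here is an added Python model of the ACL evaluation (example code written for this page, not Cisco's code and not the original post's). It assumes first-match evaluation ending in an implicit deny (the DenyCounter line in show acl detailed) and follows the page's use of direction Out for traffic toward 192.168.2.254; the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_NET = "0.0.0.0 0.0.0.0"      # address + normal mask, as the WLC CLI expects
ANY_PORTS = (0, 65535)

@dataclass
class Rule:
    """One WLC ACL rule, with the same fields as the 'acl rule ...' commands."""
    index: int
    direction: str                 # "In", "Out" or "Any", seen from the WLC
    src: str                       # "address mask" (normal mask, not wildcard)
    dst: str
    protocol: Optional[int]        # IP protocol number, None = any
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    action: str                    # "permit" or "deny"

def _in_net(ip: str, addr_mask: str) -> bool:
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def evaluate(acl, pkt):
    """Stateless first-match evaluation. A packet matching no rule falls into the
    assumed implicit deny. Returns (action, index of the matching rule or None)."""
    for r in sorted(acl, key=lambda r: r.index):
        if r.direction not in ("Any", pkt["dir"]) or r.protocol not in (None, pkt["proto"]):
            continue
        if not (_in_net(pkt["src"], r.src) and _in_net(pkt["dst"], r.dst)):
            continue
        if not (r.src_ports[0] <= pkt["sport"] <= r.src_ports[1]
                and r.dst_ports[0] <= pkt["dport"] <= r.dst_ports[1]):
            continue
        return r.action, r.index
    return "deny", None

def pkt(direction, src, sport, dst, dport, proto=6):
    """Constructed sample packet header (TCP by default)."""
    return {"dir": direction, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Rule 1 exactly as configured above: deny TCP/80 to 192.168.2.254, direction Out.
DENY_HTTP = Rule(1, "Out", ANY_NET, "192.168.2.254 255.255.255.255", 6, ANY_PORTS, (80, 80), "deny")

def acl_as_on_page():
    return [DENY_HTTP]                     # everything else hits the implicit deny

def acl_forward_only():
    """Permit added for Out only: returning traffic (In) still hits the implicit deny."""
    return [DENY_HTTP, Rule(2, "Out", ANY_NET, ANY_NET, None, ANY_PORTS, ANY_PORTS, "permit")]

def acl_both_directions():
    return acl_forward_only() + [Rule(3, "In", ANY_NET, ANY_NET, None, ANY_PORTS, ANY_PORTS, "permit")]
```

With the single deny rule alone, even SSH to 192.168.2.254 is dropped by the implicit deny; with a permit for Out only, the SYN leaves but the server's reply is dropped, which is the "hole for the returning traffic" pitfall.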
CPU ACLs are used to control LWAPP traffic destined to the controller itself.
(Cisco Controller) >show acl summary
ACL Counter Status Enabled
ACL Name Applied
(Cisco Controller) >show acl detailed ACL_LAB
Source Destination Source Port Dest Port
I Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
-- --- ----------------------------- ----------------------------- ---- ----------- ----------- ---- ------ -----------
1 Out 0.0.0.0/0.0.0.0 192.168.2.254/255.255.255.255 6 0-65535 80-80 Any Deny 0
DenyCounter : 0
(Cisco Controller) >show acl cpu
CPU Acl Name………………………….. NOT CONFIGURED
Wireless Traffic………………………. Disabled
Wired Traffic…………………………. Disabled
(Cisco Controller) >