WLC ACLs - applied to CPU, management, ap-manager

I'm trying to understand the difference between applying an ACL to the CPU or the management i/f or the ap-manager i/f.

It seems to me that the latter 2 are software interfaces and therefore all traffic to & from them goes via the CPU, right?

So what's the difference between applying an ACL to one of these 2 interfaces or to the CPU?

I can't find the answer to this in any Cisco doco.

E.g. say I wanted part of an ingress ACL (to WLC from outside) to match source port = RADIUS.

What difference would it make if I applied this to the CPU or to the Management i/f?

Regards, MH

7 Replies

ankbhasi
Cisco Employee

Hi MH,

Basically, if you want to restrict some traffic which is destined to the controller, then you need to apply a CPU ACL, like restricting telnet access to the controller, restricting SNMP traffic to the controller, restricting HTTP access, or restricting LWAPP traffic to the controller.

But if you want to restrict or permit some traffic which moves across the controller, like restricting telnet access to some other router beyond the controller or restricting ICMP traffic from one client to another, you need to apply the ACLs on a particular interface like management or any dynamic interface.

After ACLs are configured on the controller, they can be applied to the management interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients, OR to the controller central processing unit (CPU) to control all traffic destined for the CPU.

Please come back if you have any doubts.

HTH

Ankur

*Pls rate all helpful posts
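As an added example (not part of this thread and not taken from Cisco documentation), here is the RADIUS source-port rule from the question written in AireOS CLI syntax and then applied the two ways discussed above, so the difference is visible in the commands rather than only in prose. Everything in it is assumed: the ACL name RADIUS-IN, the RADIUS server 10.1.1.10, the controller management address 10.1.1.5 and the admin workstation 10.1.1.20. Lines beginning with `!` are explanatory notes for the reader, not commands the controller accepts. The exact form of `config acl cpu` differs between AireOS releases, so check `config acl cpu ?` before pasting.

```text
! Added example; names and addresses are assumed, not from the thread.
!   10.1.1.10 = RADIUS server      10.1.1.5 = WLC management address
!   10.1.1.20 = admin workstation  RADIUS-IN = ACL name (assumed)
!
! 1. Build the ACL. Protocol 17 = UDP; 1812-1813 = RADIUS auth/acct.
config acl create RADIUS-IN
config acl rule add RADIUS-IN 1
config acl rule action RADIUS-IN 1 permit
config acl rule protocol RADIUS-IN 1 17
config acl rule source address RADIUS-IN 1 10.1.1.10 255.255.255.255
config acl rule source port range RADIUS-IN 1 1812 1813
config acl rule destination address RADIUS-IN 1 10.1.1.5 255.255.255.255
config acl rule direction RADIUS-IN 1 in
!
! AireOS ACLs end in an implicit deny. As a CPU ACL, rule 1 alone would
! also drop your own SSH/SNMP/HTTPS sessions, so permit the admin host.
config acl rule add RADIUS-IN 2
config acl rule action RADIUS-IN 2 permit
config acl rule protocol RADIUS-IN 2 any
config acl rule source address RADIUS-IN 2 10.1.1.20 255.255.255.255
config acl rule direction RADIUS-IN 2 any
config acl apply RADIUS-IN
!
! 2a. Apply as the CPU ACL: filters traffic that terminates on the
!     controller itself (RADIUS replies, SSH, SNMP, LWAPP control).
!     LWAPP-era releases append a wired|wireless|both keyword; later
!     releases take only the ACL name. Verify with: config acl cpu ?
config acl cpu RADIUS-IN
!
! 2b. Apply to the management interface instead: this filters the data
!     traffic of wireless clients whose WLAN is mapped to the management
!     interface. It does NOT filter the controller's own RADIUS/SSH/SNMP.
config interface acl management RADIUS-IN
!
! 3. Verify which ACL ended up where.
show acl detailed RADIUS-IN
show acl cpu
show interface detailed management
```

The practical test that tells the two apart: with the ACL on the CPU and rule 2 removed, an SSH session from any host other than the RADIUS server is dropped; with the same ACL on the management interface, SSH to the controller still works and only clients on a management-mapped WLAN are affected.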

Hi Ankur,

Thanks for your answer. I'm having difficulty with this part of what you said:

"BUt if you want to restrict or permit some traffic which move across controller like restricting telnet access to some other router beyond controller or restricting icmp traffic from one client to another you need to apply the ACLs on particular interface like management or any dynamic interface."

I would understand it if you were only referring to dynamic interfaces, but I don't understand this explanation when applied to the management interface.

As far as I understand it there is no traffic which ***transits*** the management interface. From what I've observed with wireshark and from cisco doco this traffic is sourced/sunk at the management interface,

- some (not all) LWAPP tunnel traffic to & from the APs

- SNMP

- syslog

- ssh (telnet not enabled by default)

- TACACS

- RADIUS

Is this correct?

Are you saying that "icmp traffic from one client to another" goes through the management interface?

Regards, MH

Hi MH,

What I meant was, if you have any SSID/WLAN mapped to the management interface and you have active clients on that WLAN who get their IP address in the management subnet and want to access some resources for which traffic needs to move across the controller, you can apply an ACL on the management interface also to restrict that traffic.

HTH

Ankur

*Pls rate all helpful posts

Thanks - I understand.

However, I don't understand why the WLAN would be mapped to the mgmt i/f and not a dynamic interface.

Could you please help with this?

(A while back, using WCS, I configured a WLAN to be associated with mgmt i/f & used AP Groups but I understand that the Dyn. i/f associated with the AP-Group/SSID, over-rides the mgmt i/f assoc. with the WLAN. Hence client traffic transits the Dyn. i/f, not the mgmt i/f, right?)

Regards, MH

Hi MH,

Every network has its own design and requirements. There are many small networks which keep management of devices and network data on the same VLAN and interface instead of creating multiple interfaces, one specifically for management purposes and one for data.

So some small networks create the management interface, as it is a mandatory controller configuration, and then map the same interface to the WLAN for wireless clients, and clients get an IP address in whatever VLAN the management interface is configured with.

You are right in your AP Group understanding. So, taking your example, if you do not configure an AP Group and override the management interface mapping on the WLAN, then what will happen is the client will get associated to the WLAN which is mapped to the management interface and will get an IP address in the subnet which belongs to the management interface.

Hope I am able to make my views clear. Please come back if you have any doubts.

Regards,

Ankur

*Pls rate all helpful posts

Hi Ankur,

I really appreciate your patience here because this is really clearing up a few loose ends of my understanding.

Why put ACL on AP-Manager interface?

The only reason I can think of is for DoS mitigation, e.g. an ACL which only permits traffic to & from AP subnets and to & from the 2 LWAPP UDP ports.

Any other reason for ACL on AP-Manager i/f?

Regards, MH

Hi MH,

You are most welcome. You are right in your understanding of applying ACLs on AP-Manager interface. It is just to block traffic between AP and ap-manager.

You can also get the same functionality using CPU ACLs, but the benefit of a CPU ACL is that it gives you more restriction, including on traffic destined to the controller's management interfaces which hits the CPU.

HTH

Ankur

*Pls rate all helpful posts
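As an added example (not part of this thread), here is the ap-manager ACL MH describes two posts up: permit only the AP subnet, and only the two LWAPP UDP ports, in both directions, everything else falling to the implicit deny. The ACL name AP-MGR-LWAPP, the AP subnet 10.2.0.0/24 and the ap-manager address 10.1.1.6 are assumed. The port numbers are LWAPP's: 12222 (data) and 12223 (control). Lines beginning with `!` are notes, not controller commands.

```text
! Added example; names and addresses are assumed, not from the thread.
!   10.2.0.0/24 = AP subnet     10.1.1.6 = WLC ap-manager address
!   Protocol 17 = UDP; 12222 = LWAPP data, 12223 = LWAPP control
!
! Rule 1: APs -> ap-manager (join requests, tunnelled client traffic)
config acl create AP-MGR-LWAPP
config acl rule add AP-MGR-LWAPP 1
config acl rule action AP-MGR-LWAPP 1 permit
config acl rule protocol AP-MGR-LWAPP 1 17
config acl rule source address AP-MGR-LWAPP 1 10.2.0.0 255.255.255.0
config acl rule destination address AP-MGR-LWAPP 1 10.1.1.6 255.255.255.255
config acl rule destination port range AP-MGR-LWAPP 1 12222 12223
config acl rule direction AP-MGR-LWAPP 1 in
!
! Rule 2: ap-manager -> APs (the return direction of the same tunnel)
config acl rule add AP-MGR-LWAPP 2
config acl rule action AP-MGR-LWAPP 2 permit
config acl rule protocol AP-MGR-LWAPP 2 17
config acl rule source address AP-MGR-LWAPP 2 10.1.1.6 255.255.255.255
config acl rule source port range AP-MGR-LWAPP 2 12222 12223
config acl rule destination address AP-MGR-LWAPP 2 10.2.0.0 255.255.255.0
config acl rule direction AP-MGR-LWAPP 2 out
!
! Everything not matched above is dropped by the implicit deny.
config acl apply AP-MGR-LWAPP
config interface acl ap-manager AP-MGR-LWAPP
!
! Verify, then watch "show ap join stats summary all" for APs that
! sit on a subnet you forgot to permit.
show acl detailed AP-MGR-LWAPP
show interface detailed ap-manager
```

Two things to keep in mind before relying on this: APs on any subnet not listed in rule 1 will discover the controller (discovery goes to the management interface) but never complete the join, so every new AP subnet means an ACL change; and the same filtering could be expressed as part of the CPU ACL, as Ankur notes, with the difference that the CPU ACL also covers the management interface and so needs its own permit rules for SSH, SNMP and RADIUS.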
