Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
1
Replies

Traffic getting blocked after applying ACL on Cisco WLC 2504

netteam
Level 1
Level 1

‎11-03-2014 06:51 AM - edited ‎07-05-2021 01:51 AM

Hello all, I have a cisco wireless controller 2504 running a guest wifi network and an internal wifi network.  My access points are cisco air cap 2702.  We have users authenticating to our radius server using 802.1x for internal network and browser login authentication for the guest network.

Just for info, our wireless controller is running software version 8.0.100.0

Everything has been running smoothly, until we wanted to apply an access list to the internal lan network. Once we apply the access list, our wireless client lose internet connectivity.  I can authenticate to the wireless controller, and can ping internal addresses of host on our network, but am unable to access any web pages.  I can ping websites by ip address but not by domain name.  I try to visit web pages by ip address and by web address but cannot reach the page.  Not only web browsing is limited.  I have a rule to explicitly allow remote desktop to a particular server, but I am unable to remote connect.  Everything gets resolved once the access control list is removed.

 

I have attached a screenshot of my rules so that you can review and notify if I am missing  something.  Thank you for any help in advance.

 

Labels:
0 Helpful
1 Reply 1

nspasov
Cisco Employee
Cisco Employee

‎11-09-2014 02:00 PM

One thing you need to be aware of is that ACLs on the WLCs are not reflexive. You must explicitly allow the type of traffic in both directions. So if you are permitting anything to anything to destination UDP 69, then you would need to permit anything to anything with source UDP 69 to any destination UDP. You would have to do this for the rest of your flows. I hope this makes sense. 

To make things simpler you can do an easier ACL where you would:

1. Permit all sources to all destinations on all ports and protocol "outbound" direction only 

2. Permit all sources to any (if needed) internal destinations on the specific ports and protocols "inbound" direction only

3. Block all sources to all RFC 1918 on all ports and protocols "inbound" direction only

4. Permit all sources to all destinations on all ports and protocols

 

Thank you for rating helpful posts! 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card