×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Access Control List in a Wireless LAN Controller

Document

Thu, 05/29/2014 - 13:51
May 29th, 2014
User Badges:
  • Cisco Employee,

Template sentence that one must be able to fill-in, for both directions, before even trying to configure a WLC-ACL:

For a given direction
----------------------

"
An attempt

(a) should be denied/blocked

(b) from whom ?
(c) in which network?

(d) to   whom ?
(e) in which network?

(f) for what (to ping or what )

(g) while going towards which direction (wired or wireless) w.r.t WLC

"

For the opposite direction
--------------------------

"
An attempt

(a) should be denied/blocked

(b) from whom ?
(c) in which network?

(d) to   whom ?
(e) in which network?

(f) for what (to ping or what )

(g) while going towards which direction (wired or wireless) w.r.t WLC

"
==================================================================================
Every WLC-ACL should answer three queries about the Interesting Traffic:
- what to do for the inbound traffic ?
- what to do for the outbound traffic ?
- what to do for the concept of Implicit Deny All, which is at the end of each ACL

To understand this, lets read the following:

==================================================================================

[?] What are ACLs ?
[=]
-WLC ACLs can be used to permit/allow/accept or deny/block/reject traffic at layer 4 (ports) or at layer 3 (ip addresses) between either specific host(s)/subnet(s) . Should note that Ports can either be named or numbered.
-WLC ACLs can be used to focus at (1)unicast (2)non-DHCP (3)IP traffic

[?] what kind of ACLs ?
[=]

if ( ACL : Interface | CPU )  {

Per WLAN ACL will override the interface ACL

}

[?] For which scenarios, can we use WLC ACLs ?
[=]
FlexConnect
Web Authentication

------------
Direction is w.r.t  the WLC :

'in' bound IP Packets destined 'in' -bound, towards the Wireless LAN Controller (sourced from the wireless client        )
'out'bound IP Packets destined 'out'-bound, towards the wireless client         (sourced from the Wireless LAN Controller)    

[ACLs are designed from the destination's perspective]

It means:

W/l client  TO   AP          : INBOUND
AP          TO   W/l client  : OUTBOUND


In other words,

if ACL is focussing at the traffic, going INside  the wired network, the ACL must have the direction IN    bound (from the client to the WLC)
if ACL is focussing at the traffic, going OUTside the wired network, the ACL must have the direction OUTbound (from the WLC to the client)

It is for this reason that, to configure WLC-ACLs,
if we          make an ACL in IN     bound direction, for a               specific traffic,
   we must make an ACL in OUTbound direction, for that same specific traffic.

Also, since we have a 'deny all' at the end of a given ACL, we need to permit the traffic-flow (in both directions)

So,
Direction of Normal     ACLs:
------------------------
Ingress : AP        >----any data-----> Switch
Egress  : Switch->----any data-----> AP

 

Direction of FlexConnect ACLs:(just the opposite)
------------------------
Egress : AP     >----any data-----> Switch
Ingress: Switch->----any data-----> AP

 Flexconnect ACL those would be applied until the client is authenticated.

------------------------    

[?]
Example 1: How to ensure that 10.10.14.0/24  (wireless client's subnet) should not able to ping 10.10.205.20 (a host) but any other network
((( say (192.168.1.0/24) (wired) )))

(So, in this case, the specific traffic is between the wireless network and the wired host)
(So, we will have to make ACL for INbound and OUTbound traffic for this interesting traffic)

[=]

(

Ping is a two step process.
We send Echo Request and expect "Echo Response"/Reply.

Having said that,
if we ensure , we do not get Echo Response/Reply, ping won't work (this is what we want)

)
                                                                                 
[ Hint 1: Echo "Response packet" should not be able to travel from  

(  Wired  )     to     ( Wireless ) ]

[ Hint 2: This command should give RTO messages ---------->   ping      10.10.14.x      source   WiredVLAN  ]

[ Hint 3: This command should give RTO messages ---------->   ping      10.10.14.'10'   source   'lo'0      ]
       

where,
10.10.14.'10' is an ip address of a host        in the wireless network
'lo'0         is a loopback interface representing the wired    network        

------------------------

For IN   bound  direction: (while going inside the wired network)

Step One   : "Wireless clients should not be able to ping the specific host "
Step Two   : "Wireless clients should     be able to ping all of the rest   "


For OUTbound direction: (while going outside the wired network)

Step Three : "Anyone from any network should be able to ping to anyone in the wireless network"

 


To configure the ACL, lets go through the following steps:

Step One
========

Please find the image attached, where is shown the ACL in GUI, and read the following in the order as listed to make sense of the WLC ACL:

"
An attempt

(1)

(a) should be denied/blocked
(b) from anyone
(c) from the wireless network
(d) to the wired host
(e) to ping
(f) while going towards the wired network (inbound towards WLC)

"


------------------------------------------------------------------------------------------------------------------------------------------------------------

Step Two
=========
Since, any Deny should be followed by Permit statement (because, if do not do so, everything else also gets denied, due to the implicit 'deny all' concept),
Hence, we need to ensure that rest of subsequent traffic must be allowed/permitted.

All rest of the attempts

(2)

(a) should be permitted/allowed

(b) from anyone
(c) from the wireless network

(d) to   anyone
(e) of   any          network

(f) to ping

(g) while going towards the wired network (inbound towards WLC)
    

------------------------------------------------------------------------------------------------------------------------------------------------------------

Step Three
==========

An attempt

(3)

(a) should be permitted/allowed
 
(b) from anyone
(c) from any          network

(d) to   anyone
(e) in   the wireless network

(f) to ping
(g) while going outside the wired network (outbound from WLC)

------------------------------------------------------------------------------------------------------------------------------------------------------------


Step Four
==========

We are now just left to implement the concept of Implicit Deny All (as mentioned at the beginning of the document).

An attempt

(4)

(a) should be permitted/allowed

(b) from anyone
(c) from any          network

(d) to   anyone
(e) in   any          network

(f) to ping
(g) while going in ANY direction (be it INbound or OUTbound w.r.t the WLC)

------------------------

 

Please find the jpeg image attached to this post which has the implementation of all the four steps , and the alphabetized sub-steps within each of the four steps,  as outlined in the document.

Loading.

Actions

This Document