Help understanding differences of ACLs on 2106 vs ACLs on 4506

Hello,

I have a 2106 WLC and 2 LAP1142N APs, both connect to a 4506. I have 2 WLANs set up (typical corporate/guest setup). The APs connect to trunk ports; each WLAN has its own tagged VLAN while the management network is the native VLAN for the trunk. The 2106 connects over a trunk port to the 4506 in the same way. DHCP is handled by the 4506, each VLAN has its own. Everything works, but since I have routing enabled on the 4506 and L3 interfaces on the VLANs, wireless users can get anywhere they want on the network. So now it's time to set up some ACLs...

I'm having a difficult time wrapping my head around the difference between the ACLs defined in the virtual interface for both WLANs on the 2106, the routing ACLs on the 4506, and the VACLs. Can someone help show me how you use them together?

Also, how exactly does traffic flow from the APs through the 2106 to the "core" 4506? I know the APs pick up an IP and register with the WLC, but what about client traffic? Does the AP tag it according to whichever virtual interface it belongs to? Does everything from the clients "flow" through the WLC?

Sorry for the n00b type questions, just trying to figure out how this all works.

Thanks.

1 ACCEPTED SOLUTION

Help understanding differences of ACLs on 2106 vs ACLs on 4506

The ACLs on the WLCs (regardless of platform) are a bit "backwards" in comparison to traditional ACLs on other devices (such as your 4506).  The idea of "inbound/outbound" is backwards; however, if you understand "where" the ACL is being applied it will make more sense.

The WLC does not apply ACLs to the "wired" side of the interfaces.  For instance an ACL permitting or denying traffic "inbound" is not being applied to traffic coming "in" to the dynamic interface from your wire.

Inbound is traffic from wireless clients "in" to the WLC, and outbound rules are from the WLC "out" to the wireless client.

So as far as "client traffic" flow.

1. An AP discovers/joins (building CAPWAP tunnel via UDP 5246/5247).  You "could" build ACLs on your DS to "only" permit this type of traffic; if you really "want".

2. Clients connected to that AP will have their traffic passed through that same tunnel, whereby it is processed once it "arrives" at the WLC.  The WLC will then egress the traffic out of the applicable interface for that WLAN.

So if you want to block "client" traffic, you can either perform the config at the L3 gateways for the applicable networks or you "can" build the ACL at the WLC; however, I would suggest doing this on your wired network for more control and less impact to system resources of the WLC.

For instance, perhaps you have wireless clients on the 192.168.1.0/24 network.  You want to "permit" these clients to reach a server on your wired network (10.10.10.10 and all protocols, for this example) as well as allow internet traffic; however, they should not reach anything else.

I've done it using both "directions" so you can see the flow; rather than "any" direction.  See how the "in/out" is almost backwards.

Hope that helps a little.

Cheers,

David W.
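The two ACLs David describes, written out as an added example (this is not configuration or a screenshot from the original post). It uses the addresses from his example, wireless clients on 192.168.1.0/24 and a wired server at 10.10.10.10; the wireless SVI number and gateway address (Vlan100, 192.168.1.1), the assumption that the rest of the wired network lives in RFC 1918 space, and the WLC ACL and dynamic interface names are all assumptions. The first half is the IOS ACL he recommends, applied inbound on the 4506's wireless SVI, where "in" means packets arriving from the wireless clients. The second half is the same policy as an AireOS ACL on the 2106: there "in" is client-to-WLC and "out" is WLC-to-client, the rule list ends in an implicit deny, and the rules are stateless, so the return half of every flow needs its own "out" rule. Lines beginning with "!" are annotations; IOS accepts them in a config, the AireOS CLI does not.

```text
! ---- 4506 (IOS): filter at the L3 gateway ----
ip access-list extended WIRELESS-IN
 remark Added example, not from the thread. Applied inbound on the wireless SVI,
 remark so "in" means packets coming from the wireless clients.
 remark DHCP to the 4506 itself: before it has a lease a client sources 0.0.0.0
 permit udp any eq bootpc any eq bootps
 remark The one wired server the clients may reach, all protocols
 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.10
 remark Assumption: everything else on the wire is RFC 1918 space, so deny it
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Whatever is left is Internet-bound
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan100
 description wireless client gateway (VLAN number and address assumed)
 ip address 192.168.1.1 255.255.255.0
 ip access-group WIRELESS-IN in
!
! ---- 2106 (AireOS CLI): the same policy on the WLC ----
! "in" = from the wireless client toward the WLC, "out" = from the WLC toward
! the client. A new rule defaults to source any, destination any, protocol any,
! direction any, action deny, so only the fields that differ are set below.
config acl create WIRELESS-ACL
! rule 1: client -> server
config acl rule add WIRELESS-ACL 1
config acl rule source address WIRELESS-ACL 1 192.168.1.0 255.255.255.0
config acl rule destination address WIRELESS-ACL 1 10.10.10.10 255.255.255.255
config acl rule direction WIRELESS-ACL 1 in
config acl rule action WIRELESS-ACL 1 permit
! rule 2: server -> client, the return half of rule 1
config acl rule add WIRELESS-ACL 2
config acl rule source address WIRELESS-ACL 2 10.10.10.10 255.255.255.255
config acl rule destination address WIRELESS-ACL 2 192.168.1.0 255.255.255.0
config acl rule direction WIRELESS-ACL 2 out
config acl rule action WIRELESS-ACL 2 permit
! rules 3-5: client -> any other RFC 1918 destination is dropped
config acl rule add WIRELESS-ACL 3
config acl rule destination address WIRELESS-ACL 3 10.0.0.0 255.0.0.0
config acl rule direction WIRELESS-ACL 3 in
config acl rule action WIRELESS-ACL 3 deny
config acl rule add WIRELESS-ACL 4
config acl rule destination address WIRELESS-ACL 4 172.16.0.0 255.240.0.0
config acl rule direction WIRELESS-ACL 4 in
config acl rule action WIRELESS-ACL 4 deny
config acl rule add WIRELESS-ACL 5
config acl rule destination address WIRELESS-ACL 5 192.168.0.0 255.255.0.0
config acl rule direction WIRELESS-ACL 5 in
config acl rule action WIRELESS-ACL 5 deny
! rules 6-8: the mirror image, any other RFC 1918 source -> client is dropped
config acl rule add WIRELESS-ACL 6
config acl rule source address WIRELESS-ACL 6 10.0.0.0 255.0.0.0
config acl rule direction WIRELESS-ACL 6 out
config acl rule action WIRELESS-ACL 6 deny
config acl rule add WIRELESS-ACL 7
config acl rule source address WIRELESS-ACL 7 172.16.0.0 255.240.0.0
config acl rule direction WIRELESS-ACL 7 out
config acl rule action WIRELESS-ACL 7 deny
config acl rule add WIRELESS-ACL 8
config acl rule source address WIRELESS-ACL 8 192.168.0.0 255.255.0.0
config acl rule direction WIRELESS-ACL 8 out
config acl rule action WIRELESS-ACL 8 deny
! rules 9-10: what remains is Internet traffic, allowed both ways
config acl rule add WIRELESS-ACL 9
config acl rule direction WIRELESS-ACL 9 in
config acl rule action WIRELESS-ACL 9 permit
config acl rule add WIRELESS-ACL 10
config acl rule direction WIRELESS-ACL 10 out
config acl rule action WIRELESS-ACL 10 permit
config acl apply WIRELESS-ACL
! attach it to the dynamic interface the WLAN maps to (interface name assumed)
config interface acl wireless-clients WIRELESS-ACL
```

Note that the IOS ACL is a single list because the SVI sees only one direction, while the WLC version needs a rule pair per flow. If the clients also need an internal DNS server or another wired service, add explicit permits for it ahead of the RFC 1918 denies on whichever device you use, and on the WLC add both the "in" and the "out" rule.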

3 REPLIES

Help understanding differences of ACLs on 2106 vs ACLs on 4506

Thanks for the explanation, it has helped me to understand how the ACLs are applied....or really the WLC's concept of "flow".  I've moved the ACLs to the 4506 and have set the ACLs on the 2106 to allow everything for now.  I'm just more comfortable configuring ACLs on "real" switches.

Now for another question...

I'm trying to understand how trunking and CAPWAP tunnels work together.  I have the following setup:

Mgmt:vlan 20:192.168.20.0/24

guest:vlan 21:192.168.21.0/24

secure:vlan 22:192.168.22.9/24

All have gateway of .1 on corresponding vlan interface on 4506.

DHCP running on each vlan on the 4506

Trunk to APs and to WLC port 1, native vlan 20, allowed 20-22

So the AP boots up and does DHCP over the native (untagged) VLAN 20 and gets an IP from the 4506, it then sets up a CAPWAP tunnel over the same VLAN to the WLC and learns its WLAN interfaces. So now when a wireless client connects to the guest SSID, does the traffic go across the trunk from the AP as tagged VLAN 21 traffic to the WLC and then to the 4506, or does it flow over the CAPWAP tunnel across the 20 VLAN to the WLC and then get placed on the 21 VLAN when leaving the WLC destined for the 4506? Or does it just get dumped on the 21 VLAN direct from the AP to the 4506 without ever flowing through the WLC?

Obviously I'm not familiar with Cisco wireless....but I'm trying to wrap my brain around it!

Thanks for your help.


Re: Help understanding differences of ACLs on 2106 vs ACLs on 4506

A local mode AP joined to a WLC should only be used on an "access" port.  It's not required, but strongly suggested.

If you used a trunk, then yes, the AP would boot up and get an IP on the "native" VLAN specified on that trunk port.  This is the "only" VLAN the AP will be using.  The AP itself doesn't communicate on the other VLANs, regardless of what VLAN the "client" is on.  "ALL" client traffic is encapsulated in the CAPWAP tunnel from the AP to the WLC (over that native VLAN, or whichever VLAN you specify on an access port).  Once the traffic arrives at the WLC, only "then" will the traffic be distributed on its applicable interface/VLAN.

So the Local Mode LAP is only on "one" VLAN; no need for the trunk.  Again; "all" client traffic traverses the CAPWAP tunnel; where it is then processed centrally by the WLC.

Please mark your question answered if that's what you were looking for on the ACLs.

Thanks,
David W.
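The 4506 port configuration that follows from David's two points above (the access port for a local mode AP, and the earlier remark that the distribution switch "could" be restricted to CAPWAP only), as an added example and not configuration from the thread. The AP's switchport becomes an access port in VLAN 20 while the WLC's port 1 stays a trunk, and a port ACL on the AP's switchport permits only what a local mode AP itself sends: DHCP and the CAPWAP control and data ports (UDP 5246/5247) to the WLC. VLAN numbers, subnets and the native VLAN are from the question; the WLC management address (192.168.20.5), the interface numbers and the ACL name are assumptions. The ACL ends with an implicit deny, so if the AP also relies on DNS to find the controller, NTP, or syslog, add permits for those before applying it.

```text
! ---- 4506 (IOS). Added example, not from the thread. ----
ip access-list extended AP-PORT-IN
 remark Inbound on the AP's switchport, so it filters what the AP itself sends.
 remark DHCP: the AP sources 0.0.0.0 before it has a lease
 permit udp any eq bootpc any eq bootps
 remark CAPWAP control (5246) and data (5247) to the WLC management address (assumed)
 permit udp 192.168.20.0 0.0.0.255 host 192.168.20.5 range 5246 5247
 remark Implicit deny: client packets never appear on this port in the clear,
 remark they are inside the CAPWAP data packets matched above.
 remark Add DNS/NTP/syslog permits here if the AP uses them.
!
interface GigabitEthernet2/1
 description LAP1142N, local mode (interface number assumed)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 ip access-group AP-PORT-IN in
!
interface GigabitEthernet2/2
 description 2106 port 1 (interface number assumed)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20-22
 switchport mode trunk
```

Only the WLC's port needs the trunk, because the WLC is the point where client traffic leaves the tunnel and is placed on VLAN 21 or 22. The `switchport trunk encapsulation dot1q` line is only accepted on supervisors that still offer ISL; on dot1q-only supervisors leave it out. Port ACLs on the 4500 are inbound only, which is all this needs.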
