New Member

ACL for File Sharing WLC 5508

Hello,

I'm planning to put some restrictions on our network, from the WiFi network to our Server vLAN, to block everything but allow certain resources.

I have created ACLs in the WLC 5508, but I can't make it work. Any help would be appreciated.

                       Source                         Destination                 Source Port  Dest Port
Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0     17     0-65535   138-138    Any Permit           0
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0            6   138-138     138-138    Any Permit           0
     3  In      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255    6     0-65535   445-445    Any Permit           0
     4 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0      6     0-65535   445-445    Any Permit           0
     5  In      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255   17     0-65535   139-139    Any Permit           0
     6 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0     17     0-65535   139-139    Any Permit           0
     7 Any      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255    6     0-65535    80-80     Any Permit           0
     8 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0      6     0-65535    80-80     Any Permit           0
     9  In      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255    1     0-65535     0-65535  Any Permit           0
    10 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0      1     0-65535     0-65535  Any Permit           0
    11  In      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255    6   135-135     135-135    Any Permit           0
    12 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0      6   135-135     135-135    Any Permit           0
    13  In      10.10.14.0/255.255.255.0     192.168.10.11/255.255.255.255    6   139-139     139-139    Any Permit           0
    14  In         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0            6   137-137     137-137    Any Permit           0
    15 Out         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0            6   137-137     137-137    Any Permit           0
    16 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0            6     0-65535    80-80     Any Permit           6
    17 Out   192.168.10.11/255.255.255.255      10.10.14.0/255.255.255.0      6   139-139     139-139    Any Permit           0
    18 Any         0.0.0.0/0.0.0.0          192.168.10.215/255.255.255.255    6     0-65535     0-65535  Any Permit           0
    19 Any  192.168.10.215/255.255.255.255         0.0.0.0/0.0.0.0            6     0-65535     0-65535  Any Permit           0

7 REPLIES
Hall of Fame Super Gold

Re: ACL for File Sharing WLC 5508

Wrong place to put ACL. Put the ACL on the router not on the WLC.

Sent from Cisco Technical Support Nintendo App

New Member

ACL for File Sharing WLC 5508

Hi Leo,

I don't have a router other than the two for Internet at the edge of the network.

Any other suggestion?

Thanks,

Hall of Fame Super Silver

Re: ACL for File Sharing WLC 5508

You must have a switch doing layer 3 correct? If so, put it there.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Gold

Re: ACL for File Sharing WLC 5508

I agree with Scott. Whoever is the default gateway of your dynamic interface, that's where you put the ACL.

Using a Layer 3 appliance to do ACL is perfect because the WLC simply is NOT designed to do complicated ACL like what you're asking.

Sent from Cisco Technical Support Nintendo App

New Member

Re: ACL for File Sharing WLC 5508

Thanks for your suggestion, I was thinking in the wrong direction about ACLs in the WLC.

Controllers are connected to the Core Switch directly, with vLANs mapped to the WLC ports. Is it recommended to do ACLs on the Core, as it's the one responsible for all the vLANs? Or install another firewall device or Virtual Appliance "for testing" in between the Cores, or attached to the Core directly, and create the ACLs there?

The network infrastructure consists of two Cores connected via MLT, two ASA 5525 FWs, two high-end Nortel switches, two Alteon Application Switches for load balancing and two WAN routers, as we have two ISPs.

Regards,

Hall of Fame Super Gold

ACL for File Sharing WLC 5508

Controllers are connected to the Core Switch directly, with vLANs mapped to the WLC ports. Is it recommended to do ACLs on the Core, as it's the one responsible for all the vLANs?

My rule-of-thumb is the default gateway of the dynamic interface of your SSID. Wherever the default gateway is, this is where you stick your ACL.

Or install another firewall device or Virtual Appliance "for testing" in between the Cores, or attached to the Core directly, and create the ACLs there?

Ideally, a FW is the best because FWs are designed to do deep-packet inspection. If you don't have a FW, then an ACL will be just as fine.

Cisco Employee

ACL for File Sharing WLC 5508

I guess you need at least one deny entry; it seems you are allowing everything. Check the WLC ACL guide for guidelines.
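As an added illustration (not code from the thread or from Cisco), the following Python script parses a hand-copied subset of the rows from the ACL table in the first post and evaluates individual flows against them, the way a reviewer would check what a stateless list actually permits. The treatment of an unmatched packet as blocked is an assumption of the script, not a statement about the controller.

```python
import ipaddress

# Subset of the rows from the ACL posted in the thread: index, direction, source,
# destination, protocol number, source-port range, dest-port range (every row is Permit).
ACL_ROWS = """\
3  In  10.10.14.0/255.255.255.0       192.168.10.11/255.255.255.255  6 0-65535 445-445
4  Out 192.168.10.11/255.255.255.255  10.10.14.0/255.255.255.0       6 0-65535 445-445
9  In  10.10.14.0/255.255.255.0       192.168.10.11/255.255.255.255  1 0-65535 0-65535
16 Any 0.0.0.0/0.0.0.0                0.0.0.0/0.0.0.0                6 0-65535 80-80
18 Any 0.0.0.0/0.0.0.0                192.168.10.215/255.255.255.255 6 0-65535 0-65535
19 Any 192.168.10.215/255.255.255.255 0.0.0.0/0.0.0.0                6 0-65535 0-65535
"""

def _net(text):
    ip, mask = text.split("/")          # "a.b.c.d/dotted-mask", as the WLC prints it
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        idx, direction, src, dst, proto, sport, dport = line.split()
        rules.append({"index": int(idx), "dir": direction, "src": _net(src), "dst": _net(dst),
                      "proto": int(proto), "sport": tuple(map(int, sport.split("-"))),
                      "dport": tuple(map(int, dport.split("-")))})
    return rules

def first_match(rules, direction, src, dst, proto, sport, dport):
    """Index of the first rule matching the flow, or None when no rule matches
    (assumption: an unmatched packet is dropped, so None means 'blocked')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["dir"] not in ("Any", direction) or r["proto"] != proto:
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"][0] <= sport <= r["sport"][1] and r["dport"][0] <= dport <= r["dport"][1]:
            return r["index"]
    return None

def overly_broad(rules):
    """Rules a reviewer should question: any-to-any, or every port of a protocol
    to or from any host. For the rows above these are entries 16, 18 and 19."""
    flagged = []
    for r in rules:
        any_src, any_dst = r["src"].prefixlen == 0, r["dst"].prefixlen == 0
        all_ports = r["dport"] == (0, 65535)
        if (any_src and any_dst) or (all_ports and (any_src or any_dst)):
            flagged.append(r["index"])
    return flagged
```

Evaluating the reply half of an SMB session (source port 445, ephemeral destination port) in the Out direction shows it matches none of the posted rows, which is the kind of gap to look for whenever the list is stateless.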
