Restrictions ACL for Wireless AP to WLC in HREAP Desgin Setup
Hello, Everyone I have Wireless HREAP setup in which the Wireless LAN Controllers (WLC) are located across the WAN in DataCenter while the Wireless Access Points (AP) are located within the branches, so setup is fine but as security requirement mandates that the APs VLAN in the branch should be restricted from accessing any thing except neccessary communication to WLC across the WAN so on the interface VLAN assigned for the APs in the branch i Applied an inbound ACL as below and it works fine but after some times my be days i found that the Access points are not present in the WLC GUI and it will appear only if i removed the ACL...............So question here what else is missing in my ACL which is neccessary for AP communication to WLC?
Actually the issue was due to the ACL, which was blocking the DHCP (how stupidly I overlooked that)
I have did the same command as you instructed and it reveal that AP has timed out, so I have enabled debugging on ACL to see what kindly of communication is going on and I found many communication which I was keep allowing it based try and error till I found this log that Some APs IP address are trying to communicate to the default VLAN gateway IP address on port 67 which is DHCP then I realized this is the issue.....
In brief....the APs are assigned to a dynamic VLAN (DHCP-enabled) so when I apply the old ACL, the APs already has obtained an IP addresses and they work fine with WLC, but when the DHCP lease timer expires, the APs try to send DHCP renew to the default gateway in which no ACE inside the ACL is matching so that request being denied and therefore doesn't get an IP address so it loses communication with the WLC....
So I added the following ACE at the end of the above ACL
permit udp host 0.0.0.0 any eq bootps
NowI will always remember.......Security comes with cost
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...
I have created a Powershell script to automatically add a Wireless Guest
User on Cisco WLCs. (tested on 2500 Series) The script should be
completely self explanatory. Prerequisites: Powershell SNMP Module
(Install-Module -Name SNMP) SNMP Write Access to y...