03-11-2014 02:51 PM - edited 11-18-2020 03:06 AM
In this document we will see how to build an access control list (ACL) on a Wireless LAN Controller (WLC).
Template sentence that one must be able to fill in, for both directions, before even trying to configure a WLC ACL:
For a given direction
An attempt
(a) should be denied/blocked (b) from whom? (c) in which network? (d) to whom? (e) in which network? (f) for what (to ping, or what else)? (g) while going towards which direction (wired or wireless) w.r.t. the WLC?
For the opposite direction
An attempt
(a) should be denied/blocked (b) from whom? (c) in which network? (d) to whom? (e) in which network? (f) for what (to ping, or what else)? (g) while going towards which direction (wired or wireless) w.r.t. the WLC?
Every WLC ACL should answer three queries about the Interesting Traffic:
To understand this, let's read the following:
if ( ACL applied to : Interface | CPU ) { the per-WLAN ACL will override the interface ACL }
[?] For which scenarios can ACLs be used?
[=]
FlexConnect
Web Authentication
Direction is w.r.t. the WLC:
'in'bound: IP packets destined 'in'-bound, towards the Wireless LAN Controller
(sourced from the wireless client)
'out'bound: IP packets destined 'out'-bound, towards the wireless client
(sourced from the Wireless LAN Controller)
It means:
Wireless client TO AP : INBOUND
AP TO Wireless client : OUTBOUND
In other words,
if the ACL is focusing on traffic going INside the wired network, the ACL must have the direction INbound (from the client to the WLC);
if the ACL is focusing on traffic going OUTside the wired network, the ACL must have the direction OUTbound (from the WLC to the client).
It is for this reason that, when configuring WLC ACLs,
if we make an ACL entry in the INbound direction for a specific traffic flow,
we must also make an ACL entry in the OUTbound direction for that same flow (its return traffic).
Also, since there is an implicit 'deny all' at the end of a given ACL, we need to explicitly permit the flows (in both directions) that we want to allow.
So,
Direction of Normal ACLs:
------------------------
Ingress : AP >----any data-----> Switch
Egress : Switch->----any data-----> AP
Direction of FlexConnect ACLs: (just the opposite)
------------------------
Egress : AP >----any data-----> Switch
Ingress: Switch->----any data-----> AP
FlexConnect ACLs are applied until the client is authenticated.
Example 1: How to ensure that 10.10.14.0/24 (the wireless clients' subnet) is not able to ping 10.10.205.20 (a wired host), but can still ping any other network
((( say 192.168.1.0/24 (wired) )))
(So, in this case, the specific traffic is between the wireless network and the wired host.)
(So, we will have to make ACL entries for the INbound and OUTbound directions of this traffic.)
[=]
(Ping is a two-step process: we send an Echo Request and expect an "Echo Response"/Reply. Having said that, if we ensure that we do not get the Echo Response/Reply, ping won't work, which is what we want.)
[ Hint 1: The Echo "Response" packet should not be able to travel from ( Wired ) to ( Wireless ) ]
[ Hint 2: This command should give RTO (request timed out) messages ----------> ping 10.10.14.x source WiredVLAN ]
[ Hint 3: This command should give RTO (request timed out) messages ----------> ping 10.10.14.10 source lo0 ]
where,
10.10.14.10 is the IP address of a host in the wireless network
lo0 is a loopback interface representing the wired network
For INbound direction: (while going inside the wired network)
Step One : "Wireless clients should not be able to ping the specific host "
Step Two : "Wireless clients should be able to ping all of the rest "
For OUTbound direction: (while going outside the wired network)
Step Three : "Anyone from any network should be able to ping to the wireless network"
Last Step:
Step Four : Concept of Deny All
To configure the ACL, let's go through the following steps:
Step One
=========
Please see the attached image, which shows the ACL in the GUI, and read the following in the order listed to make sense of the WLC ACL:
An attempt
(a) should be denied/blocked
(b) from anyone
(c) from the wireless network
(d) to the wired host
(e) to ping
(f) while going towards the wired network (inbound towards WLC)
Step Two
========
Since any Deny must be followed by a Permit statement (because, if we do not do so, everything else also gets denied, due to the implicit 'deny all'),
we need to ensure that the rest of the subsequent traffic is allowed/permitted.
All the rest of the attempts
(a) should be permitted/allowed (b) from anyone (c) from the wireless network (d) to anyone (e) of any network (f) to ping (g) while going towards the wired network (inbound towards WLC)
Step Three
==========
An attempt
(a) should be permitted/allowed (b) from anyone (c) from any network (d) to anyone (e) in the wireless network (f) to ping (g) while going outside the wired network (outbound from WLC)
Step Four
==========
We are now just left with implementing the concept of Implicit Deny All (as mentioned at the beginning of the document).
An attempt
(a) should be permitted/allowed (b) from anyone (c) from any network (d) to anyone (e) in any network (f) to ping (g) while going in ANY direction (be it INbound or OUTbound w.r.t the WLC)