Rajan Parmar
Cisco Employee

    Introduction

    This document explains how to build an access control list (ACL) on a Cisco Wireless LAN Controller (WLC).

    Configure a WLC-ACL

    Template sentence that one must be able to fill in, for both directions, before even trying to configure a WLC-ACL:

    For a given direction

    An attempt

    (a) should be denied/blocked
    (b) from whom?
    (c) in which network?
    (d) to whom?
    (e) in which network?
    (f) for what (for example, to ping)
    (g) while going towards which direction (wired or wireless) with respect to the WLC

    For the opposite direction

    An attempt

    (a) should be denied/blocked
    (b) from whom?
    (c) in which network?
    (d) to whom?
    (e) in which network?
    (f) for what (for example, to ping)
    (g) while going towards which direction (wired or wireless) with respect to the WLC

    Questions about Interesting Traffic

    Every WLC-ACL should answer three questions about the interesting traffic:

    • what to do with the inbound traffic?
    • what to do with the outbound traffic?
    • what to do about the Implicit Deny All, which sits at the end of every ACL?

    To understand this, read the following:

    What are ACLs?

    • WLC ACLs permit (allow/accept) or deny (block/reject) traffic at layer 3 (IP addresses) or at layer 4 (ports) between specific hosts or subnets. Note that ports can be given by name or by number.
    • WLC ACLs act on traffic that is (1) unicast, (2) non-DHCP and (3) IP.

    What kind of ACLs?

    An ACL can be applied to an interface or to the CPU. A per-WLAN ACL overrides the interface ACL.

    In which scenarios can ACLs be used?

    • FlexConnect
    • Web Authentication

    Direction is with respect to the WLC:

    'in'bound  : IP packets destined inbound, towards the Wireless LAN Controller (sourced from the wireless client)

    'out'bound : IP packets destined outbound, towards the wireless client (sourced from the Wireless LAN Controller)

    It means:

    Wireless client  ->  AP              : INBOUND
    AP               ->  Wireless client : OUTBOUND


    In other words,

    if the ACL is focusing on traffic going INside the wired network, the ACL entry must have the direction INbound (from the client to the WLC);
    if the ACL is focusing on traffic going OUTside the wired network, the ACL entry must have the direction OUTbound (from the WLC to the client).

    It is for this reason that, when configuring WLC-ACLs,
      if we make an entry in the INbound direction for a specific traffic,
      we must also make an entry in the OUTbound direction for that same traffic.

    Also, since every ACL ends with a 'deny all', we need to permit, in both directions, the flows we want to allow.

    So,
    Direction of Normal     ACLs:
    ------------------------
    Ingress : AP     >----any data-----> Switch
    Egress  : Switch->----any data-----> AP

    Direction of FlexConnect ACLs:(just the opposite)
    ------------------------
    Egress : AP     >----any data-----> Switch
    Ingress: Switch->----any data-----> AP

    FlexConnect ACLs are applied until the client is authenticated.

    Example

    Example 1: Ensure that 10.10.14.0/24 (the wireless clients' subnet) cannot ping 10.10.205.20 (a wired host) but can still ping any other network (say 192.168.1.0/24, wired).

    (So, in this case, the specific traffic is between the wireless network and the wired host.)
    (So, we will have to make ACL entries for the INbound and the OUTbound direction for this traffic.)

    (Ping is a two-step process: we send an Echo Request and expect an Echo Reply. So, if we ensure that no Echo Reply comes back, ping will not work, which is what we want.)

    [ Hint 1: The Echo Reply packet should not be able to travel from the wired network to the wireless network ]
    [ Hint 2: This command should give Request Timed Out (RTO) messages: ping 10.10.14.x source WiredVLAN ]
    [ Hint 3: This command should give Request Timed Out (RTO) messages: ping 10.10.14.10 source lo0 ]

    where
    10.10.14.10 is the IP address of a host in the wireless network, and
    lo0         is a loopback interface representing the wired network.

    For the INbound direction (traffic going inside the wired network):

    Step One   : "Wireless clients should not be able to ping the specific host"
    Step Two   : "Wireless clients should be able to ping all of the rest"

    For the OUTbound direction (traffic going outside the wired network):

    Step Three : "Anyone from any network should be able to ping the wireless network"

    Last step:

    Step Four  : Concept of Deny All

    How to Configure ACL

    To configure the ACL, go through the following steps:

    Step One

    =========

    Refer to the attached image, which shows the ACL in the GUI, and read the following in the listed order to make sense of the WLC ACL:

    An attempt

    (a) should be denied/blocked
    (b) from anyone
    (c) from the wireless network
    (d) to the wired host
    (e) to ping
    (f) while going towards the wired network (inbound towards WLC)

    Step Two

    ========

    Any deny must be followed by a permit statement (otherwise everything else is also denied, because of the implicit 'deny all' at the end of the ACL).
    Hence, we need to ensure that the rest of the traffic is permitted.

    All other attempts

    (a) should be permitted/allowed
    (b) from anyone
    (c) from the wireless network
    (d) to anyone
    (e) of any network
    (f) to ping
    (g) while going towards the wired network (inbound towards WLC)

    Step Three
    ==========

    An attempt

    (a) should be permitted/allowed
    (b) from anyone
    (c) from any network
    (d) to anyone
    (e) in the wireless network
    (f) to ping
    (g) while going outside the wired network (outbound from WLC)

    Step Four
    ==========

    We are now just left to implement the concept of Implicit Deny All (as mentioned at the beginning of the document).

    An attempt

    (a) should be permitted/allowed
    (b) from anyone
    (c) from any network
    (d) to anyone
    (e) in any network
    (f) to ping
    (g) while going in ANY direction (be it INbound or OUTbound w.r.t the WLC)
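As an added example (not part of the original document), the following Python models the four rules of Example 1 with first-match semantics and the implicit deny at the end, derives the direction the way the document defines it (a packet sourced by a wireless client is inbound towards the WLC), and treats a ping as an Echo Request plus an Echo Reply that must both pass. The protocols are taken literally from the steps ("to ping"), so a non-ICMP flow is shown falling to the implicit deny, and a reordered copy of the list shows the step-one deny being shadowed if the step-four permit came first; 10.10.14.10 and 192.168.1.5 are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    direction: str   # "in" (client -> WLC), "out" (WLC -> client) or "any"
    protocol: str    # "icmp", "tcp", "udp" or "ip" (matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

ANY = ipaddress.ip_network("0.0.0.0/0")
WIRELESS = ipaddress.ip_network("10.10.14.0/24")      # wireless clients' subnet (Example 1)
WIRED_HOST = ipaddress.ip_network("10.10.205.20/32")  # the host the clients must not ping

# Example 1, rules in the order the four steps give them (protocol as listed: ping)
EXAMPLE1_ACL = [
    Rule("deny",   "in",  "icmp", WIRELESS, WIRED_HOST),   # step one
    Rule("permit", "in",  "icmp", WIRELESS, ANY),          # step two
    Rule("permit", "out", "icmp", ANY, WIRELESS),          # step three
    Rule("permit", "any", "icmp", ANY, ANY),               # step four
]

def direction_of(src_ip):
    """Direction is w.r.t. the WLC: a packet sourced by a wireless client is inbound."""
    return "in" if ipaddress.ip_address(src_ip) in WIRELESS else "out"

def evaluate(acl, direction, protocol, src_ip, dst_ip):
    """First matching rule wins; returns (action, 1-based rule index).
    No match means the implicit deny all at the end of every ACL (index None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, rule in enumerate(acl, start=1):
        if rule.direction != "any" and rule.direction != direction:
            continue
        if rule.protocol != "ip" and rule.protocol != protocol:
            continue
        if src in rule.src and dst in rule.dst:
            return rule.action, idx
    return "deny", None

def ping_allowed(acl, initiator, target):
    """Ping succeeds only if the Echo Request and the Echo Reply both pass the ACL."""
    request, _ = evaluate(acl, direction_of(initiator), "icmp", initiator, target)
    reply, _ = evaluate(acl, direction_of(target), "icmp", target, initiator)
    return request == "permit" and reply == "permit"

# Same rules with step four placed first: the deny of step one can never match.
MISORDERED_ACL = [EXAMPLE1_ACL[3]] + EXAMPLE1_ACL[:3]
```

Because the step-one deny also blocks the Echo Reply a wireless client sends back, a ping from 10.10.205.20 towards the wireless subnet fails too, which is what Hints 2 and 3 describe.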