In this post we will learn how to use ACLs on a WLC.
As we all know, we use ACLs to prohibit or restrict access from specific clients.
Mostly we use these types of ACL:
- CPU ACL (be careful before assigning it)
- WLAN/Interface-based ACL
- Pre-authentication ACL
Basic Info:
Limitations:
- We can configure a maximum of 64 filters, each with up to 64 rules.
- ACLs can impact the performance of the controller.
- ACLs can't block access to the virtual IP address (1.1.1.1) of the WLC, so DHCP cannot be blocked for wireless clients.
- ACLs do not affect the service port of the WLC.
- We can only block IP traffic.
Parameters used in an ACL:
Sequence: The order in which the ACL lines are processed against the packet. Even after an ACL line has been created with sequence number 1, we can give it a new sequence number, which means we can insert ACL lines anywhere in the ACL even after the ACL is created.
Source IP & Destination IP: Here we enter the host or subnet IP and mask (From & To). The masks in an ACL are normal masks, not wildcard masks.
Protocol: The protocol number to match in the IP packet header.
Here is the list of all the options we can use: Any (all protocol numbers are matched),
TCP (6), UDP (17), ICMP (1), ESP (50), AH (51), GRE (47), IP (4), Eth Over IP (97), OSPF (89), Other (specify the number)
Source & Destination Port: Can only be specified for TCP or UDP.
DSCP: Differentiated Services Code Point allows us to specify a particular DSCP value to match in the IP packet header (only two options available: Specific and Any).
Direction: Which direction to enforce: Inbound, Outbound or Any
Inbound: Packets sourced from the wireless client (Client -> WLC)
Outbound: Packets destined to the wireless client (WLC -> Client)
Any: Packets sourced from the wireless client and packets destined to the wireless client are both inspected to see if they match the ACL line; the line is applied in both the Inbound and the Outbound direction.
Action: Either Permit or Deny
Rules:
- We can only specify protocol numbers from the IP header (UDP, TCP, etc.) in ACL lines, because ACLs are restricted to IP packets only.
- If the source AND destination are any, then the direction is also ANY.
- If the source or destination is NOT any, then the direction must be specified.
- The direction is seen FROM the controller's point of view.
- Inbound: Wireless client to WLC
- Outbound: WLC to wireless client
- Remember that there is an implicit deny at the end of every ACL.
Let's start with the configuration.
First we will create an ACL and apply it to either a WLAN or an interface.
Log in to the WLC, then go to Security > Access Control Lists > Access Control Lists and click New.
Also check Enable Counters to see the statistics.
CPU Access List
In my example:
- Block Telnet from a specific workstation to the management interface
Workstation: 192.168.128.8
WLC2: 192.168.10.3
Create the access list and apply it.
*** To remove this ACL we either have to uncheck the "Enable CPU ACL" box or, via the CLI, use the command "config acl cpu none". Remember this command: if we get stuck in a situation where we can't access the WLC anymore, run it from the console to get access back.
*** LWAPP/CAPWAP control traffic is not affected by CPU ACLs.
*** By default Telnet is disabled on the WLC; we must enable it for testing (from Management > Telnet-SSH).
Here is my access list; we can see the hit counters.
Apply it: Security > Access Control List > CPU Access List
How it looks in the CLI:
(WLC2) >show acl cpu

CPU Acl Name................................ TestACL
Wireless Traffic............................ Enabled
Wired Traffic............................... Enabled

(WLC2) >show acl summary

ACL Counter Status                       Enabled
----------------------------------------
IPv4 ACL Name                    Applied
-------------------------------- -------
TestACL                          Yes
----------------------------------------
IPv6 ACL Name                    Applied
-------------------------------- -------

(WLC2) >show acl detailed TestACL

            Source                          Destination                           Source      Dest
Index  Dir  IP Address/Netmask              IP Address/Netmask              Prot  Port Range  Port Range  DSCP  Action  Counter
------ ---  ------------------------------- ------------------------------- ----  ----------- ----------- ----- ------- -----------
     1 In   192.168.128.8/255.255.255.255   192.168.10.3/255.255.255.255    6     0-65535     23-23       Any   Deny    3
     2 Any  0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any   0-65535     0-65535     Any   Permit  14

DenyCounter : 0

URLs configured in this ACL
---------------------------

(WLC2) >
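The matching semantics from the Parameters and Rules sections above (sequence order, normal masks instead of wildcard masks, direction seen from the controller, port ranges only for TCP/UDP, implicit deny at the end), written up as an added Python model that is not part of the original post and not WLC code. The rule table is constructed from the TestACL show output above; `Rule`, `in_net` and `evaluate` are hypothetical helpers, not a WLC API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0.0.0.0"   # WLC "any": 0.0.0.0 with a 0.0.0.0 normal mask

@dataclass
class Rule:
    seq: int                   # sequence number: lower numbers are checked first
    src: str                   # "ip/mask" with a normal mask, not a wildcard mask
    dst: str
    proto: Optional[int]       # protocol number from the IP header; None = Any
    sport: Tuple[int, int]     # inclusive port ranges, only meaningful for TCP/UDP
    dport: Tuple[int, int]
    direction: str             # "in" (client -> WLC), "out" (WLC -> client) or "any"
    action: str                # "permit" or "deny"

    def __post_init__(self):
        # Rule from the page: source AND destination any implies direction any.
        both_any = self.src == ANY_NET and self.dst == ANY_NET
        if both_any and self.direction != "any":
            raise ValueError(f"rule {self.seq}: any/any requires direction any")

def in_net(ip: str, net: str) -> bool:
    # 192.168.128.8/255.255.255.255 is a single host; 0.0.0.0/0.0.0.0 matches all.
    addr, mask = net.split("/")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def evaluate(rules: List[Rule], src_ip, dst_ip, proto, sport, dport, direction):
    """Return (action, seq) of the first matching line; no match is the implicit deny."""
    for r in sorted(rules, key=lambda r: r.seq):
        if r.direction not in ("any", direction):
            continue
        if not (in_net(src_ip, r.src) and in_net(dst_ip, r.dst)):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if proto in (6, 17) and not (r.sport[0] <= sport <= r.sport[1]
                                     and r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.action, r.seq
    return "deny", None   # implicit deny at the end of every ACL

# TestACL from the CPU ACL example on this page (constructed from the show output).
TEST_ACL = [
    Rule(1, "192.168.128.8/255.255.255.255", "192.168.10.3/255.255.255.255",
         6, (0, 65535), (23, 23), "in", "deny"),
    Rule(2, ANY_NET, ANY_NET, None, (0, 65535), (0, 65535), "any", "permit"),
]
```

Dropping line 2 from TEST_ACL shows why the explicit permit matters on a CPU ACL: with only the deny line, every other packet to the controller falls through to the implicit deny, which is exactly the lockout that "config acl cpu none" recovers from.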
WLAN / Interface ACL
Where to Apply:
- Under WLAN
- Under Dynamic interface
Preauthentication ACL
As its name suggests, this kind of ACL is used before any authentication takes place.
We usually create this type of pre-authentication ACL for web authentication. Such an ACL can be used to allow certain types of traffic before authentication is complete.
Creating or writing the ACL is the same as in the section above, so I will not repeat the steps here.
Where we can apply this ACL:
- Go to WLANs > WLANs
- Click the ID number of the WLAN to open the WLANs > Edit page
- Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page
- In the Preauthentication ACL drop-down box, choose the desired ACL and click Apply
That’s all 🙂