Cisco Wireless LAN Controller Configuration Guide, Release 7.5
Configuring and Applying Access Control Lists
Downloads: This chapterpdf (PDF - 1.28MB) The complete bookPDF (PDF - 17.88MB) | The complete bookePub (ePub - 4.41MB) | Feedback

Configuring and Applying Access Control Lists

Contents

Configuring and Applying Access Control Lists

Information About Access Control Lists

An Access Control List (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). After ACLs are configured on the controller, they can be applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller central processing unit (CPU) to control all traffic destined for the CPU.

You may also want to create a preauthentication ACL for web authentication. Such an ACL could be used to allow certain types of traffic before authentication is complete.

Both IPv4 and IPv6 ACL are supported. IPv6 ACLs support the same options as IPv4 ACLs including source, destination, source and destination ports.


Note


You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.


Restrictions for Access Control Lists

  • You can define up to 64 ACLs, each with up to 64 rules (or filters) for both IPv4 and IPv6. Each rule has parameters that affect its action. When a packet matches all of the parameters for a rule, the action set for that rule is applied to the packet.
  • When you apply CPU ACLs on a Cisco 5500 Series Controller or a Cisco WiSM2, you must permit traffic towards the virtual interface IP address for web authentication.
  • All ACLs have an implicit “deny all rule” as the last rule. If a packet does not match any of the rules, it is dropped by the controller.
  • If you are using an external web server with a Cisco 5500 Series Controller or a controller network module, you must configure a preauthentication ACL on the WLAN for the external web server.
  • If you apply an ACL to an interface or a WLAN, wireless throughput is degraded when downloading from a 1-GBps file server. To improve throughput, remove the ACL from the interface or WLAN, move the ACL to a neighboring wired device with a policy rate-limiting restriction, or connect the file server using 100 Mbps rather than 1 Gbps.
  • Multicast traffic received from wired networks that is destined to wireless clients is not processed by WLC ACLs. Multicast traffic initiated from wireless clients, destined to wired networks or other wireless clients on the same controller, is processed by WLC ACLs.
  • ACLs are configured on the controller directly or configured through Cisco Prime Infrastructure templates. The ACL name must be unique.
  • You can configure ACL per client (AAA overridden ACL) or on either an interface or a WLAN. The AAA overridden ACL has the highest priority. However, each interface, WLAN, or per client ACL configuration that you apply can override one another.
  • If peer-to-peer blocking is enabled, traffic is blocked between peers even if the ACL allows traffic between them.
  • Authentication traffic has to go through the Cisco WLC for this feature to be supported, even if DNS-based ACL is local to the AP.

Configuring and Applying Access Control Lists (GUI)

Configuring Access Control Lists


    Step 1   Choose Security > Access Control Lists > Access Control Lists to open the Access Control Lists page.
    Step 2   If you want to see if packets are hitting any of the ACLs configured on your controller, select the Enable Counters check box and click Apply. Otherwise, leave the check box unselected, which is the default value. This feature is useful when troubleshooting your system.
    Note   

    If you want to clear the counters for an ACL, hover your cursor over the blue drop-down arrow for that ACL and choose Clear Counters.

    Step 3   Add a new ACL by clicking New. The Access Control Lists > New page appears.
    Step 4   In the Access Control List Name text box, enter a name for the new ACL. You can enter up to 32 alphanumeric characters.
    Step 5   Choose the ACL type. There are two types of ACL supported, IPv4 and IPv6.
    Step 6   Click Apply. When the Access Control Lists page reappears, click the name of the new ACL.
    Step 7   When the Access Control Lists > Edit page appears, click Add New Rule. The Access Control Lists > Rules > New page appears.
    Step 8   Configure a rule for this ACL as follows:
    1. The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In the Sequence text box, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for this ACL.
      Note   

      If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5. If you add or change a sequence number for a rule, the sequence numbers for other rules adjust to maintain a continuous sequence. For instance, if you change a rule’s sequence number from 7 to 5, the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7, respectively.

    2. From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:
      • Any—Any source (this is the default value).
      • IP Address—A specific source. If you choose this option, enter the IP address and netmask of the source in the text boxes. If you are configuring IPv6 ACL, enter the IPv6 address and prefix length of the destination in the text boxes.
    3. From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:
      • Any—Any destination (this is the default value).
      • IP Address—A specific destination. If you choose this option, enter the IP address and netmask of the destination in the text boxes. If you are configuring IPv6 ACL, enter the IPv6 address and prefix length of the destination in the text boxes.
    4. From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. These are the protocol options:
      • Any—Any protocol (this is the default value)
      • TCP—Transmission Control Protocol
      • UDP—User Datagram Protocol
      • ICMP/ICMPv6—Internet Control Message Protocol
        Note    ICMPv6 is only available for IPv6 ACL.
      • ESP—IP Encapsulating Security Payload
      • AH—Authentication Header
      • GRE—Generic Routing Encapsulation
      • IP in IP—Internet Protocol (IP) in IP (permits or denies IP-in-IP packets)
      • Eth Over IP—Ethernet-over-Internet Protocol
      • OSPF—Open Shortest Path First
      • Other—Any other Internet Assigned Numbers Authority (IANA) protocol
        Note   

        If you choose Other, enter the number of the desired protocol in the Protocol text box. You can find the list of available protocols in the INAI website.

      The controller can permit or deny only IP packets in an ACL. Other types of packets (such as ARP packets) cannot be specified.
    5. If you chose TCP or UDP in the previous step, two additional parameters appear: Source Port and Destination Port. These parameters enable you to choose a specific source port and destination port or port ranges. The port options are used by applications that send and receive data to and from the networking stack. Some ports are designated for certain applications such as Telnet, SSH, HTTP, and so on.
      Note   

      Source and Destination ports based on the ACL type.

    6. From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP) value of this ACL. DSCP is an IP header text box that can be used to define the quality of service across the Internet.
      • Any—Any DSCP (this is the default value)
      • Specific—A specific DSCP from 0 to 63, which you enter in the DSCP edit box
    7. From the Direction drop-down list, choose one of these options to specify the direction of the traffic to which this ACL applies:
      • Any—Any direction (this is the default value)
      • Inbound—From the client
      • Outbound—To the client
      Note   

      If you are planning to apply this ACL to the controller CPU, the packet direction does not have any significance, it is always ‘Any’.

    8. From the Action drop-down list, choose Deny to cause this ACL to block packets or Permit to cause this ACL to allow packets. The default value is Deny.
    9. Click Apply to commit your changes. The Access Control Lists > Edit page reappears, showing the rules for this ACL. The Deny Counters fields shows the number of times that packets have matched the explicit deny ACL rule. The Number of Hits field shows the number of times that packets have matched an ACL rule. You must enable ACL counters on the Access Control Lists page to enable these fields.
      Note   

      If you want to edit a rule, click the sequence number of the desired rule to open the Access Control Lists > Rules > Edit page. If you want to delete a rule, hover your cursor over the blue drop-down arrow for the desired rule and choose Remove.

    10. Repeat this procedure to add any additional rules for this ACL.
    Step 9   Click Save Configuration to save your changes.
    Step 10   Repeat this procedure to add any additional ACLs.

    Applying an Access Control List to an Interface


      Step 1   Choose Controller > Interfaces.
      Step 2   Click the name of the desired interface. The Interfaces > Edit page for that interface appears.
      Step 3   Choose the desired ACL from the ACL Name drop-down list and click Apply. The default is None.
      Note    Only IPv4 ACL are supported as interface ACL.
      Step 4   Click Save Configuration to save your changes.

      Applying an Access Control List to the Controller CPU


        Step 1   Choose Security > Access Control Lists > CPU Access Control Lists to open the CPU Access Control Lists page.
        Step 2   Select the Enable CPU ACL check box to enable a designated ACL to control the traffic to the controller CPU or unselect the check box to disable the CPU ACL feature and remove any ACL that had been applied to the CPU. The default value is unselected.
        Step 3   From the ACL Name drop-down list, choose the ACL that will control the traffic to the controller CPU. None is the default value when the CPU ACL feature is disabled. If you choose None while the CPU ACL Enable check box is selected, an error message appears indicating that you must choose an ACL.
        Note   

        This parameter is available only if you have selected the CPU ACL Enable check box.

        Note   

        When CPU ACL is enabled, it is applicable to both wireless and wired traffic. Only IPv4 ACL are supported as CPU ACL.

        Step 4   Click Apply to commit your changes.
        Step 5   Click Save Configuration to save your changes.

        Applying an Access Control List to a WLAN


          Step 1   Choose WLANs to open the WLANs page.
          Step 2   Click the ID number of the desired WLAN to open the WLANs > Edit page.
          Step 3   Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
          Step 4   From the Override Interface ACL drop-down list, choose the IPv4 or IPv6 ACL that you want to apply to this WLAN. The ACL that you choose overrides any ACL that is configured for the interface. None is the default value.
          Note   

          To support centralized access control through AAA server such as ISE or ACS, IPv6 ACL must be configured on the controller and the WLAN must be configured with AAA override enabled feature.

          Step 5   Click Apply.
          Step 6   Click Save Configuration.

          Applying a Preauthentication Access Control List to a WLAN


            Step 1   Choose WLANs to open the WLANs page.
            Step 2   Click the ID number of the desired WLAN to open the WLANs > Edit page.
            Step 3   Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
            Step 4   Select the Web Policy check box.
            Step 5   From the Preauthentication ACL drop-down list, choose the desired ACL and click Apply. None is the default value.
            Step 6   Click Save Configuration to save your changes.

            Configuring and Applying Access Control Lists (CLI)

            Configuring Access Control Lists


              Step 1   See all of the ACLs that are configured on the controller by entering this command:

              show [ipv6] acl summary

              Step 2   See detailed information for a particular ACL by entering this command: show [ipv6] acl detailed acl_name

              
The Counter text box increments each time a packet matches an ACL rule, and the DenyCounter text box increments each time a packet does not match any of the rules.

              Note   

              If a traffic/request is allowed from the controller by a permit rule, then the response to the traffic/request in the opposite direction also is allowed and cannot be blocked by a deny rule in the ACL.

              Step 3   Enable or disable ACL counters for your controller by entering this command:

              config acl counter {start | stop}

              Note   

              If you want to clear the current counters for an ACL, enter the clear acl counters acl_name command.

              Step 4   Add a new ACL by entering this command: config [ipv6] acl create acl_name.

              You can enter up to 32 alphanumeric characters for the acl_name parameter.

              Note   

              When you try to create an interface name with space, the controller CLI does not create an interface. For example, if you want to create an interface name int 3, the CLI will not create this since there is a space between int and 3. If you want to use int 3 as the interface name, you need to enclose within single quotes like ‘int 3’.

              Step 5   Add a rule for an ACL by entering this command: config [ipv6] acl rule add acl_name rule_index
              Step 6   Configure an ACL rule by entering config [ipv6] acl rule command:
              Step 7   Save your settings by entering this command:

              save config

              Note   

              To delete an ACL, enter the config [ipv6] acl delete acl_name command. To delete an ACL rule, enter the config [ipv6] acl rule delete acl_name rule_index command.


              Applying Access Control Lists


                Step 1   Perform any of the following:
                • To apply an ACL to the data path, enter this command:

                  config acl apply acl_name

                • To apply an ACL to the controller CPU to restrict the type of traffic (wired, wireless, or both) reaching the CPU, enter this command:

                  config acl cpu acl_name {wired | wireless | both}

                  Note   

                  To see the ACL that is applied to the controller CPU, enter the show acl cpu command. To remove the ACL that is applied to the controller CPU, enter the config acl cpu none command.

                  Note    For 2504 and 4400 series WLC, the CPU ACL cannot be used to control the CAPWAP traffic. Use the access-list on the network to control CAPWAP traffic.
                • To apply an ACL to a WLAN, enter this command:

                  config wlan acl wlan_id acl_name

                  Note   

                  To see the ACL that is applied to a WLAN, enter the show wlan wlan_id command. To remove the ACL that is applied to a WLAN, enter the config wlan acl wlan_id none command.

                • To apply a preauthentication ACL to a WLAN, enter this command:

                  config wlan security web-auth acl wlan_id acl_name

                Step 2   Save your changes by entering this command: save config

                Configuring Layer 2 Access Control Lists

                Information About Configuring Layer 2 Access Control Lists

                You can configure rules for Layer 2 access control lists (ACLs) based on the Ethertype associated with the packets. Using this feature, if a WLAN with central switching is required to support only PPPoE clients, you can apply Layer 2 ACL rules on the WLAN to allow only PPPoE packets after the client is authenticated and the rest of the packets are dropped. Similarly, if the WLAN is required to support only IPv4 clients or only IPv6 clients, you can apply Layer 2 ACL rules on the WLAN to allow only IPv4 or IPv6 packets after the client is authenticated and the rest of the packets are dropped. For a locally-switched WLAN, you can apply the same Layer 2 ACL either for the WLAN or a FlexConnect AP. AP-specific Layer 2 ACLs can be configured only on FlexConnect APs. This is applicable only for locally-switched WLANs. The Layer 2 ACL that is applied to the FlexConnect AP takes precedence over the Layer 2 ACL that is applied to the WLAN.

                In a mobility scenario, the mobility anchor configuration is applicable.

                The following traffic is not blocked:
                • Wireless traffic for wireless clients:
                  • 802.1X
                  • Inter-Access Point Protocol
                  • 802.11
                  • Cisco Discovery Protocol
                • Traffic from a distributed system:
                  • Broadcast
                  • Multicast
                  • IPv6 Neighbor Discovery Protocol (NDP)
                  • Address Resolution Protocol (ARP) and Gratuitous ARP Protection (GARP)
                  • Dynamic Host Configuration Protocol (DHCP)
                  • Domain Name System (DNS)

                Layer 2 ACL Mapping to WLAN

                If you map a Layer 2 ACL to a WLAN, the Layer 2 ACL rules that you configure apply to all the clients that are associated with that WLAN.

                When you map a Layer 2 ACL to a centrally switched WLAN, the rule to pass traffic based on the Ethertype is determined by Fast-Path for every client that is associated with the WLAN. Fast-Path looks into the Ethernet headers associated with the packets and forwards the packets whose Ethertype matches with the one that is configured for the ACL.

                When you map a Layer 2 ACL to a locally switched WLAN, the rule to pass traffic based on the Ethertype is determined by the forwarding plane of the AP for every client that is associated with the WLAN. The AP forwarding plane looks into the Ethernet headers associated with the packets and forwards or denies the packets based on the action whose Ethertype matches with the one that is configured for the ACL.

                Restrictions for Layer 2 Access Control Lists

                • You can create a maximum of 16 rules for a Layer 2 ACL.
                • AP-specific Layer 2 ACLs can be configured only on FlexConnect APs. This is applicable only for locally-switched WLANs.
                • You can create a maximum of 64 Layer2 ACLs on a controller.
                • A maximum of 16 Layer 2 ACLs are supported per AP because an AP supports a maximum of 16 WLANs.
                • Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an AP does not support the same Layer 2 and Layer3 ACL names.

                Configuring Layer 2 Access Control Lists (CLI)

                • config acl layer2 {create | delete} acl-name—Creates or deletes a Layer 2 ACL.

                • config acl layer2 apply acl-name—Applies a Layer 2 ACL to a data path.

                • config acl layer2 rule {add | delete} acl-rule-name index—Creates or deletes a Layer 2 ACL rule.

                • config acl layer2 rule change index acl-rule-name old-index new-index—Changes the index of a Layer 2 ACL rule.

                • config acl layer2 rule action acl-rule-name index {permit | deny}—Configures an action for a rule.

                • config acl layer2 rule etherType name index ether-type-number-in-hex ether-type-mask-in-hex—Configures the destination IP address and netmask for a rule.

                • config acl layer2 rule swap index acl-rule-name index-1 index-2—Swaps the index values of two rules.

                • config acl counter {start | stop}—Starts or stops the ACL counter. This command is applicable for all types of ACLs. In an HA environment, the counters are not synchronized between the active and standby controllers.

                • show acl layer2 summary—Shows a summary of the Layer 2 ACL profiles.

                • show acl layer2 detailed acl-name—Shows a detailed description of the Layer 2 ACL profile specified.

                • show client detail client-mac-addr—Shows the Layer 2 ACL rule that is applied to the client.

                Mapping of Layer 2 ACLs with WLANs (CLI)

                This is applicable to centrally switched WLANs and locally switched WLANs without FlexConnect access points.

                • config wlan layer2 acl wlan-id acl-name—Maps a Layer 2 ACL to a centrally switched WLAN.

                • config wlan layer2 acl wlan-id none—Clears the Layer 2 ACLs mapped to a WLAN.

                • show wlan wlan-id—Shows the status of a Layer 2 ACL that is mapped to a WLAN.

                Mapping of Layer 2 ACLs with Locally Switched WLANs Using FlexConnect Access Points (CLI)

                This is applicable to locally switched WLANs that have FlexConnect access points.

                • config ap flexconnect wlan l2acl add wlan-id ap-name acl-name—Maps a Layer 2 ACL to a locally switched WLAN.

                • config ap flexconnect wlan l2acl delete wlan-id ap-name—Deletes the mapping.

                • show ap config general ap-name—Shows the details of the mapping.