ACL blocking traffic towards the management interface on WLC 5508
Hello All,
I need to apply an ACL on a WLC 5508 such that it would allow HTTPS traffic to the management interface only from selected clients.
For the same, I have created an ACL permitting only the intended users while blocking the rest, and have applied it on the management interface.
However, access from all devices to the management interface is still not blocked. The ACL hit count is not incremented either.
I am on WLC code 8.0.110.0.
Has anyone else faced a similar issue while applying an ACL against the management interface?
Highly appreciate the inputs.
Thanks and Regards,
Adnan
Hi Adnan,
You have to apply this ACL as a CPU ACL. Then it will work.
For your reference:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
Hope that helps...
Kind regards
Philip
--> Pls rate useful responses <--
Similar Messages
-
What VLAN should the management interface be in on a 4400 controller?
Hi,
Some documentations put the management interface on a 4400 controller into a regular tagged VLAN. But some documentations put it in an untagged Native VLAN, the tag=0. What is the difference? Which configuration is optimal?
Thanks,
Justin
The answer is "it depends" :-)
I would not say any particular config is optimal though. If you have an established VLAN for management interfaces, I would use that. However, if you put the management interface in the same VLAN as your APs, APs find your controllers more easily. Otherwise you can use DHCP to point APs to controllers.
I prefer to tag the frame as to which VLAN it belongs to, even if that is the same as the native VLAN.
-
2950 - Changing the Management interface.
Hi Guys
I know the SI 2950s can't support more than 1 active SVI at any one time, and I've seen from the release notes of the 2950 code that the "management" command is no longer available for changing the management interface VLAN.
Considering this, what would be the best way to change the management VLAN remotely on a large number of 2950s without losing connectivity? I'd lab this up myself but I don't have a 2950 around to see what happens when I "un shut" the new VLAN.
Any help would be much appreciated.
Thanks
Please disregard this message.
I found a 2950 and discovered that when the new interface is "un shut" the old interface is automatically shut down.
-
ACL Best Practice - On the Internet interface
I have a question relating to ACLs on a router's 'Internet' facing interface.
Further to reading several whitepapers on the topic, a recommended ACL would typically contain the following statements.
In addition, the Cisco SDM automatically generates a similar externally facing ACL:
ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
My question is thus...
What is the point of lines 4-8 when the last line blocks them anyway?
I appreciate that when we view the ACL we can see the number of matches per explicit ACL entry, but in terms of blocking functionality, I can't see the added benefit.
Instead, the following ACL would provide the same benefit and be simpler to maintain.
ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny ip any any
Am I missing something obvious?
Thanks in advance for assistance,
Regards.
Thanks Jon for your response.
With regard to your first suggestion relating to a possible typo, my intention was not "permit ip any any".
My main point is that there are several example configurations posted on the Internet which at the top of the ACL explicitly deny specific types of traffic, then have a blanket 'DENY ALL' at the end. Here's another example someone else has posted:
http://www.velocityreviews.com/forums/t34618-cisco-837-wan-interface-accesslist.html
With regard to your second suggestion, you're right, I should have included a command like:
permit tcp any any established log
I appreciate this ACL is not stateful and I should use either the firewall feature set or a dedicated firewall appliance.
My question is primarily related to my first point, i.e. what is the point of:
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
when we have the following statement at the end:
deny ip any any
There are many example Internet-facing ACLs posted on the net that propose this same example configuration.
Thanks again for your response.
- peter
-
Changing the IP address of the management interface
Hi all,
I need to make a change to a pair of Production wireless controllers. Basically the IP range that was assigned for the wireless LAN is no longer sufficient. The gateway for the controllers is a pair of Cisco 4500's that are running HSRP.
I need to extend the LAN from a /23 to a /22. Unfortunately the range of addresses is completely different. To make matters worse I have to do this remotely, some distance away!
The layer 3 interface on the switches uses .2 and .3 of the new address range with .1 as the gateway (standby ip).
The controllers are setup as a Primary and Secondary device. With all the APs currently associated with the Primary.
My plan was to change the IP address of the management and ap-manager (both are on the same subnet) on the Secondary controller. I'd then lose visibility of the Secondary controller, then change the IP addresses of the physical interfaces on the 4500's. Confirm reachability to the new IP addresses defined on the Secondary controller. Assuming this works, reconfigure the physical interfaces on the two interfaces to ensure the Primary is reachable again, make the IP changes to the Primary WLC, update the physical interfaces on the 4500's to use the new IP addresses, and then both WLCs should be reachable. The APs will hopefully have rebooted and obtained a new IP address from the new range defined for them.
I'm really not sure of another way of doing this, other than adding a secondary IP address to the interfaces?
I also wonder if there is a way to apply the initial configuration to the secondary controller, and if my changes don't work, reload the controller so it goes back to using the saved configuration and not the running configuration. Do the controllers support something similar to the 'reload in x' command like on Cisco switches? I've looked up the reset command but am not sure it achieves the same outcome?
Any ideas?
Hi Scott,
Would you do the Primary or Secondary controller first? All the APs are currently associated with the Primary controller.
We don't have access to the console port on the controller remotely. We don't have a KVM/IP KVM there.
What would be the safest method in your opinion?
- Make the IP changes through the GUI on the Secondary controller.
- Make the changes on the L3 switches.
- Confirm reachability to the new ap-manager IP address and management IP address.
- Adjust the configuration on the L3 switch so the Primary is reachable again.
- Make the IP change through the GUI on the Primary controller.
- Confirm reachability to the Primary and Secondary.
Do the controllers support the 'reload in x' command or something similar? And is the 'Apply' command in the GUI like committing the change to the running-configuration but not the start-up configuration or if there is a major problem I can get somebody on-site to pull the power?
Thanks
-
Can Extended and Ethertype (input) ACLs be applied to the same interface?
Hello team:
Is it possible to apply one Extended ACL and one Ethertype ACL, in input mode, to the same interface?
Thank you very much in advance.
Mariela Musitani
Thank you very much Borys. I assumed that it was possible, but the documentation was not clear in this context.
regards, Mariela
-
Configuring 802.11v - BSS Transition Management on Cisco WLC 5508
Hi,
I am new to the configuration of the WLC, and I am trying to enable 802.11v sub feature called BSS Transition Management.
I am using WLC software version 8.0.115.0, but I can't find this feature either in the GUI or in the CLI. I did, however, manage to find other 802.11v sub-features like BSS Max Idle and DMS.
Has anyone configured this feature?
How is it done?
Thanks,
Udi Atar
Yeah, I want to tag all the VLANs for sure. Here is my switch config:
Building configuration...
Current configuration : 140 bytes
interface Port-channel11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 63,121,190,3000
switchport mode trunk
end
3560-153#show runn int gi0/33
Building configuration...
Current configuration : 171 bytes
interface GigabitEthernet0/33
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 63,121,190,3000
switchport mode trunk
channel-group 11 mode on
end
3560-153#show runn int gi0/34
Building configuration...
Current configuration : 171 bytes
interface GigabitEthernet0/34
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 63,121,190,3000
switchport mode trunk
channel-group 11 mode on
end
-
Prime Infrastructure 2.0 can not create the guest account on WLC 5508
The PI can manage the WLC, which means the connection between them is OK, but I am not able to create the guest account on it. The WLC has a guest SSID with web auth configured correctly.
Any idea why?
Thanks!
Raymond,
That's good to know that it required:
1) not only a RW community string
2) but also SSH credentials
I too would have thought option 1) would be all that was required, but it doesn't appear that way with your response.
The only way I'll add devices in from now on is by doing both SNMP RW and SSH at the same time.
Now we know.
Thanks for pointing this out.
-
Binding interfaces on WLC 5508
Hello, I would like information on binding multiple interfaces from the WLC to a Cisco switch for more bandwidth. Can someone point me in the right direction for this? Thank you
Here are some links. You need to have LAG enabled on the WLC and then you need to create an etherchannel to your switch. You can connect the WLC to multiple switches if they are in VSS.
https://supportforums.cisco.com/docs/DOC-20587
http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_ports_interfaces.html
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
-
Hi, how are you? Sorry for my questions and thanks for the patience.
I have a doubt. Does the CPU ACL affect only the traffic of the management interface?
For example:
Controller WLC 5508 version 7.0.98.0
Interface management IP address 186.108.26.2/24
Interface XX IP address 190.139.109.101
I have configured the following ACL and applied to CPU ACL:
(Cisco Controller) >show acl cpu
CPU Acl Name................................ ACL
Wireless Traffic............................ Enabled
Wired Traffic............................... Enabled
(Cisco Controller) >show acl summary
ACL Counter Status Enabled
ACL Name Applied
ACL Yes
(Cisco Controller) >show acl detailed ACL
Index  Dir  Source IP Address/Netmask  Destination IP Address/Netmask   Prot  Source Port Range  Dest Port Range  DSCP  Action  Counter
1      In   1.1.1.0/255.255.255.0      1.1.1.115/255.255.255.255        6     0-65535            443-443          Any   Permit  0
2      Any  0.0.0.0/0.0.0.0            100.100.100.100/255.255.255.255  6     0-65535            443-443          Any   Permit  0
3      Any  0.0.0.0/0.0.0.0            0.0.0.0/0.0.0.0                  Any   0-65535            0-65535          Any   Deny    51
DenyCounter : 27
(Cisco Controller) >
I have the following doubts:
Is it not necessary to allow the CAPWAP tunnel ports?
I have applied this ACL and traffic from Interface XX to 190.139.109.101 is filtered. If I remove the CPU ACL, traffic to interface XX is permitted. So does the CPU ACL affect all interfaces?
Hi,
Better a late reply than no reply at all ...
The CPU ACL actually filters traffic that is destined to one of the WLC IP addresses, so it works on all interfaces, but it does not filter all types of traffic, only traffic that is destined to the WLC itself.
So if you apply a CPU ACL, it is likely you need to either allow the CAPWAP ports or allow everything in the subnet where the APs are.
Regards,
Nicolas
-
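Added example (my own code, not from this thread or from Cisco): a first-match ACL evaluator with per-entry hit counters that models the CPU ACL from the "show acl detailed ACL" output above, shows why CAPWAP from the APs is dropped by it, and also answers the earlier INBOUND ACL question (explicit bogon denies versus a lone "deny ip any any" give the same verdicts but different counters). The CAPWAP ports 5246/5247 are the standard UDP ports; the AP subnet 10.20.0.0/16 and the sample hosts are constructed assumptions.

```python
# Added example, not code from the thread or from Cisco: a first-match ACL
# evaluator with per-entry hit counters, used to model the CPU ACL from the
# "show acl detailed ACL" output and the INBOUND ACL question above.
import ipaddress

CAPWAP_UDP_PORTS = (5246, 5247)  # CAPWAP control and data ports (UDP)

def rule(action, proto, src, dst, dport=(0, 65535)):
    """One ACL entry: action, IP protocol number or 'any', src/dst CIDR,
    destination port range. Direction ('In'/'Any') is not modelled."""
    return {"action": action, "proto": proto, "dport": dport, "hits": 0,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def evaluate(acl, src_ip, dst_ip, proto, dport=0):
    """Return (line_index, action) of the first matching entry and bump its
    hit counter; entries are 1-indexed like the controller's output."""
    for i, r in enumerate(acl, start=1):
        if (r["proto"] in ("any", proto)
                and ipaddress.ip_address(src_ip) in r["src"]
                and ipaddress.ip_address(dst_ip) in r["dst"]
                and r["dport"][0] <= dport <= r["dport"][1]):
            r["hits"] += 1
            return i, r["action"]
    return None, "Deny"  # implicit deny at the end of every ACL

def cpu_acl_as_posted():
    """Entries 1-3 exactly as listed in the thread's show acl detailed output."""
    return [rule("Permit", 6, "1.1.1.0/24", "1.1.1.115/32", (443, 443)),
            rule("Permit", 6, "0.0.0.0/0", "100.100.100.100/32", (443, 443)),
            rule("Deny", "any", "0.0.0.0/0", "0.0.0.0/0")]

def cpu_acl_with_capwap(ap_subnet):
    """Same ACL with CAPWAP from the AP subnet permitted ahead of the deny,
    the gap Nicolas's reply points at; ap_subnet is an assumed value."""
    acl = cpu_acl_as_posted()
    capwap = [rule("Permit", 17, ap_subnet, "0.0.0.0/0", (p, p))
              for p in CAPWAP_UDP_PORTS]
    return acl[:2] + capwap + acl[2:]

# Constructed sample flows (src, dst, proto, dport), all aimed at a WLC address.
FLOWS = {"https_allowed_host": ("1.1.1.20", "1.1.1.115", 6, 443),
         "https_other_host": ("192.0.2.9", "1.1.1.115", 6, 443),
         "capwap_ctrl_from_ap": ("10.20.0.7", "1.1.1.115", 17, 5246)}

def verdicts(acl):
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

def inbound_hit_counters(src_ips):
    """The INBOUND thread's question: explicit bogon denies versus a lone
    'deny ip any any'. Both drop every packet; only the explicit form records
    which reserved range each drop came from. ICMP permits are omitted."""
    bogons = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/32"]
    explicit = [rule("Deny", "any", n, "0.0.0.0/0") for n in bogons]
    explicit.append(rule("Deny", "any", "0.0.0.0/0", "0.0.0.0/0"))
    plain = [rule("Deny", "any", "0.0.0.0/0", "0.0.0.0/0")]
    same = all(evaluate(explicit, ip, "203.0.113.1", 6)[1]
               == evaluate(plain, ip, "203.0.113.1", 6)[1] for ip in src_ips)
    return same, [r["hits"] for r in explicit], [r["hits"] for r in plain]

if __name__ == "__main__":
    print("CPU ACL as posted:", verdicts(cpu_acl_as_posted()))
    print("with CAPWAP permits:", verdicts(cpu_acl_with_capwap("10.20.0.0/16")))
    print("INBOUND hits:", inbound_hit_counters(["10.1.2.3", "192.168.5.5", "8.8.8.8"]))
```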
2 AP Management interface WLC 5508 at the same time
Good afternoon,
I have a customer that wants a few APs to be managed by the management interface and to join by that interface, and another group of APs to be managed and to join by another interface configured with "Enable Dynamic AP Management".
It is a WLC 5508. I created an interface by checking the option "Enable Dynamic AP Management", but it does not work; by the management interface they are registered without problems.
Is it possible to do this? Is it supported?
I don't know if I understand your question properly or not.
I think you want to join APs to the management and AP manager interface at the same time?
When you want to allow APs to join on two ports, 1 (management) & 2, at the same time, then you have to use this:
As you must be aware, only one AP manager is allowed per port. So if you leave the Management interface as an AP-manager and just create one additional AP manager interface, you'll allow APs to join to either port, but the Management interface will not be able to fail over since that would make two AP managers on the same interface.
Or
Remove the AP management function from the Management interface and then create two new AP manager interfaces (one for each port).
Regards
Don't forget to rate helpful posts
-
WLC 5508 Cant get access via the Mgmt Interface
Hello everybody,
I have a WLC 5508 (version 7.0.98.0). If I'm pinging the service port interface or try to get access via this interface, everything is fine, but I can't get access via the management interface (but it's pingable).
The crazy thing is that the LAP joined successfully to the WLC, but the Upgrade tool (converting an AP to an LAP) doesn't work, because the tool can't reach the mgmt interface of the WLC.
There are no ACLs which are blocking the traffic between the WLC and my computer.
Does anyone have an idea what I've configured wrong?
Regards,
Rocco
Interface Name  Port  Vlan Id  IP Address    Type     Ap Mgr  Guest
wlan1           1     16       172.16.2.10   Dynamic  No      No
management      1     2        172.16.1.10   Static   Yes     No
wlan2           1     220      172.16.3.10   Dynamic  No      No
service-port    N/A   N/A      10.75.100.99  Static   No      No
virtual         N/A   N/A      1.1.1.1       Static   No      No
and my PC is in the 172.16.4 subnet
I have no access to the switch port where the controller is connected, but I know that this port permits access to the VLANs which are used
-
Cisco ASA won't send Syslog out management interface
I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?
Hi Mark,
Talking of packet tracer, it would give you correct output for a through the box traffic, not for to the box or from the box traffic.
So firstly we have two questions:
1) Is this a through the box traffic? Then you need to permit the traffic through an ACL (if from lower sec level to higher) and add a NAT statement (depending on the ASA IOS Version you are using, anything above 8.2.5 won't require a NAT).
2) If this is a syslog from the firewall scenario, then you need to make sure to get the following logging configuration on ASA
-enable logging
-logging host management X.X.X.X --------(X.X.X.X is the ip of the syslog server)
-logging trap debugging ----------(debugging is the level, you could use any other too, but to check would suggest this one)
-Further if you have already sorted out till here, get us the following outputs:
-show run
-show logging
-show logging queue
Hope it helps
Cheers,
Naveen
Please Rate Helpful posts.
-
Splitting the app traffic from the cluster and admin traffic
Hi,
We currently have a 10.3.2.0 setup where an admin server is behind a firewall and is running on the Administration Port and is connected to two managed servers in front of a first firewall in the DMZ.
On each managed server there are two network interfaces, one for management and one for apps/DB connections.
So I was wanting to know how do you get the managed server to split the traffic?
If I set the managed server's listening address to the management interface then it starts up fine, as that is what the admin server behind the firewall can see, BUT it means app and JDBC connections don't work and the server goes to ADMIN state first before you have to manually resume it.
If I set the managed server's listening address to the app interface then it can't start up, and the app interface's address is blocked from the admin server to the managed server via the firewall.
If I set the managed server to have no listening address and leave it blank in the interface field, it starts up and listens on all interfaces, BUT can't find a route to the admin server.
So what is the answer, can you do something with Network Channels? Or is it the case you just can't do it and just have to have one interface and one listening address, as the admin traffic is split by the default administration channel anyway.
Would be great to know.
Alistair.
Are you using cellular data? If yes, try to use Wi-Fi and see if the app works better by using a faster data connection. If you have no problem using Wi-Fi and maps, see if you can have a faster cellular connection by switching to 3G, 4G to LTE service in Settings/Cellular.
-
Help with Cisco 5508 management interface
Hello,
I'm trying to verify some behaviors I'm seeing with my 5508 controller setup and forgive me for missing anything obvious, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
From my host I can ping the management interface 10.10.30.5 and the interface gateway 10.10.30.1
I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet
I can connect to the controller via 10.10.8.200 both through the web interface and telnet
while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
Keep in mind, I did no other configurations besides what got configured in the AutoInstall process. What should I look at to resolve?
Thanks!
Mike
The service port is for out of band management and should not be connected to the network. If connected to the network, it should not have connectivity to the management interface of the WLC.
You can create an ACL to block the service port IP to the management VLAN if you want. I normally do not connect the service port to the network.