ACL on controller-based wireless

We're trying to put an ACL on our wireless guest subnets on a controller-based wireless system. We're using 2 of the WiSMs. The ACL I used to use in WLSM allowed the guest subnet to the dhcp servers and out to the internet and dropped everything else, but I don't know where I would apply that list now for it to work with all the different vlans and addresses for the WiSMs.

Hi Brian,
Perhaps this doc will help:
ACLs on Wireless LAN Controller Configuration Example
From this doc:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
Hope this helps!
Rob
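The policy asked about above (guest clients may reach the DHCP servers and the internet, everything else is dropped) is easy to get wrong through rule order alone. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator that applies an ordered permit/deny list to constructed packets and shows why the DHCP permit has to sit above the deny-to-internal entries, and why the RFC 1918 ranges must be denied explicitly before the catch-all permit. The guest subnet, DHCP server addresses and sample packets are all constructed; the evaluator is a model of ACL semantics, not a WLC feature.

```python
"""Ordering check for a guest-WLAN ACL (added example, not from the thread).

A tiny first-match evaluator applies an ordered rule list to constructed
packets.  It models the policy from the question: guest clients may reach
the DHCP servers and the internet, and everything else is dropped.
All addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

GUEST_NET = "10.200.0.0/16"                      # constructed guest subnet
DHCP_SERVERS = ["10.10.1.5/32", "10.10.1.6/32"]  # constructed DHCP servers
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR the source must fall in
    dst: str                     # CIDR the destination must fall in
    proto: str = "any"           # "udp", "tcp" or "any"
    dport: Optional[int] = None  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def guest_acl() -> List[Rule]:
    """Correct order: DHCP first, then block internal ranges, then permit the rest."""
    rules = []
    # A client without a lease sends DHCP from 0.0.0.0, so match any source here.
    for server in DHCP_SERVERS:
        rules.append(Rule("permit", "0.0.0.0/0", server, "udp", 67))
    for private in RFC1918:
        rules.append(Rule("deny", GUEST_NET, private))
    rules.append(Rule("permit", GUEST_NET, "0.0.0.0/0"))
    return rules


def misordered_acl() -> List[Rule]:
    """Same rules with the DHCP permits moved to the bottom: renewals are lost."""
    rules = guest_acl()
    return rules[len(DHCP_SERVERS):] + rules[:len(DHCP_SERVERS)]


# Constructed sample traffic from a guest client.
DHCP_DISCOVER = Packet("0.0.0.0", "10.10.1.5", "udp", 67)
DHCP_RENEW = Packet("10.200.3.7", "10.10.1.6", "udp", 67)
TO_INTERNAL = Packet("10.200.3.7", "10.10.20.9", "tcp", 445)
TO_INTERNET = Packet("10.200.3.7", "198.51.100.10", "tcp", 443)
NOT_A_GUEST = Packet("192.0.2.1", "198.51.100.10", "tcp", 443)


if __name__ == "__main__":
    samples = [("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW),
               ("internal", TO_INTERNAL), ("internet", TO_INTERNET)]
    for name, pkt in samples:
        print(f"{name:9} ordered={evaluate(guest_acl(), pkt):7}"
              f" misordered={evaluate(misordered_acl(), pkt)}")
```

The misordered list still passes the initial DHCP discover (its 0.0.0.0 source is not in the guest subnet, so the deny entries skip it) but drops the unicast renewal, which is the kind of intermittent failure that is hard to spot from the client side; testing both packets against the rule list before applying it catches that.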

Similar Messages

  • Standalone vs Controller based

    We are talking with a mid sized medical care facility.  Ultimately may need 15-20 access points.
    They are not ready to roll out a full wireless solution for their building yet, but would like to start with a few spots in modeling the application.
    So the question is "can they use a 3500 series model in standalone or must they be controller based?"
    I see from literature that the 1140 series can be purchased either way, but I can't determine if the 3500 is purchased via different p/n or one unit can work standalone.
    Appreciate any input.
    thanks
    Bruce

    Bruce,
    The 3500 series Access points are supported in the Unified (controller based) environment only. The primary reason for this is the CleanAir feature is only functional with a WLC.
    Other access point models like the 1140/1260 etc can be ordered with either standalone or lightweight/unified software. (And can be converted between the two modes)
    -Patrick
    Wireless TAC

  • Config mesh range command - controller based mesh configuration

    Hello,
    I have to install a wireless mesh network shortly using Cisco 1552 APs.  This will be controller based using 5508 controllers.  The controllers currently have some 1262 APs configured in a mesh and bridging configuration so happy that it all basically works. 
    My question is - what is the "config mesh range' command doing on the controller ( or setting the Range(RootAP to MeshAP) setting on the controller mesh GUI.  The default setting is 12000feet and I have left it at default at present.  Just interested in what this is used for - I assume it alters the mesh protocol parameters somehow ( or the RF parameters perhaps ) as it suggests in the guide that mesh APs will reboot following this command being changed.
    Thanks in advance.
    Regards,

    Hi r.brooks
    config mesh range is solely used on outdoor mesh devices (1520, 1550) in order to fine tune the timeout of the bridging function (if applicable). It is actually a number that dictates to the outdoor mesh access points (MAPs only) the "distance" of two consecutive MAPs that are bridging traffic. When tuning this one, use the longest distance on any MAP-MAP that are doing mesh bridging. If not sure about the distance, keep the default value.
    I hope this helped.
    best regards,
    George

  • Cisco 1142 WGB in a controller based network

    Hi,
    I have trouble with Cisco AP1142 which is configured in WGB mode. I'm trying to get it to work in a controller based network, where LAPs are configured in H-REAP. The SSID where the WGB should be associated drops its traffic to VLAN60. Security type is WPA2-PSK.
    I've configured the WGB and it associates and gets IP from the correct network....but the problem is that laptop connected to WGB won't work. It gets no IP address and won't work with static IP.
    At the moment I have no VLANs configured on the WGB - should I have?
    AP IOS version is 12.4(25d)JA and WLC version is 7.0.98.0.
    Please find config file attached and also a topology image. Hope these help.
    Br,
    Petri

    Hi Petri,
    WGB mode with HREAP is not supported:
    http://tools.cisco.com/squish/dcAfC
    http://tools.cisco.com/squish/CcFE6
    You may want to test this with uWGB mode and static IP config. However, there is a new bug filed for uWGB mode as well:
    CSCtl21683    uWGB needs official testing and support with h-reap
    HTH,
    Alex

  • How Convert AIR-AP1262-C-K9 standalone AP to controller based AP?

    How to convert an AIR-AP1262-C-K9 standalone AP to a controller based AP? Is that possible? How?

    Hi,
    First follow these steps to convert to LAP:
    http://rscciew.wordpress.com/2014/05/07/access-point-conversion-lap-to-aap-and-vice-versa/
    WLC Model: It all depends on your requirement.
    If it's a small enterprise then go for the 2500 series, otherwise go for the 5500 series.
    Regards
    Don't forget to rate helpful posts

  • Can AIR-SAP2602E/I-C-K9 convert to controller based AP?

    Can AIR-SAP2602E/I-C-K9 convert to controller based AP?
    both S2G1K9W7-15202JA/ JB available?

    Here is the procedure:
    https://www.youtube.com/watch?v=wWDrFjwVNb0
    http://rscciew.wordpress.com/2014/05/07/access-point-conversion-lap-to-aap-and-vice-versa/
    Regards

  • PC Based Wireless Cards

    Will PC based wireless PCI cards work on the Mac Pro, or do I have to buy a card made for the Mac?
    I've looked around and can only find cards for the G3 or G4...

    The Airport Extreme card isn't compatible with the Mac Pro...why, I don't know.
    From the Apple store:
    *+This AirPort Extreme Card is not compatible with the Mac Pro or the Power Mac G5 Dual and Power Mac G5 Quad computers...+*
    The port for the Airport is much smaller than the interface on the extreme (I found this out after the fact...I bought one, but didn't read the small print).
    Additionally, the nearest Apple store is 50 miles away. I don't feel like driving for an hour to get it done, and on top of that I'm sure they'd charge an arm and a leg to do it.
    Message was edited by: KAGProductions

  • Cisco Outdoor Controller Based Access Point

    Hi,
    I am looking for Cisco Outdoor Controller Based access point model. The WLC is Cisco 2500 Series.
    I have checked couple of outdoor models but all are mesh access point. I am looking for  normal controller based outdoor access point ( just like controller based indoor access point models )
    Thanks.

    adding to Leo...
    Cisco Aironet 1300 Series
    http://www.cisco.com/en/US/products/ps5861/index.html
    Cisco Aironet 1550 Series
    http://www.cisco.com/en/US/products/ps11451/index.html
    Cisco Aironet 1520 Series
    http://www.cisco.com/en/US/products/ps8368/index.html
    these all are Cisco OUTdoor APs.
    Now you can choose as per your requirement.
    Regards
    Don't forget to rate helpful posts

  • Controller based AirGroup Policies & Auto-association

    Requirement:
    Controller based AirGroup Policies
    By default all AirGroup servers are visible to every AirGroup user. 
    This features enables configuring policies on controller for AirGroup servers to limit the visibility of AirGroup servers to destined AirGroup users.  Admin is allowed to configure shared user-list, shared role-list and shared group-list for each AirGroup server to limit this server’s visibility to intended AirGroup users.
    The group-list is the same as the group defined in Active directory. 
    These configurations were done in CPPM prior to v6.4.3, now it is extended to the controller.
    Auto-association
    Auto-association feature helps with visibility of an AirGroup server If it needs to be seen by a broader area. This feature enables attaching an AirGroup server to an AP-name, AP-group or AP-FQLN and any AirGroup users associated to that AP-name etc. will be automatically see those AirGroup Server.
    Auto-association feature can be applied at AirGroup Service level as well – AirPlay etc. All AirGroup  Servers advertising that service will be seen by AG users associated to that AP-name/AP-group/AP-FQLN.
    Use case – In a multi-floor building, if you want users in Floor-10 to have access to a printer in Floor-10. You can define location based policy and attach the printer to an AP-group for floor-10 and users belonging to that AP-group will be able to access that printer.
    Solution:
    Controller based AirGroup Policies
    Policies can be configured on the controller to limit the visibility of AirGroup servers to destined AirGroup users
    Policies can be configured based on shared user-list, shared role-list and shared group-list 
    Location based policies for AirGroup devices can be configured based on ap-name, ap-group and ap-fqln
    This was done in CPPM prior to v6.4.3
    Auto-association
    Enables AG users to discover AG servers based on 
    AP or its neighbours
    AP-Group
    AP-FQLN
    Auto-associate can be enabled at Airgroup  Server
    Airgroup  Service level (Airplay etc)
    Configuration:
    This configuration defines a policy for AG server based on its MAC address and share this server among list of users, role, group and location.
    Mac Address Based Policy Configuration
       (config) #airgroup policy <AG-Server-mac>
        (config-airgroup-policy) #?
        userlist
        rolelist
        grouplist
        location 
        no
    Configuration – Shared user list
    Configuration to add/remove users in an shared user-list.
    Configuring shared user-list
        (Aruba) (config-airgroup-policy) #userlist ?
    Adding a user-name:
       (config-airgroup-policy) #userlist add Bob          
    Deleting a user-name from the shared user-list:
       (config-airgroup-policy) #userlist remove Bob       
    Deleting the entire shared-user list:
       (config-airgroup-policy)# no userlist    
    Configuring Shared user-role 
      (Aruba) (config-airgroup-policy) #rolelist ?
    Adding a shared-role:
      (config-airgroup-policy) #rolelist add <name-string>             
     Deleting a role from the shared role-list:
      (config-airgroup-policy) #rolelist remove <name-string>       
    Deleting the entire shared-role list:
      (config-airgroup-policy) #no 
    Configuration – Shared user group
    Configuring shared user-group
      (config-airgroup-policy) #grouplist add <name-string>             
    Removing a shared user-group
      (config-airgroup-policy) #grouplist remove <name-string>      
    Disable user-group based sharing 
      (config-airgroup-policy) #no grouplist
    Configuration – Shared location
     Configuring shared location
       (config-airgroup-policy) #location ? 
        ap-group
        ap-fqln
        ap-name
        no
    Auto-association configuration:
    Adding an ap-group to shared-location
    (config-airgroup-policy) #location ap-group  bldg1                     
    Deleting an ap-group to shared-location
    (config-airgroup-policy) #location ap-group remove bldg1        
    Enabling location auto-association for ap-group
    (config-airgroup-policy) #location ap-group auto        
    Service level Auto-associate
    Configure Auto-association based on AirGroup Service based for AP-name, AP-Group and AP-location. Users associated to AP-name/AP-group/AP-FQLN will automatically see all Airgroup servers that advertise the AG service.
    (Aruba) (config) #airgroupservice ?
        STRING                  AirGroup Service
    (Aruba) (config) #airgroupservice airplay
    (Aruba) (config-airgroupservice)#autoassociate
        apfqln                  Auto tag with AP FQLN
        apgroup                 Auto tag with AP Group
        apname                  Auto tag with AP Name
    (Aruba) (config-airgroupservice) #autoassociate apname <AP-Name-String>
    (Aruba) (config-airgroupservice) #autoassociate apgroup <AP-Group-String>
    (Aruba) (config-airgroupservice) # autoassociate apfqln <AP-fqln-String>
    Configuration GUI – Device level Auto-associate
    GUI-Service level Auto-associate
    Verification
    Debugging commands
    Enable mdns logging using the following commands -
        #logging level debugging user process mdns
        #logging level debugging system process mdns
    Command to see policy entries
    Command to see service level Auto-associate
    Command to see records of each of the airgroup servers and the buckets (AP name/FQLN) in which they fall into
    This command shows the AirGroup devices fall into different buckets based on the controller based policies. 
    In this example, the AirGroup device (10.70.21.32) is configured under AP bucket. 
    This bucketing mechanism also helps with the scalability. With AOS v6.4.3, the scalability in terms of number of AirGroup users and servers has been increased to the platform limit of the controller. For example, for a 7240 controller, the number of AirGroup users and servers is 32K (max # of clients to be supported by a 7240 controller). Fetching an entry for an AirGroup device from the cache entries (with this increased scalability) was a challenge. This bucketing mechanism helps finding client entries belonging to a specific bucket and fetching from the entries in that bucket.
    Few additional commands to find log files and tech-support. 
    #Show airgroup servers verbose
    #Show log user all
    #Show log system all
    #Show tech-support <file-name>

    > The processing of Group Policy failed. Windows attempted to read the file \\bank
    > a.com\SysVol\banka.com\Policies\{7E60CAFC-6077-4FBB-B30A-F5FEAF4A38F1}\gpt.ini f
    > rom a domain controller and was not successful.
    Repair Sysvol Replication - it is broken.
    NTFRS:
    https://support.microsoft.com/en-us/kb/315457
    DFSR:
    https://support.microsoft.com/en-us/kb/2218556
    Greetings,
    Martin
    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Upgrading Autonomous to controller-based (AIR-SAP2602I)

    Hello,
    I don't know if it could be possible to upgrade an SAP2602i autonomous access point to controller-based?
    Thanks in advanced for your help.
    Regards.

    I don't know if it could be possible to upgrade an SAP2602i autonomous access point to controller-based?
    Yes, it's very easy to convert an autonomous AP into controller-based.
    All you need to do is download the controller-based recovery image (filename contains the "rcv"), copy the IOS into the AP and change the bootstring of the AP to boot the "rcv" file.

  • How to configure IP Address filter in Controller based Access Points ?

    Dear Team,
    Configuration:
    I have a 5508 series controller and joined two Thin APs to the controller. The WLAN controller is connected to a PC where a Multicast receiver is running for two Multicast IP addresses (IP1: 230.1.1.1, IP2: 230.1.1.2). A Multicast sender is running for the two IP addresses on the Station.
    Requirement:
    When Station is associated to AP1, AP1 should block the multicast packets going to AP2 and vice versa . That is AP1 should be configured to block multicast packets going to 230.1.1.2 and AP2 should be configured to block multicast  packets going to 230.1.1.1.
    Thanks,
    Harsha

    I believe you could apply ACLs and check if that helps.
    For more details about configuring ACLs, please refer to the following link:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html#task_AA3AFA57D51647478E0C3511137C165E
    Hope that helps.

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
    From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
    If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • Add a Repeater to Controller based WLAN - How to ?

    Dear all,
    I have a 2106 controller with 5 1242 AG LWAP's. I need to add another AP as a repeater to help provide a signal to an area where I have no LAN cable. I don't know how to do this and have the repeater recognised by the controller.
    If anyone has any advice, deployment examples, or white papers that may help, please let me know.
    Many thanks,
    NM

    Hello Neil and Jeff,
    I also need autonomous repeaters that extend the signal from LWAPP points, but everyone says "it doesn't work, you'll need mesh":
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&topicID=.ee6e8b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd24949
    http://forums.cisco.com/eforum/servlet/NetProf;jsessionid=7FF101A559C35FF77B1DB6CA2E77C36C.SJ3A?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&topicID=.ee7c7c3&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd2ba60
    Have you tried configuring this? Does it really work?

  • Traditional ACL vs Zone Based FW

    I have a 3845 ISR that I have been managing for a couple of years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with the traditional ACL config that I am more comfortable with?

    If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zone based FW will also inspect traffic and block any traffic with malicious code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
    The choice is based on your comfort level, but both are viable options...
    BR,
    Cary
    Sent from Cisco Technical Support iPad App

  • Make certificate-based wireless unavailable at login?

    Error: "Unable to log in with a network account" appears because the wireless connection goes offline. WEP networks work okay, but our internal network uses wireless with EAP certificate-based authentication. Since the Macbook does not come with ethernet jack, I have no other option. How do I get it to connect to the wireless prior to login?

    Does this article help?
    http://support.apple.com/kb/ht4772
