Restrictions ACL for Wireless AP to WLC in HREAP Desgin Setup

Similar Messages

• Allowed ports in ACLs for Wireless IP-Phones

  I need to Apply ACL on one SSID which is used to allow the communication between just IP phones and for sure CallManger.
  So I need to know which ports should I allow in ACLs:
  I tried to allow the following ports:
  UDP>> DHCP
  udp port 69 TFTP
  tcp port 2000 SCCP
  udp range 16384 32767 FOR RTP Streaming
  shall I enable any thing else????

  These ports are fine.
  CallManager discovery can occur several ways, one of them is DNS. If you use DNS discovery, you may want to add UDP 53. If CUCM information is fed from TFTP server files, then you are good with the ports mentioned in your list.
  hth
  J

• Configuring AppleTV for Wireless deployment without WLC (881- 3560- AP)

  Hi Guys,
  I have read the Wirelss deployment guide provided but i do not seem to get AppleTV to work on the wireless network. When connected to the wired network - all is ok.
  Design -
  Cisco 881 -> 3560 -> AP
  Here is what i have so far:
  Router Config:
  ip multicast-routing
  no ip igmp snooping
  interface FastEthernet0
  switchport mode trunk
  interface FastEthernet1
  switchport access vlan 5
  interface FastEthernet2
  switchport access vlan 5
  interface FastEthernet3
  switchport access vlan 5
  interface FastEthernet4
  mac-address *****
  ip address *****
  interface Vlan1
  ip address 192.168.0.5 255.255.255.0
  ip pim sparse-dense-mode
  interface Vlan5
  description --Data--
  ip address 192.168.5.254 255.255.255.0
  ip pim sparse-dense-mode
  interface Vlan6
  description --Media--
  ip address 192.168.1.254 255.255.255.0
  ip pim sparse-dense-mode
  Switch config
  A-01#sh run
  ip igmp snooping querier
  vlan internal allocation policy ascending
  vlan 5
  name Data
  vlan 6
  name Media
  interface GigabitEthernet0/1
  description <<To_G-01>>
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,5,6
  switchport mode trunk
  switchport nonegotiate
  interface Vlan1
  ip address 192.168.0.223 255.255.255.0
  ip pim rp-address 192.168.5.254
  AP Configuration
  no ip igmp snooping
  no dot11 igmp snooping-helper
  Please help me properly configure the network to support AppleTV. We currently use vlan 5 and 1 only. vlan 1 is management and vlan 5 - basically data and media.
  Regards,
  Faith

  Am used to it being called IOS
  Here we go.
  flash:/c1140-k9w7-mx.152-2.JB/c1140-k9w7-mx.152-2.JB
  You believe I should downgrade to v12?
  Could we first confirm that the configuration is ok so that i can resort to downgrade as a last resort because the AP is in exploitation at the client's site.
  Could you please confirm that my multicast configurations are correct ?
  Thank you for your time Scott!
  Faith.

• Cisco ACL for Wireless VLAN's

  Hi all and Merry Christmas to you.
  So I have been off work for a few days now playing in my lab, I have configured a number of VLAN’s to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142, I know it may be a bit of an over kill but it’s just me doing a bit of lab work and learning
  What I’m after doing now is setting up ACL’s to deny the Guest and Games Console VLAN from accessing my LAN and I’m not sure where to start, I want to consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN, this is for users who come round with phones and tablets.
  My lab look like this:-
  Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
  My DHCP server is on VLAN 6 with an IP address of 192.168.6.241
  VLANs are: -
  interface Vlan5
  description *****DATA VLAN*****
  ip address 192.168.5.253 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan6
  description *****Servers*****
  ip address 192.168.6.254 255.255.255.240
  interface Vlan7
  description *****VOICE*****
  ip address 192.168.7.254 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan8
  description *****VOICE WIFI*****
  ip address 192.168.8.254 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan9
  description *****WIFI CONSOLES*****
  ip address 192.168.9.254 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan10
  description *****WiFi Home*****
  ip address 192.168.10.254 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan11
  description *****WiFi Guest*****
  ip address 192.168.11.254 255.255.255.240
  ip helper-address 192.168.6.241
  interface Vlan12
  description *****Management*****
  ip address 192.168.12.254 255.255.255.240
  The AP config looks like:
  dot11 ssid Console
     vlan 9
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 094F4107170A051103
  dot11 ssid Home
     vlan 10
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
     mbssid guest-mode
  interface Dot11Radio0.9
  encapsulation dot1Q 9
  ip helper-address 192.168.6.241
  no ip route-cache
  bridge-group 9
  bridge-group 9 subscriber-loop-control
  bridge-group 9 block-unknown-source
  no bridge-group 9 source-learning
  no bridge-group 9 unicast-flooding
  bridge-group 9 spanning-disabled
  interface Dot11Radio0.10
  encapsulation dot1Q 10
  ip helper-address 192.168.6.241
  no ip route-cache
  bridge-group 10
  bridge-group 10 subscriber-loop-control
  bridge-group 10 block-unknown-source
  no bridge-group 10 source-learning
  no bridge-group 10 unicast-flooding
  bridge-group 10 spanning-disabled
  interface Dot11Radio0.12
  encapsulation dot1Q 12 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  At the minutes I’m just trying to stop Console getting to the Home network before I move onto the rest
  I have not got a clue where to start or where to place the ACL’s, would they be on the Switch or the AP itself?
  Hope you can help me out.
  Happy new year
  Martyn

  Here is a suport document in regards to autonomous ACL:
  https://supportforums.cisco.com/docs/DOC-13768
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Which PI is better for Wireless, 1.4 or 2.0?

  Simple question:- Which Prime Infrastructure is best for managing a Cisco wireless solution, Version 1.4 or 2.0?

  Hi Simon,
  Of course 2.0 version is new and hav many other features which PI 1.2 dont have.
  Example:wts new in 2.0
  Extended Device Support and Scalability (Wired / Wireless)
  _With Prime Infrastructure 2.0, you can manage up to 13,000 wired devices, up to 1,000
  controllers, up to 20,000 Unified Access Points, up to 3,000 autonomous Access Points, and up
  to 1,000 Network Analysis Modules.
  – Day-1 support of new Cisco devices and software releases helps ensure up-to-date coverage
  with no manageability gaps, which is provided through monthly IDUs-Incremental Device
  Updates.
  Guided Workflow for Day1 Deployment
  – Streamlined workflows facilitate design, deployment, and operational lifecycle tasks that align
  with user roles.
  Plug and Play for Wired/Wireless Devices
  Out-of-the-Box Best Practice Configuration for Optimized Deployment of Cisco Features and
  Technologies
  – Model-based simplified workflow to assess the network for Cisco TrustSec 802.1x readiness
  and facilitate the deployment of network technologies and solutions, such as one-click AVC
  Configuration from device work center, Cisco TrustSec 802.1x and Zone-Based Firewall (ZBF),
  all based on Cisco best practices.
  Support for Wireless LAN Controller (WLC) Release 7.4
  want to know more:
  http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/release/notes/cpi_rn.pdf
  As per my exp....PI 2.0 is bit slow then PI 1.2.
  Regards
  Dont forget to rate helpful posts

• DMZ Anchor WLC setup for Wireless Guest Access

  I have the following setup.
  A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
  An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
  Both WLCs are running the same 4.2.176 code.
  DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
  I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
  The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
  1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
  What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
  Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
  In the Inside WLC, I saw alot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
  2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP adddress to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
  3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
  4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
  Thanks.

  One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes thing easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.

• ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

  Hi,
  We have integrated WLC 5508 to cisco ise 3315 with ios 1.1.1 and using Guest Sponsor portal for wireless guest users.
  Where we have created open ssid in wlc and redirect web login portal in wlc for guest  users. We have enable all respective node in policy service for profiling and also configure snmp in wlc as well as in ise.
  When guest user is connected to open ssid its get redirected to web login page of ise portal and when it gets login we are  only able to see the username which guest user login but not the end device in monitoring log.
  Wireless End devices are not able to get profiled can any one tell me what configuration I need to do on ise or wlc side to profiled end guest wireless device like android,iphone and laptops
  Thanks
  Pranav

  Hi Tarikh,
  I only want to identify the end devices for wilress guest user. I have configured MAB Authentication and configure autorization policy where in mention identity group any condition as wlc web authentication and athorization profile only guest mentioning plain access for the same.
  Can you help me how I can achived profiling for wirless guest devices. I have configured all profiling probes . Enable snmp on wlc as well as in network devices.
  What else I need to configured to achived just identiting device nothing but profiling and which should reflect in authnetication logs.
  Thanks
  Pranav

• Best practices for network design on WLC 2504 and 5508

  Dear all:
  I'm looking for some recommendations on WLC 2504 and 5508 about the the following:
  Maximum amount of AP per port
  The scenario when to use all ports in both WLC
  Maximum number of clients(users) per port
  Bandwidth comsumption of  management vs data in order to assign one port for management
  I've just found this:
  Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
  Thanks for your help.

  The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
  This is an old document.  5508 can now support up to 500 APs if you run firmware 7.X.  2504 can support up to 75 APs if you run firmware 7.4.X.
  I'm looking for some recommendations on WLC 2504 and 5508 about the the following:
  Best practice and recommendation is to LAG all ports so you will be able to form a link redundancy.  If one link goes down, you have other link to push traffic. 

• Preauth ACL for Wired guest not working

  Hi Guys,
  I have 5508 wireless lan controller running code 7.2. We recently implemented Wired guest access on the WLC and configured necessary changes on the switch. We also have wireless guest profile as well configured on the WLC. We have some people who usually use Jabber client for video conferencing so what we have done is we have configured a preauth acl so that if any users connect to the wireless guest profile they automatically connect to the Jabber server without going through the Web auth. We have applied the same ACL in the Wired guest profile as well but the problem is that Jabber is not able to connect unless we manually go through web browser and then authenticate, but it is working normally for wireless guest access without the web authentication. Let me know if this is some kind of bug or a known issue which can fixed in some way. Thanks in advance
  - Krishna

  Krishna:
  Can you please confirm if other type of traffic (other than jabber traffic) is allowed by the pre-auth ACL?
  try - for testing - to allow traffic -by same ACL -  to some other destination and try via normal user to ping to open whatever session with that destination.
  let me know if that works or not.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Extended ACL for DHCP

  Hi,
  I'm having a problem creating an ACL to allow DHCP.
  I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
  Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
  I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:
  permit udp any host 172.16.30.4 log
  permit tcp any host 172.16.30.4 log
  permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
  permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
  permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
  deny ip any any (28 matches)
  172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my inital config was for ports 67 and 68.
  I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
  The IP helper address is configured on the interface and is 172.16.30.4.
  Can some one let me know what I'm missing.
  Cheers,
  Steve

  Hi,
  Thanks for the response - I'll try the ACL for DHCP shortly.
  With regard to the ACL:
  permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
  you are correct, that is for DNS.
  However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
  Cheers,
  Steve

• Ise 1.1.1 missing Wireless LAN Controller (WLC) in Auth Profile

  Anyone else not seeing the Wireless LAN Controller tick box in Authorization Profile?
  Clean install of 1.1.1. with ISE Version 1.1.1.268—Cumulative Patch 1 applied
  EVAL license
  All the documentation says it should still be there in 1.1.1 unless im missing a trick?

  If you are referring to the ACL for the wireless lan controller that has change to the "Airespace ACL Name".
  This looks like a documentation bug.
  Tarik Admani
  *Please rate helpful posts*

• NAC for wireless layer 3 oob

  Hi,
  Anyone implemented nac for wireless layer 3 oob? This is using nac appliance not ise.
  What I did is to configure wlc as per layer 2 oob setup. Configure svi 669 (authentication/quarantine vlan) on switches that’s with the wism. Pbr all vlan 669 traffic to test cas untrusted interface.
  Problem now I’m not able to get an ip from dhcp after associating. DHCP works when tested on wired. Is there any additional config to be done on WLC or am i doing it right??
  The test cas/cam are ugraded to ver 4.8.2.
  Regards
  Joachim

  Everyone can do a mistake and it seems I did a big one :-)
  l3 wireless OOB was not supported until last version :
  §Wireless L3 OOB RIP has been introduced in 4.8.2.
  §In order to support wireless in L3 OOB RIP deployment – DHCP release and renew values were propagated from CAS to the client so that client can perform IP refresh.
  §The configuration of WLC and AP’s needs to be done like in Wireless L2 OOB VGW deployments.
  §There are no ports in WLC hence Port profile is not required
  §WLC allows only two VLAN’s namely Quarantine (Auth) and Access VLAN’s. Hence the support for User role Vlans is not there in Wireless deployments.
  §iPhone/iPad support is also not present. Reason being IP address cannot be refreshed in iPhone/iPad due to lack of support for Java Applet/ActiveX.
  §The authentication trap control needs to be checked in order for the WLC to send 599.0.4 trap.

• Wireless VLANs and WLC

  Hello,
  Designing a configuration for a Wireless solution. Have a 2951 with SRE-WLC and 4 port switch module. The documentation at
  http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 arised couple of questions. Exact part of diagram from documentation is attached.
  The question is that VLANs configured on SRE-WLC and ones configured on local switched belong to different subnets. Why? For example on SRE-WLC VLAN 20 - 55.20.0.0/24, but on switch - VLAN 20 - 20.1.1.0/24. Why?
  Thanks!

  Hi George,
  Today i tried implementing APs on different VLAN than MGMT. Here is what I got:
  1. New out-of-box APs didnt join to WLC once placed directly to APs VLAN. However they were able to join the WLC once I put them back to MGMT Vlan. They upgraded their IOS from WLC, joined compeletely. After that I moved them back to APs VLAN and they started to join. So, here is the procedure - Open new AP from box, connect it to MGMT VLAN, wait for joining to WLC and then move them to APs VLAN. This is a little bit strange. Also I noticed that they were unable to join teh WLC even on MGMT vlan if MGMT vlan is tagged on WLC and that tagged vlan is allowed on trunk. I have WLC on SRE, MGF trunk, VLANS and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
  2. What was the most difficult and problematic issue is that the LED was disabled on all APs after joining the WLC. I have been thinking that there is an error but only then found that APs by default turned off LED after joining the WLC. Issuing config ap led-status enable all on wlc solved the problem.
  3. Also I regularly have been receiving
  %PARSER-4-BADCFG: Unexpected end of configuration file.
  during the AP joining to WLC. Dont know why. My APs are LAP1041n.
  ANyways, will continue digging tomorrow, hopefully will find a stable solution. My ideal solution will be:
  1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
  2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
  3. Clients are on separate USERS VLAN - tagged vlan 10
  The native VLAN will be other VLAN - VLAN 25.

• Wireless AP design for Wireless IPPhone 7921

  FOr a client they are asking 40 Wireless IP Phone, with 3 floors, IPT side I am clear in design, but for access point design I am bit confused with standalone and WLC design.
  Could please light me on Wireless design for standalone AP and WLC controller with AP , in the design plan to give both as options.
  And also how to confirm a AP is a standalone or it wil work only with WLC.
  Please light me with wireless design for IPT.

  I would suggest you subcontract this to a partner who is familiar with wireless voice designs. There are a lot of details and caveats to make sure it works.
  For example: autonomous APs are not viable for voice installations. You need a controller to prevent the roam times from interrupting the call.
  At a minimum, you should read the Voice over Wireless LAN Design Guide:
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_voice_wireless.html

• Post-Authentication ACL in Wireless Controller question

  Hey guys,
  I'm trying to setup an ACL for "after" people login to our wireless network to allow them access ONLY to web, not file servers or sql servers, etc.
  I found how to configure an ACL, but it's pre-authentication and after people log in, they have access to everything.
  Any ideas?
  I'm using a Wireless Controller 2504
  Thanks.

  I think I found it, there is a override ACL after login, I set this one up (see picture), but even though I can do a nslookup and I can ping any site, when I try to go online, I get nothing.
  What am I forgetting?