Monday, November 7, 2016

L2 and L3 ACLs on WLC


This document will help you understand and configure Access Control Lists
(Layer 2 and Layer 3) on a Cisco Wireless LAN Controller (WLC).

Access Control List - As the name suggests, an ACL is a way of controlling the access or permissions of a user (or service) according to your requirements.
An ACL is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied or audited for that trustee.

An access list is a list of conditions that categorise packets, and it is really helpful when you need to exercise control over network traffic.

For example, you can set them to make very specific decisions about regulating traffic patterns so that they only allow certain hosts to access web resources on the Internet while restricting others. As another instance, if a server has an ACL that contains (Sam: read, write (full access); Mike: read), this gives Sam permission to read and write the file and Mike permission only to read it.



Layer 3 Access Control List - A security feature that allows packet filtering based on IP addresses. An L3 ACL is configured on the WLC as follows:

Go to Security > Access Control Lists > Access Control Lists.
Check the Enable Counter box to get the number of hits on every configured ACL.

To create a new ACL,
click New, enter the Access Control List Name and choose the ACL Type (IPv4 or IPv6).

IPv6 ACL is configured in the same way as IPv4.

Fig-1


After creating the ACL by providing its name, rules need to be added.
On a Cisco controller, 64 ACLs can be defined, each with up to 64 rules (or filters).

To add a new rule, the sequence number, source, destination, protocol, DSCP, direction and action need to be provided.

i. Sequence - Any number between 1 and 64.
ii. Source - A specific IP segment, or Any.
iii. Destination - A specific IP segment, or Any.
iv. Protocol - TCP, UDP, IP, OSPF etc.
v. DSCP - The QoS property (DSCP marking) the rule matches on.
vi. Direction - The direction of the ACL with respect to the WLC. Traffic coming from wireless clients to the WLC is called Inbound; traffic going from the WLC to wireless clients is called Outbound.
vii. Action - The result applied when the rule matches: either Deny or Permit.

Note: If both Source and Destination are 'Any', the direction can be incoming or outgoing. But if either the source or the destination is not Any, the direction of the filter must be given, and an inverse statement in the opposite direction must be created (with the destination becoming the source and vice versa) so that the return traffic is matched too.
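As an added illustration (not part of the original post), the following Python model reproduces how an L3 ACL is walked in sequence order, stops at the first matching rule, and falls through to the implicit deny at the end of every WLC ACL; the sample ACL, addresses, CIDR input format and the comparison with and without the inverse rule from the Note above are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
MAX_RULES = 64  # the WLC allows up to 64 rules per ACL, sequence numbers 1-64

@dataclass
class Ace:
    seq: int        # sequence number, 1-64
    src: str        # "any" or an IP segment in CIDR notation (hypothetical input format)
    dst: str        # "any" or an IP segment in CIDR notation
    proto: str      # "any", "tcp", "udp", "ospf", ...
    direction: str  # "in" (client -> WLC), "out" (WLC -> client) or "any"
    action: str     # "permit" or "deny"
    hits: int = 0   # per-rule counter, like "Enable Counter" on the controller

def _match(field, addr):
    return field == "any" or ip_address(addr) in ip_network(field)

class L3Acl:
    def __init__(self, name):
        self.name, self.rules = name, []

    def add(self, ace):
        if not 1 <= ace.seq <= MAX_RULES or len(self.rules) >= MAX_RULES:
            raise ValueError("sequence must be 1-64 and an ACL holds at most 64 rules")
        if (ace.src != "any" or ace.dst != "any") and ace.direction == "any":
            raise ValueError("a rule with a specific source/destination needs a direction")
        self.rules.append(ace)
        self.rules.sort(key=lambda a: a.seq)  # rules are evaluated in sequence order

    def evaluate(self, src, dst, proto, direction):
        for r in self.rules:  # first match wins
            if (_match(r.src, src) and _match(r.dst, dst)
                    and r.proto in ("any", proto) and r.direction in ("any", direction)):
                r.hits += 1
                return r.action
        return "deny"  # a WLC ACL ends with an implicit deny

def web_server_acl(with_inverse):
    """Constructed sample: clients in 10.1.1.0/24 may reach web server 192.168.5.10 over TCP."""
    acl = L3Acl("WEB-ONLY")
    acl.add(Ace(1, "10.1.1.0/24", "192.168.5.10/32", "tcp", "in", "permit"))
    if with_inverse:  # the inverse statement from the Note: src/dst swapped, direction flipped
        acl.add(Ace(2, "192.168.5.10/32", "10.1.1.0/24", "tcp", "out", "permit"))
    return acl

if __name__ == "__main__":  # constructed check: replies are dropped until the inverse rule exists
    for inverse in (False, True):
        acl = web_server_acl(inverse)
        print(inverse, acl.evaluate("10.1.1.20", "192.168.5.10", "tcp", "in"),
              acl.evaluate("192.168.5.10", "10.1.1.20", "tcp", "out"))
```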

Fig-2

After creating the ACL, it can be applied to interfaces as shown in Fig-2.
                                  
Note: The ACL on the interface can be overridden under WLANs > WLAN > Advanced > Override Interface ACL.



Layer 2 Access Control List - Layer 2 protocols can be permitted or denied using an L2 ACL.
The maximum number of ACEs (Access Control Entries) per L2 ACL is 16, i.e. one L2 ACL can contain up to 16 Access Control Entries.

Below is a list of some L2 protocols available in the controller's ACL configuration:

i. ARP (Address Resolution Protocol)
ii. WOL (Wake-On-LAN)
iii. LLDP (Link Layer Discovery Protocol)
iv. CDP (Cisco Discovery Protocol, Cisco proprietary)
v. IPv6 (Internet Protocol Version 6)

To create an L2 ACL,
go to Security > Layer2 ACLs, click New and enter the Access Control List Name.

Fig-3

After the ACL is created, ACEs (rules) can be added.

Fig-4

The L2 protocols present in the wireless controller can be denied or permitted.
Custom protocols can also be added.

Fig-5



Suppose a custom protocol such as CDP needs to be permitted or denied. Then the Ether Type in the drop-down list needs to be set to Custom, and the Ether Type and Ether Mask fields must be provided for the protocol (for example, the CDP Ether Type is 2000 in hexadecimal).

Fig-6


After creation, the L2 ACL needs to be applied to the WLAN.

Fig-7


