Cisco WLC CPU ACL

2015-12-15 Thread Dennis Xu
Has anyone implemented CPU ACLs on Cisco WLCs, and are there any lessons learned?

I would like to apply CPU ACLs to protect WLC dynamic interfaces and hope it 
will not break anything. :)

Thanks!

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca 
www.uoguelph.ca/ccs

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: Cisco WLC CPU ACL

2015-12-15 Thread Felix Windt
We are running CPU ACLs both on IPv4 and IPv6. The obvious thing is that you 
want to make sure to account for all your CAPWAP sources and all your 
management stations. If you use Prime Infrastructure to manage your WLCs, 
definitely don't forget accounting for that.

Also for Prime: its ACL builder is horrible, so we kept it intentionally simple 
with the least number of ACEs (often permitting all IP traffic instead of 
branching out to protocols, for example on the dedicated networks for APs 
sourcing CAPWAP tunnels). The worst gotcha is that ACLs are submitted line by 
line, which at one point locked out Prime itself since it created something 
that didn't account for itself. The workaround is to always first disable CPU 
ACLs entirely, then to submit the new ACL, double check that it's applied 
correctly, and to only then re-enable it for enforcement.

Otherwise we've had no issues whatsoever.

Hope that helps,

felix

Dartmouth


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Dennis Xu <d...@uoguelph.ca>
Sent: Tuesday, December 15, 2015 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC CPU ACL


Re: [WIRELESS-LAN] Cisco WLC CPU ACL

2015-12-15 Thread Matthew Newton
On Tue, Dec 15, 2015 at 08:54:15PM +0000, McClintic, Thomas wrote:
> My understanding is that the CAPWAP traffic is not controlled by the CPU ACL.

"show rules" at the CLI will show you the built-in ACLs which are
automatically added to cover things like this. It covers everything
normally used, though I've found it misses RADIUS CoA udp/3799.
(This wasn't the case years ago on version 4.)

We use CPU ACLs - work fine. Apart from one 2504 controller where
applying the CPU ACL just blocks pretty much everything, so
there's a bug somewhere on that device. On everything else
(another 2504, 5508s, 8510s, and even on the old 4404s) never had
a problem.

Only real issue I have is that the Cisco/Airespace programmers
were smoking something far too strong when they designed ACLs for
AireOS. The syntax needs replacing with IOS ACLs as soon as
possible. They work fine, but are tedious to configure from the
CLI. So other comments stand - disable ACLs, apply new one,
re-enable ACL. You pretty much have to do that anyway, so just
make sure rule 1 permits SSH from your management network and
you'll be fine if something does happen to go wrong.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 

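The two replies above boil down to one procedure: enumerate every source that must keep reaching the controller (management stations, Prime, the AP networks sourcing CAPWAP, and the RADIUS server for CoA udp/3799, which "show rules" does not cover), make sure rule 1 permits SSH from the management network, and only then disable the CPU ACL, push the new one, verify it and re-enable it. The script below is an added example written for this thread; it is not from any poster or from Cisco. It runs a pre-flight check of a draft rule set against that required-reachability list and then emits the AireOS CLI sequence. All addresses, rule contents and the `Rule`/`Required`/`preflight`/`to_cli`/`apply_sequence` names are constructed for the example; the `config acl ...` syntax follows the AireOS command reference, and the example assumes the CPU ACL has the usual implicit deny at the end.

```python
"""Pre-flight check and CLI generator for an AireOS CPU ACL (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# AireOS takes the IP protocol number (or "any") in "config acl rule protocol".
IP_PROTO = {"any": "any", "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Rule:
    """One ACE of the draft CPU ACL, destination is always the controller itself."""
    index: int
    action: str              # "permit" or "deny"
    source: IPv4Network      # IPv4Network("0.0.0.0/0") means any source
    proto: str               # a key of IP_PROTO
    dst_port: Optional[int]  # None means any destination port

    def matches(self, src: IPv4Address, proto: str, port: int) -> bool:
        return (src in self.source
                and self.proto in ("any", proto)
                and self.dst_port in (None, port))


@dataclass(frozen=True)
class Required:
    """Something that must still reach the controller after the ACL is enforced."""
    label: str
    src: IPv4Address
    proto: str
    port: int


def first_match(rules: List[Rule], req: Required) -> Optional[Rule]:
    """ACLs are evaluated in index order; no match means the implicit deny."""
    for r in sorted(rules, key=lambda r: r.index):
        if r.matches(req.src, req.proto, req.port):
            return r
    return None


def preflight(rules: List[Rule], required: List[Required], mgmt_net: IPv4Network) -> List[str]:
    """Return the list of problems; an empty list means the draft is safe to push."""
    problems = []
    rule1 = next((r for r in rules if r.index == 1), None)
    if not (rule1 and rule1.action == "permit" and rule1.source == mgmt_net
            and rule1.proto == "tcp" and rule1.dst_port == 22):
        problems.append("rule 1 must permit SSH (tcp/22) from the management network")
    for req in required:
        hit = first_match(rules, req)
        if hit is None:
            problems.append(f"{req.label}: no matching rule, hits the implicit deny")
        elif hit.action != "permit":
            problems.append(f"{req.label}: denied by rule {hit.index}")
    return problems


def to_cli(name: str, rules: List[Rule]) -> List[str]:
    """Render the rule set as AireOS 'config acl' lines (one ACE per index)."""
    lines = [f"config acl create {name}"]
    for r in sorted(rules, key=lambda r: r.index):
        i = r.index
        lines += [
            f"config acl rule add {name} {i}",
            f"config acl rule source address {name} {i} "
            f"{r.source.network_address} {r.source.netmask}",
            f"config acl rule destination address {name} {i} 0.0.0.0 0.0.0.0",
            f"config acl rule protocol {name} {i} {IP_PROTO[r.proto]}",
        ]
        if r.dst_port is not None:
            lines.append(f"config acl rule destination port range {name} {i} "
                         f"{r.dst_port} {r.dst_port}")
        lines += [f"config acl rule direction {name} {i} in",
                  f"config acl rule action {name} {i} {r.action}"]
    lines.append(f"config acl apply {name}")
    return lines


def apply_sequence(name: str, rules: List[Rule]) -> List[str]:
    """Felix's order of operations: disable, push, verify, then re-enable."""
    return (["config acl cpu none"] + to_cli(name, rules)
            + [f"show acl detailed {name}", f"config acl cpu {name}", "show acl cpu"])


# Constructed sample topology (not from the thread).
MGMT_NET = IPv4Network("10.10.0.0/24")        # NOC / management stations
PRIME = IPv4Address("10.10.0.50")             # Prime Infrastructure server
AP_NET = IPv4Network("10.20.0.0/16")          # AP networks sourcing CAPWAP
RADIUS = IPv4Address("10.10.5.10")            # RADIUS server, sends CoA

DRAFT = [
    Rule(1, "permit", MGMT_NET, "tcp", 22),                        # SSH first, always
    Rule(2, "permit", MGMT_NET, "tcp", 443),                       # GUI
    Rule(3, "permit", IPv4Network("10.10.0.50/32"), "udp", 161),   # Prime SNMP polling
    Rule(4, "permit", AP_NET, "any", None),                        # all IP from AP nets
    Rule(5, "permit", IPv4Network("10.10.5.10/32"), "udp", 3799),  # RADIUS CoA
]
REQUIRED = [
    Required("SSH from management", IPv4Address("10.10.0.7"), "tcp", 22),
    Required("Prime SNMP", PRIME, "udp", 161),
    Required("CAPWAP control from an AP", IPv4Address("10.20.3.4"), "udp", 5246),
    Required("RADIUS CoA", RADIUS, "udp", 3799),
]

if __name__ == "__main__":
    issues = preflight(DRAFT, REQUIRED, MGMT_NET)
    print("\n".join(issues) if issues else "\n".join(apply_sequence("CPU-ACL", DRAFT)))
```

Dropping rule 5 from `DRAFT` makes `preflight` report the CoA gap Matthew describes, and reordering so SSH is not rule 1 is caught before anything is pushed, which is the point of doing the check offline rather than on the controller.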


RE: Cisco WLC CPU ACL

2015-12-15 Thread McClintic, Thomas
My understanding is that the CAPWAP traffic is not controlled by the CPU ACL.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Felix Windt
Sent: Tuesday, December 15, 2015 2:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC CPU ACL
