Cisco WLC CPU ACL
Has anyone implemented CPU ACLs on Cisco WLCs, and are there any lessons learned? I would like to apply CPU ACLs to protect WLC dynamic interfaces and hope it will not break anything. :) Thanks!

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: Cisco WLC CPU ACL
We are running CPU ACLs on both IPv4 and IPv6. The obvious thing is that you want to make sure to account for all your CAPWAP sources and all your management stations. If you use Prime Infrastructure to manage your WLCs, definitely don't forget to account for that.

Also for Prime: its ACL builder is horrible, so we kept it intentionally simple with the least number of ACEs (often permitting all IP traffic instead of branching out to protocols, for example on the dedicated networks for APs sourcing CAPWAP tunnels).

The worst gotcha is that ACLs are submitted line by line, which at one point locked out Prime itself since it created something that didn't account for itself. The workaround is to always first disable CPU ACLs entirely, then submit the new ACL, double-check that it's applied correctly, and only then re-enable it for enforcement.

Otherwise we've had no issues whatsoever.

Hope that helps,
felix
Dartmouth

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Dennis Xu <d...@uoguelph.ca>
Sent: Tuesday, December 15, 2015 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC CPU ACL
Re: [WIRELESS-LAN] Cisco WLC CPU ACL
On Tue, Dec 15, 2015 at 08:54:15PM +, McClintic, Thomas wrote:
> My understanding is that the CAPWAP traffic is not controlled by the CPU ACL.

"show rules" at the CLI will show you the built-in ACLs which are automatically added to cover things like this. It covers everything normally used, though I've found it misses RADIUS CoA udp/3799. (This wasn't the case years ago on version 4.)

We use CPU ACLs - work fine. Apart from one 2504 controller where applying the CPU ACL just blocks pretty much everything, so there's a bug somewhere on that device. On everything else (another 2504, 5508s, 8510s, and even on the old 4404s) never had a problem.

Only real issue I have is that the Cisco/Airespace programmers were smoking something far too strong when they designed ACLs for AireOS. The syntax needs replacing with IOS ACLs as soon as possible. They work fine, but are tedious to configure from the CLI.

So other comments stand - disable ACLs, apply new one, re-enable ACL. You pretty much have to do that anyway, so just make sure rule 1 permits SSH from your management network and you'll be fine if something does happen to go wrong.

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253
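The two lessons in the replies above, Felix's safe change order (disable the CPU ACL, submit the new one, double-check it, re-enable) and Matthew's rule of thumb (rule 1 permits SSH from the management network; the built-in rules miss RADIUS CoA udp/3799), combined into an added example that is not from any poster in the thread or from Cisco. It is a small pre-flight check that simulates the candidate ACL against the flows the controller must keep accepting, so the "locked ourselves out" case is caught before enforcement, and then emits the AireOS commands in the safe order. The `config acl ...` and `show acl ...` command forms are written from memory of the AireOS CLI and are an assumption to confirm against your release's command reference (older releases also took a wired/wireless/both scope on `config acl cpu`); the first-match, implicit-deny model is a simplification; every address, host and port below is constructed sample data.

```python
"""Pre-flight check for a Cisco WLC (AireOS) CPU ACL before it is enforced.

Added example, not from the thread or from Cisco. Command keywords are as the
editor recalls them from AireOS and must be checked against your release.
All networks, hosts and port numbers are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_NUM = {"any": "any", "tcp": "6", "udp": "17"}  # AireOS takes IP protocol numbers


@dataclass(frozen=True)
class Ace:
    index: int                                 # AireOS rule index; rule 1 is evaluated first
    action: str                                # "permit" or "deny"
    src: str                                   # source network, CIDR
    proto: str = "any"                         # "any", "tcp" or "udp"
    dport: Optional[Tuple[int, int]] = None    # destination port range, None = any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


def lookup(acl: List[Ace], src_ip: str, proto: str, dport: int) -> str:
    """Action the CPU ACL takes for one flow towards the controller (first match wins)."""
    for ace in sorted(acl, key=lambda a: a.index):
        if ace.matches(src_ip, proto, dport):
            return ace.action
    return "deny"  # implicit deny at the end: this is the lockout case


# Flows the controller must keep accepting (constructed; adapt to your environment).
# CAPWAP is covered by the built-in rules ("show rules"), so it is not listed; RADIUS
# CoA udp/3799 is listed because the thread reports the built-in rules miss it.
REQUIRED_FLOWS = [
    ("ssh from management host", "10.10.0.5", "tcp", 22),
    ("snmp from Prime Infrastructure", "10.10.0.20", "udp", 161),
    ("radius coa from RADIUS server", "10.20.0.9", "udp", 3799),
]


def preflight(acl: List[Ace]) -> List[str]:
    """Every required flow the ACL would drop; an empty list means it is safe to enable."""
    problems = []
    _, ssh_src, ssh_proto, ssh_port = REQUIRED_FLOWS[0]
    first = min(acl, key=lambda a: a.index)
    if not (first.action == "permit" and first.matches(ssh_src, ssh_proto, ssh_port)):
        problems.append("rule 1 does not permit SSH from the management network")
    for label, src, proto, dport in REQUIRED_FLOWS:
        if lookup(acl, src, proto, dport) != "permit":
            problems.append(f"{label} ({src} {proto}/{dport}) would be denied")
    return problems


def render_cli(name: str, acl: List[Ace]) -> List[str]:
    """Emit the change in the safe order: disable, build, apply, verify, re-enable."""
    lines = ["config acl cpu none"]  # step 1: nothing is enforced while the ACL is edited
    lines.append(f"config acl create {name}")
    for a in sorted(acl, key=lambda a: a.index):
        net = ip_network(a.src)
        lines += [
            f"config acl rule add {name} {a.index}",
            f"config acl rule source address {name} {a.index} {net.network_address} {net.netmask}",
            f"config acl rule protocol {name} {a.index} {PROTO_NUM[a.proto]}",
            f"config acl rule direction {name} {a.index} any",
            f"config acl rule action {name} {a.index} {a.action}",
        ]
        if a.dport is not None:
            lines.append(f"config acl rule destination port range {name} {a.index} "
                         f"{a.dport[0]} {a.dport[1]}")
    lines.append(f"config acl apply {name}")
    lines.append(f"show acl detailed {name}")  # step 3: double-check before enforcing
    lines.append(f"config acl cpu {name}")     # step 4: re-enable enforcement
    return lines


# Constructed ACLs: the first forgets CoA (the gotcha from the thread), the second adds it.
ACL_MISSING_COA = [
    Ace(1, "permit", "10.10.0.0/24", "tcp", (22, 22)),
    Ace(2, "permit", "10.10.0.20/32", "udp", (161, 162)),
]
ACL_COMPLETE = ACL_MISSING_COA + [Ace(3, "permit", "10.20.0.0/24", "udp", (3799, 3799))]

if __name__ == "__main__":
    for label, acl in (("missing-coa", ACL_MISSING_COA), ("complete", ACL_COMPLETE)):
        print(label, "->", preflight(acl) or "OK")
    print("\n".join(render_cli("WLC-CPU", ACL_COMPLETE)))
```

Run as-is, the first ACL reports that the CoA flow would be denied and the second passes; only then is the command list worth pasting. Extend `REQUIRED_FLOWS` with every CAPWAP source and management station you rely on, since, as Felix notes, the ACL builder in Prime will not do that accounting for you.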
RE: Cisco WLC CPU ACL
My understanding is that the CAPWAP traffic is not controlled by the CPU ACL.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Felix Windt
Sent: Tuesday, December 15, 2015 2:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC CPU ACL