CISCO managed wireless gurus...a question

Anyone here know how to implement an access list on a CISCO 4400 WCS? There is an entry in the GUI under Security called ACL, and it LOOKS like a standard CISCO ACL, but it doesn’t seem to be doing what I want. Basically, what I’m wanting to do is put in an ACL that allows the wireless users of the managed APs to send traffic out via port 80 (www), but nothing else. I can set up an ACL on the switch and apply it to the ports the APs are located in, but if I can use this device to do the same thing it will be a much more elegant solution. Trouble is, I’ve never used one of these managed AP servers before and I’m not sure what all it can do.

Here’s what I put in:

Seq 1, permit 10.10.10.0 255.255.255.0 (to any destination) protocol 80, direction outbound

Seq 2, deny 10.10.10.0 255.255.255.0 any protocol, any source or destination, any direction

It threw me for a bit of a loop that they don’t use a reversed mask in these ACLs here, but other than that it LOOKS like it should do what I’m wanting. Trouble is, it doesn’t seem to do anything at all.

Anyone familiar with any of this?

-XT

Perhaps I’m missing something here, but a few questions.

  1. Why not block at the firewall (assuming there’s one in place) or similar point? Cisco is great for bundling features into their gear, but for the sake of avoiding WLAN latency, I’d rather have perimeter hardware managing ACLs (not that redundant blocking is a bad thing if that’s the case).

  2. Are you sure you only want to allow http traffic? What about port 443 (hell - lemme’ check my damned GMail!)? Do you really want to block DNS queries? How about SFTP (if it’s a client-facing business)? SMTP - you’ve got to have email, I would guess. The list goes on…

Perhaps you could share with us a little more about the purpose of this WLAN.

I also should have mentioned that ACLs on 4400s are kind of funky. They’re not looking at host-client connections.

From Cisco:
The WLC’s notion of inbound versus outbound is nonintuitive. It is from the perspective of the WLC facing towards the wireless client, rather than from the perspective of the client. So, inbound direction means a packet that comes into the WLC from the wireless client and outbound direction means a packet that exits from the WLC towards the wireless client.
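To make that direction convention concrete, here is a small model of how such an ACL is evaluated. This is an added example written for this thread, not Cisco code and not the poster's configuration; it models only what the quote above states (inbound = client towards WLC, outbound = WLC towards client) plus first-match evaluation with an implicit deny at the end, which are assumptions here. The addresses and ports are constructed. It evaluates the two-rule ACL from the first post against both halves of one HTTP exchange, and also shows why a rule keyed only on destination port 80 drops the reply, whose destination port is the client's ephemeral port.

```python
"""
Toy model of the WLC ACL direction convention quoted above.  Added example,
not Cisco code: it models only the semantics the quote describes (inbound =
client -> WLC, outbound = WLC -> client) plus first-match evaluation with an
implicit deny at the end, which is an assumption.  Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp"
    sport: Optional[int]
    dport: Optional[int]
    direction: str                 # "inbound" or "outbound", from the WLC's view


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None    # None = any port
    dport: Optional[int] = None
    direction: str = "any"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.direction in ("any", p.direction))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit deny (assumed)."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"


CLIENT, WEB, DNS = "10.10.10.5", "203.0.113.10", "10.10.1.53"   # constructed

# One HTTP exchange as the WLC sees it: the request arrives *from* the client
# (inbound), the reply leaves *towards* the client (outbound), with addresses
# and ports swapped.  Same for a DNS lookup and a stray RDP attempt.
HTTP_REQUEST = Packet(CLIENT, WEB, "tcp", 50000, 80, "inbound")
HTTP_REPLY = Packet(WEB, CLIENT, "tcp", 80, 50000, "outbound")
DNS_QUERY = Packet(CLIENT, DNS, "udp", 51000, 53, "inbound")
DNS_ANSWER = Packet(DNS, CLIENT, "udp", 53, 51000, "outbound")
RDP_ATTEMPT = Packet(CLIENT, "10.10.1.20", "tcp", 52000, 3389, "inbound")


def web_flow_verdicts(acl: List[Rule]) -> Tuple[str, str]:
    """(request verdict, reply verdict) for the HTTP exchange under a given ACL."""
    return evaluate(acl, HTTP_REQUEST), evaluate(acl, HTTP_REPLY)


def dns_flow_verdicts(acl: List[Rule]) -> Tuple[str, str]:
    """(query verdict, answer verdict) for the DNS lookup under a given ACL."""
    return evaluate(acl, DNS_QUERY), evaluate(acl, DNS_ANSWER)


# The ACL from the first post, read with the WLC's convention: "outbound" means
# WLC -> client, so the client's own request never matches rule 1 and falls to
# rule 2; the reply has a non-10.10.10.0/24 source and matches nothing.
XT_ACL = [
    Rule("permit", src_net="10.10.10.0/24", proto="tcp", dport=80, direction="outbound"),
    Rule("deny", src_net="10.10.10.0/24"),
]

# Destination port 80 in both directions still drops the reply: its *source*
# port is 80 and its destination port is the client's ephemeral port.
DPORT_ONLY_ACL = [
    Rule("permit", proto="tcp", dport=80, direction="any"),
    Rule("deny"),
]

# Both halves of each flow written out: client side matched on destination
# port inbound, server side matched on source port outbound, then deny all.
FIXED_ACL = [
    Rule("permit", src_net="10.10.10.0/24", proto="tcp", dport=80, direction="inbound"),
    Rule("permit", dst_net="10.10.10.0/24", proto="tcp", sport=80, direction="outbound"),
    Rule("permit", src_net="10.10.10.0/24", proto="udp", dport=53, direction="inbound"),
    Rule("permit", dst_net="10.10.10.0/24", proto="udp", sport=53, direction="outbound"),
    Rule("deny"),
]


if __name__ == "__main__":
    for name, acl in [("XT_ACL", XT_ACL), ("DPORT_ONLY_ACL", DPORT_ONLY_ACL),
                      ("FIXED_ACL", FIXED_ACL)]:
        print(name, "http:", web_flow_verdicts(acl), "dns:", dns_flow_verdicts(acl),
              "rdp:", evaluate(acl, RDP_ATTEMPT))
```

The point of the model is that a stateless ACL has to permit each flow twice, once per direction, with the port test moved from the destination port on the way in to the source port on the way out. The cost of that is visible in the outbound rule: anything arriving from source port 80 reaches the client subnet, because the ACL cannot tell a reply from an unsolicited packet. That limitation is inherent to stateless ACLs and is one reason to prefer a stateful firewall or router for this job when one is available.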

I’ve set up a couple 4400’s but I didn’t bother with any ACLs.

For what you’re trying to do, rather than do it through the WLC ACL, just do it at the router. Put your guest SSID users on a specific subnet, and then at the router use PBR to only allow port 80 traffic to pass outbound from that subnet.

If your client can afford to get raped on a 4400 I assume they have a router capable of this.

-Joe

I finally figured it out…sort of. The key is that the ACL on the 4400 is almost (but not quite) completely opposite to how CISCO normally does ACLs. Once you have that in mind, it’s easy…ok, no, it wasn’t, but it was workable.

The reason I didn’t put the ACL on the ‘router’ is that this is a pretty decentralized organization with multiple buildings all over the city. It looked like I’d need to deploy an ACL on several devices to achieve the same thing I was able to do with putting it simply on the 4400.

There was one odd thing I never could figure out. For some reason putting in an ACL rule to allow HTTP (inbound and outbound to any any) breaks the users’ connection to that service. I ended up going with a reverse system that denied things like ICMP, Telnet, port 3389 and a few other ports to deny access to our core services. That left HTTP traffic working fine (as well as DHCP) while blocking at least the essentials. It would have been easier if I could have done a deny all and simply allowed HTTP/DNS/DHCP, but that just didn’t seem to work.

Oh well, live and learn. :)

-XT