ACLs on Wireless LAN Controllers: Rules,
Limitations, and Examples
Document ID: 81733
Contents
Introduction
 Prerequisites
      Requirements
      Components Used
      Conventions
 Understand ACLs on a WLC
 ACL Rules and Limitations
      Limitations of WLC Based ACLs
      Rules for WLC Based ACLs
 Configurations
      ACL Example with DHCP, PING, HTTP, and DNS
      ACL Example with DHCP, PING, HTTP, and SCCP
 Appendix: 7920 IP Phone Ports
 Related Information
Introduction
This document provides information about access control lists (ACLs) on Wireless LAN Controllers (WLCs).
This document explains the current limitations and rules, and gives relevant examples. This document is not
meant to be a replacement for ACLs on Wireless LAN Controller Configuration Example, but to provide
supplemental information.
Note: For Layer 2 ACLs or additional flexibility in Layer 3 ACL rules, Cisco recommends that you configure
ACLs on the first hop router connected to the controller.
The most common mistake occurs when the protocol field is set to IP (protocol=4) in an ACL line with the
intention of permitting or denying IP packets. Because this field actually selects what is encapsulated inside
the IP packet, such as TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP), it
translates into blocking or allowing IP-in-IP packets. Unless you want to block Mobile IP packets, IP must
not be selected in any ACL line. Cisco bug ID CSCsh22975 (registered customers only) changes IP to
IP-in-IP.
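The following Python model is an added illustration (not Cisco code and not the WLC's matching engine) of why selecting protocol 4 is the mistake described above: the rule layout and the `lint` helper are assumptions, while the protocol numbers are the real IANA assignments. It evaluates a simplified ACL against sample packets and flags any line that selects IP-in-IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IANA-assigned IP protocol numbers (real values); "IP" in the WLC GUI maps to 4.
ICMP, IP_IN_IP, TCP, UDP = 1, 4, 6, 17
ANY = None  # models the WLC "Any" protocol choice (assumption)


@dataclass
class AclLine:
    action: str                # "permit" or "deny"
    protocol: Optional[int]    # IANA protocol number, or ANY
    src: str                   # source network in CIDR form
    dst: str                   # destination network in CIDR form


@dataclass
class Packet:
    protocol: int              # what is encapsulated inside the IP header
    src: str
    dst: str


def matches(line: AclLine, pkt: Packet) -> bool:
    """A line matches only if protocol, source and destination all match."""
    if line.protocol is not ANY and line.protocol != pkt.protocol:
        return False
    return (ip_address(pkt.src) in ip_network(line.src)
            and ip_address(pkt.dst) in ip_network(line.dst))


def evaluate(acl: List[AclLine], pkt: Packet) -> str:
    """First matching line wins; unmatched traffic is denied (implicit deny)."""
    for line in acl:
        if matches(line, pkt):
            return line.action
    return "deny"


def lint(acl: List[AclLine]) -> List[int]:
    """Return indexes of lines that select protocol 4, i.e. IP-in-IP, which
    almost never means what the administrator intended."""
    return [i for i, line in enumerate(acl) if line.protocol == IP_IN_IP]


# Constructed sample ACLs: the mistaken one selects "IP" (4), the correct one "Any".
MISTAKEN_ACL = [AclLine("permit", IP_IN_IP, "10.0.0.0/8", "0.0.0.0/0")]
CORRECT_ACL = [AclLine("permit", ANY, "10.0.0.0/8", "0.0.0.0/0")]
CLIENT_TCP = Packet(TCP, "10.1.1.20", "192.0.2.80")       # ordinary web traffic
TUNNELED = Packet(IP_IN_IP, "10.1.1.20", "192.0.2.80")   # only this matches protocol 4
```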
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
• Knowledge of how to configure the WLC and Lightweight Access Point (LAP) for basic operation
• Basic knowledge of Lightweight Access Point Protocol (LWAPP) and wireless security methods