Cisco MGX-FRSM-HS2 B Serial Frame Service Module Technical Manual

Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Understand ACLs on a WLC
ACLs are made up of one or more ACL lines followed by an implicit "deny any any" at the end of the ACL.
Each line has these fields:
• Sequence Number
• Direction
• Source IP Address and Mask
• Destination IP Address and Mask
• Protocol
• Src Port
• Dest Port
• DSCP
• Action
This document describes each of these fields:
• Sequence Number: Indicates the order that ACL lines are processed against the packet. The packet is processed against the ACL until it matches the first ACL line. It also allows you to insert ACL lines anywhere in the ACL even after the ACL is created. For example, if you have an ACL line with a sequence number of 1, you can insert a new ACL line in front of it by putting in a sequence number of 1 in the new ACL line. This automatically moves the current line down in the ACL.
• Direction: Tells the controller in which direction to enforce the ACL line. There are 3 directions: Inbound, Outbound, and Any. These directions are taken from a position relative to the WLC and not the wireless client.
  ♦ Inbound: IP packets sourced from the wireless client are inspected to see if they match the ACL line.
  ♦ Outbound: IP packets destined to the wireless client are inspected to see if they match the ACL line.
  ♦ Any: IP packets sourced from the wireless client and destined to the wireless client are inspected to see if they match the ACL line. The ACL line is applied to both Inbound and Outbound directions.
    Note: The only address and mask that should be used when you select Any for the direction is 0.0.0.0/0.0.0.0 (Any). You must not specify a specific host or subnet with the "Any" direction because a new line would be required with the addresses or subnets swapped to allow for return traffic.
    The Any direction should only be used in specific situations where you want to block or allow a specific IP protocol or port in both directions, going to the wireless clients (Outbound) and coming from the wireless clients (Inbound).
    When you specify IP addresses or subnets, you must specify the direction as Inbound or Outbound and create a second new ACL line for return traffic in the opposite direction. If an
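The Python model below is an added illustration, not Cisco code or WLC configuration syntax. It shows the processing described above: lines are checked in sequence order, the first match decides, an unmatched packet hits the implicit "deny any any", and inserting at an existing sequence number moves the current line down. All addresses, ports and function names are constructed for the example, and the DSCP field is left out.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0.0.0.0"
# Constructed sample: wireless clients in 10.10.10.0/24, HTTPS server at 192.0.2.10.
CLIENTS, SERVER = "10.10.10.0/255.255.255.0", "192.0.2.10/255.255.255.255"

@dataclass
class AclLine:
    seq: int
    direction: str      # "Inbound", "Outbound" or "Any", relative to the WLC
    src: str            # "address/mask"
    dst: str
    protocol: str       # "tcp", "udp", "icmp" or "any"
    src_port: object    # int or "any"
    dst_port: object    # int or "any"
    action: str         # "permit" or "deny"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def insert_line(acl, new):
    """Insert at new.seq; lines already at or after that number move down."""
    for line in acl:
        if line.seq >= new.seq:
            line.seq += 1
    acl.append(new)
    acl.sort(key=lambda l: l.seq)

def evaluate(acl, direction, src_ip, dst_ip, protocol, src_port, dst_port):
    """direction of the packet: "Inbound" (from client) or "Outbound" (to client)."""
    for line in sorted(acl, key=lambda l: l.seq):
        if (line.direction in ("Any", direction)
                and in_net(src_ip, line.src) and in_net(dst_ip, line.dst)
                and line.protocol in ("any", protocol)
                and line.src_port in ("any", src_port)
                and line.dst_port in ("any", dst_port)):
            return line.action, line.seq   # first matching line decides
    return "deny", None                    # implicit "deny any any"

def build_acl():
    return [
        AclLine(1, "Inbound", CLIENTS, SERVER, "tcp", "any", 443, "permit"),
        AclLine(2, "Outbound", SERVER, CLIENTS, "tcp", 443, "any", "permit"),  # return traffic
        AclLine(3, "Any", ANY, ANY, "icmp", "any", "any", "permit"),
    ]

if __name__ == "__main__":
    acl = build_acl()
    print(evaluate(acl, "Inbound", "10.10.10.5", "192.0.2.10", "tcp", 50000, 443))
    print(evaluate(acl, "Inbound", "10.10.10.5", "192.0.2.10", "tcp", 50000, 22))
```

Removing line 2 from the sample ACL makes the server's replies fall through to the implicit deny, which is why a line that names addresses needs a second line in the opposite direction.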