4-24
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Unified Wireless Security Features
ACL and Firewall Features
The WLC allows access control lists (ACLs) to be defined for any interface configured on the WLC, as well as ACLs to be defined for the CPU of the WLC itself. These ACLs can be used to enforce policy on specific WLANs to limit access to particular addresses and/or protocols, as well as to provide additional protection to the WLC itself.
Interface ACLs act on WLAN client traffic in and out of the interfaces to which the ACLs are applied. CPU ACLs are independent of interfaces on the WLC, and are applied to all traffic to and from the WLC system.
Figure 4-20 shows the ACL Configuration page. The ACL can specify source and destination address ranges, protocols, source and destination ports, differentiated services code point (DSCP), and the direction in which the ACL is to be applied. An ACL can be created out of a sequence of various rules.
Figure 4-20 ACL Configuration Page
DHCP and ARP Protection
The WLC acts as a relay agent for WLAN client DHCP requests. In doing so, the WLC performs a number of checks to protect the DHCP infrastructure. The primary check is to verify that the MAC address included in the DHCP request matches the MAC address of the WLAN client sending the request. This protects against DHCP exhaustion attacks by restricting a WLAN client to one DHCP request (IP address) for its own interface. The WLC by default does not forward broadcast messages from WLAN clients back out onto the WLAN, which prevents a WLAN client from acting as a DHCP server and spoofing incorrect DHCP information.
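The following is an added illustration of the relay-agent check described above, not Cisco's WLC code: it parses the chaddr field of a constructed DHCPDISCOVER and relays the request only when chaddr equals the MAC the WLC learned for the sending client, so a client that forges many hardware addresses still obtains at most one lease. The frame structure, MAC values and helper names are assumptions made for the example.

```python
"""Constructed model of a DHCP-relay MAC consistency check (not Cisco's code)."""
import struct
from dataclasses import dataclass

BOOTREQUEST = 1          # op field: message from a client
HTYPE_ETHERNET = 1       # htype field: 6-byte Ethernet/802.11 MAC


@dataclass
class WlanFrame:
    src_mac: bytes   # MAC the WLC learned for the associated client (assumed)
    payload: bytes   # BOOTP/DHCP message carried by the frame


def build_dhcp_discover(chaddr: bytes, xid: int) -> bytes:
    """Build a minimal DHCPDISCOVER (RFC 2131 layout) with the given chaddr.
    Test data constructed for this example, not a real capture."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, HTYPE_ETHERNET, 6, 0,
                        xid, 0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr_field = chaddr.ljust(16, b"\0")            # 16-byte chaddr field
    sname_and_file = b"\0" * 64 + b"\0" * 128
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, DISCOVER, end
    return fixed + chaddr_field + sname_and_file + options


def dhcp_chaddr(payload: bytes) -> bytes:
    """Return the hardware address claimed inside a client DHCP request, or raise
    ValueError if the message is not a well-formed Ethernet BOOTREQUEST."""
    if len(payload) < 240:
        raise ValueError("truncated DHCP message")
    op, htype, hlen = struct.unpack("!BBB", payload[:3])
    if op != BOOTREQUEST or htype != HTYPE_ETHERNET or hlen != 6:
        raise ValueError("not a client request with a 6-byte hardware address")
    return payload[28:28 + hlen]                      # chaddr starts at offset 28


def relay_accepts(frame: WlanFrame) -> bool:
    """The check the text describes: relay only if chaddr equals the sender's MAC."""
    try:
        return dhcp_chaddr(frame.payload) == frame.src_mac
    except ValueError:
        return False


def filter_requests(frames):
    """Split a burst of client frames into relayed and dropped, as the relay would."""
    relayed, dropped = [], []
    for f in frames:
        (relayed if relay_accepts(f) else dropped).append(f)
    return relayed, dropped
```

A burst of requests from one sender that carries its own MAC in the first chaddr and different ones in the rest yields exactly one relayed request; malformed messages and server-side messages (op != 1) arriving from a client are dropped as well.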