Solved

Cisco WLC 4402 and ACLs

Posted on 2014-03-24
Last Modified: 2014-03-26
I have a WLC 4402 with a dozen LW1130s and would like to see how to open some things up on the Guest network. I can find no ACLs on the WLC; under Security > Access Control Lists, there are none listed. But I want to test an application that needs a few UDP & TCP ports open to talk between wireless iPads. I am assuming that the WLC is blocking all of the traffic between peers on the Guest WLAN, but am not sure. Can anyone tell me if that is the default for the Guest network, to block all internal traffic between peers? And how can I define a port to allow traffic between clients on the guest network? Thanks
Question by:SIDESHOWBLAH
4 Comments
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39951148
I believe that Guest WLANs are just normal WLANs that you can configure just for guests and throw that traffic on a separate VLAN. You can also control what type of authentication is used to gain access to that WLAN. Initially, until authentication has happened, no access between any devices, peer or otherwise, would be had until that is achieved.

I use just regular SSIDs and VLANs for my guest wifi. If you're referring to the "Guest LAN" check box in the controller, I believe this is for extending the guest network functionality from the wireless to the wired LAN as well.

ACLs are managed under Security -> Access Control Lists (Left hand menu) -> Access Control Lists. This is where I manage all of my wireless ACLs.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39951625
Yup, Guest WLANs are regular WLANs, SSID-wise.

To stop clients from seeing each other there's an option called 'P2P Blocking Action' which stops all clients on the same AP from seeing each other. You'll find this option on the WLAN's 'Advanced' tab...

WLAN P2P Blocking Action
Set that to 'Disabled' and it will allow clients to see each other.

Note though that this doesn't stop a client from seeing a client on another AP unless the 'Forward-Upstream' option is set and there is an ACL at the upstream router.
0
 

Author Comment

by:SIDESHOWBLAH
ID: 39952966
Thanks.  So to allow clients to see each other, the P2P Blocking Action should be set to Disabled.  But then to allow traffic between APs, what would be the desired setting?
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39953055
Disabled.

I need to explain my previous comment to clarify what I mean.  I was a bit hazy so apologies for that.

There were issues with code in v7 which meant this didn't work as expected (especially 7.0.116.0).  This also doesn't work as you'd expect for FlexConnect APs.

The way it is supposed to work is this...

Disabled - allows all comms between clients.  ACLs upstream at the router don't affect clients on the same WLAN as it's Layer2 (before routing).  The WLC just passes traffic within its own internal switch.

Drop - stops ALL clients on the WLAN from seeing each other as long as ALL APs are on the same WLC.  If you have more than one WLC this doesn't stop your clients from seeing clients attached to the same WLAN but via APs on a different WLC.  What happened in some versions of code is that the traffic was only limited to the same AP (as it used to be in Autonomous code).  This was fixed in 7.0.220.0 IIRC.

Forward-Upstream - forces all traffic up to the router.  This stops all comms across the APs and enables the use of ACLs to determine what's allowed between clients.
0
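
The three P2P Blocking Action settings as the accepted answer describes them, modelled in Python as an added example (not part of the thread and not Cisco code). The client, AP and WLC names, ports 5000/5001 and the `per_ap_drop_bug` flag are constructed for illustration; the model encodes only the behaviour stated in the answer.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

@dataclass(frozen=True)
class Client:
    name: str
    ap: str
    wlc: str

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any protocol
    port: Optional[int] = None   # destination port; None matches any

def acl_permits(acl, proto, port):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.proto in ("ip", proto) and rule.port in (None, port):
            return rule.action == "permit"
    return False

def delivered(mode, src, dst, proto, port, upstream_acl, per_ap_drop_bug=False):
    """Is a client-to-client packet on one WLAN delivered, per the answer above?"""
    if mode == "disabled":
        return True                  # switched inside the WLC; upstream ACL never sees it
    if mode == "drop":
        if src.wlc != dst.wlc:
            return True              # Drop only covers APs joined to the same WLC
        if per_ap_drop_bug:
            return src.ap != dst.ap  # affected v7 code blocked only within one AP
        return False
    if mode == "forward-upstream":
        return acl_permits(upstream_acl, proto, port)  # the router's ACL decides
    raise ValueError(f"unknown P2P blocking action: {mode}")

def reachable_pairs(mode, clients, proto, port, upstream_acl, **kw):
    """Ordered (src, dst) name pairs that can still talk on proto/port."""
    return {(a.name, b.name) for a, b in permutations(clients, 2)
            if delivered(mode, a, b, proto, port, upstream_acl, **kw)}

# Constructed sample: two iPads on ap1 and one on ap2 (both wlc1), one on wlc2.
IPADS = [Client("ipad1", "ap1", "wlc1"), Client("ipad2", "ap1", "wlc1"),
         Client("ipad3", "ap2", "wlc1"), Client("ipad4", "ap9", "wlc2")]
# Constructed ACL: placeholder application ports permitted, everything else denied.
APP_ACL = [Rule("permit", "tcp", 5000), Rule("permit", "udp", 5001),
           Rule("deny", "ip")]
```

Running `reachable_pairs` for each mode over the sample clients shows which pairs a given setting leaves open, including the cross-WLC pairs that Drop does not cover.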
