There are quite a few methods to filter certain kinds of traffic on Cisco’s autonomous access-points. This post gives a overview of the different methods and how to use them based on use cases.
Use case |
Configuration |
Deny wireless client to associate with AP |
access-list 700 deny 1c1d.862c.70f0 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffffdot11 association mac-list 700 |
Deny wireless client to associate with specific SSID |
access-list 700 deny 1c1d.862c.70f0 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffffinterface Dot11RadioX.X
bridge-group x input-address-list 700 |
Deny wireless client to client traffic |
interface Dot11RadioX.X
bridge-group x port-protected |
Deny wireless to wired IPv4 traffic |
ip access-list extended ACL-IPV4-DENY
deny icmp any any
permit ip any anyinterface Dot11RadioX.X
ip access-group ACL-IPV4-DENY in |
Deny wireless to wired IPv6 traffic |
ipv6 access-list ACL-IPV6-DENY
deny icmp any any
permit ipv6 any anyinterface Dot11RadioX
ipv6 traffic-filter ACL-IPV6-DENY in
Note: it is possible to apply this ACL on a sub interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063.
|
Deny wired to wireless IPv4 traffic |
ip access-list extended ACL-IPV4-DENY
deny icmp any any
permit ip any anyinterface gigabitEthernetX.X
ip access-group ACL-IPV4-DENY in |
Deny wired to wireless IPv6 traffic |
ipv6 access-list ACL-IPV6-DENY
deny icmp any any
permit ipv6 any anyinterface gigabitEthernetX
ipv6 traffic-filter ACL-IPV6-DENY in
Note: it is possible to apply this ACL on a sub interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063.
|
This post is a quick reference for configuring management authentication with RADIUS for AirOS and IOS-XE based WLCs.
Platform |
RADIUS server configuration |
AirOS |
Protocol: PAP_ASCII
Match on: Radius Service-Type equals “Nas Prompt”
Return back: Radius Service-Type = Administrative (full access)
Return back: Radius Service-Type = Nas Prompt (read-only access)
Return back: Radius Service-Type = Call-Back Administrative (lobby admin) |
IOS & IOS-XE |
Protocol: PAP_ASCII
Match on: Radius NAS Port id contains “tty” (for CLI)
Match on: Radius NAS Port Type “Virtual” (for GUI)
Return back: Cisco cisco-av-pair = shell:priv-lvl=15 |
When new licensing models are being published the first thing that vendors release are the marketing brochures. Due to this is selling the new “stuff” usually not the biggest problem (except when certain features have been moved to another “level”, but how often does that happen.. right?..). The more difficult part is finding out how the new process works and which codes, files and/or commands need to be entered on the box to get it running. This post is about Cisco ONE licensing in conjunction with the 5508 WLC to help fellow engineers 🙂 .
Regular licensing for the 5508 WLC is pretty straightforward: you buy a 5508 with a certain amount of AP licenses on it and you can upgrade this amount if needed up to 500 AP licenses. It gets a little more complicated if you add HA SSO in the mix: the primary 5508 needs to have a permanent license (12 AP licenses is enough), the secondary 5508 needs to be at least licensed with 50 AP licenses or needs to be a dedicated HA SKU unit (which is just as expensive as a regular 5508 with 50 AP licenses).
With Cisco ONE the idea is that you always buy controllers (C1-AIR-CT5508-K9) with zero AP licenses and depending on your needs you buy a certain amount of C1 licenses. The nice part with those C1 licenses is that also node licenses for Prime Infrastructure, MSE and ISE are included so you don’t need to order them separately anymore. When you order the controllers and C1 licenses you will receive a eDelivery link to download the PAK codes. Those PAK codes can be registered on the Cisco website and will give you for the 5508 controller regular LIC files which you need to upload to the controller. Nice detail: the C1-AIR-CT5508-K9 controller without any licenses can function as a HA SKU as well, which is a much cheaper solution comparing to the regular licensing.
What about mixing this new license model with install base? This is the tricky part. The official statement that I received from Cisco is that mixing the old and new licensing model is not supported and the install base should be migrated to the new form of licensing. From my own testing I can say that you can pair a regular licensed 5508 with an C1 controller as secondary unit in HA SSO setup without any problems. Same goes for upgrading the AP licenses of regular licensed controllers with C1 licenses. Official documentation regarding this is simply not available but I don’t think that Cisco wants you do to that…
Hopefully this information helps with your first Cisco ONE implementation 🙂
CCIE #53532, Frisian, curious, workaholic, wireless, security and more!