Wireless Access


Denying Controller Management Access from outer world

  • 1.  Denying Controller Management Access from outer world

    Posted Jun 18, 2013 08:59 AM

    Our controller has been deployed at the edge, facing the internet with a public IP address.

    The users get IP addresses from the controller's internal DHCP server, and those are source-NATed to the public IP address of the controller.

    Everything is working perfectly fine, but now the issue is that the management of the controller is accessible from anywhere in the world because of the public IP address. We want to restrict the controller so that it cannot be accessed from the outer world. I guess it can be done using an ACL, but I'm not very good at it. I shall be thankful if someone helps me to configure the same.




  • 2.  RE: Denying Controller Management Access from outer world

    Posted Jun 18, 2013 09:08 AM

    I have planned to implement the following ACL on the controller uplink interface, but before that I want to make sure that my user traffic will not suffer after applying it.


    ip access-list session "Controller-Access"
    alias "management-subnet" host xxx.xxx.xxx.xxx tcp 4343 4343 permit queue low
    any host xxx.xxx.xxx.xxx tcp 4343 4343 deny queue low
    alias "management-subnet" host xxx.xxx.xxx.xxx "svc-ssh" permit queue low
    any host xxx.xxx.xxx.xxx "svc-ssh" deny queue low
    any any any permit queue low
    !
    interface gigabitethernet 1/0
    ip access-group "Controller-Access" session


    where xxx.xxx.xxx.xxx is the controller's public IP address. The only doubt in my mind is that all the user traffic is NATed to the public IP address of the controller, so this policy may disrupt that traffic.



  • 3.  RE: Denying Controller Management Access from outer world

    Posted Jun 18, 2013 09:11 AM


    You can create an ACL (access-group) and apply it to your interface.

    - Create a netdestination for the network you want to allow to reach the controller, and also a netdestination for the controller IP:

    netdestination ACCESS
    network 10.10.0.0 255.255.0.0
    !
    netdestination CONTROLLER-IPS
    network 172.16.0.0 255.255.0.0
    !
    ip access-list session CONTROLLER-PROTECTION-ACL
    alias ACCESS alias CONTROLLER-IPS svc-ssh permit
    alias ACCESS alias CONTROLLER-IPS svc-https permit
    alias ACCESS alias CONTROLLER-IPS svc-icmp permit
    alias CONTROLLER-IPS alias ACCESS any permit
    any alias CONTROLLER-IPS svc-ssh deny
    any alias CONTROLLER-IPS svc-https deny
    any alias CONTROLLER-IPS svc-icmp deny
    any any any permit
    !

    Apply it to the interface:

    interface gig 0/0/2
    ip access-group "CONTROLLER-PROTECTION-ACL" session



  • 4.  RE: Denying Controller Management Access from outer world

    Posted Jun 18, 2013 10:20 AM
    Hi Victor,

    That is the same configuration I have pasted above. In this configuration my doubt is that all of the user traffic is NATed to the controller's public IP address, so applying this access group on the uplink port may affect the user data communication.
    Please do confirm that users will not be affected after applying this access group to the uplink interface.


  • 5.  RE: Denying Controller Management Access from outer world

    Posted Jun 18, 2013 11:17 AM

    The ACL I have added just blocks SSH/HTTPS/ICMP to your controller from unknown or undefined networks.

    Everything else should be allowed.
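    Added here as an illustration, not code from any reply in this thread: a small Python model of the session ACL in reply #3, evaluated top-down with first match wins, to check the concern about NATed user traffic. It assumes the netdestination values from that reply, that the deny rules target the CONTROLLER-IPS netdestination, that 172.16.0.1 is the controller's public address and 203.0.113.5 an internet host (both constructed), and it ignores the session state that a real ArubaOS session ACL keeps.

```python
# Added example (not from the thread): first-match model of the reply #3 ACL.
# Assumptions: alias names refer to the netdestinations below, rules are
# evaluated top-down with first match wins, and session state is ignored
# (a real ArubaOS session ACL is stateful, so this is a simplification).
import ipaddress

# Service aliases used by the ACL: (protocol, destination port)
SERVICES = {"svc-ssh": ("tcp", 22), "svc-https": ("tcp", 443), "svc-icmp": ("icmp", None)}

# netdestination values copied from reply #3
NETDEST = {
    "ACCESS": [ipaddress.ip_network("10.10.0.0/16")],
    "CONTROLLER-IPS": [ipaddress.ip_network("172.16.0.0/16")],
}

# (source alias, destination alias, service, action), in ACL order
ACL = [
    ("ACCESS", "CONTROLLER-IPS", "svc-ssh", "permit"),
    ("ACCESS", "CONTROLLER-IPS", "svc-https", "permit"),
    ("ACCESS", "CONTROLLER-IPS", "svc-icmp", "permit"),
    ("CONTROLLER-IPS", "ACCESS", "any", "permit"),
    ("any", "CONTROLLER-IPS", "svc-ssh", "deny"),
    ("any", "CONTROLLER-IPS", "svc-https", "deny"),
    ("any", "CONTROLLER-IPS", "svc-icmp", "deny"),
    ("any", "any", "any", "permit"),
]

def _addr_match(alias, ip):
    return alias == "any" or any(ip in net for net in NETDEST[alias])

def _svc_match(svc, proto, dport):
    if svc == "any":
        return True
    want_proto, want_port = SERVICES[svc]
    return proto == want_proto and (want_port is None or dport == want_port)

def evaluate(src, dst, proto, dport=None):
    """Return (action, rule index) of the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (sa, da, svc, action) in enumerate(ACL):
        if _addr_match(sa, s) and _addr_match(da, d) and _svc_match(svc, proto, dport):
            return action, i
    return "deny", None  # nothing matched: implicit deny

if __name__ == "__main__":
    # Constructed flows: 203.0.113.5 = internet host, 172.16.0.1 = controller.
    print(evaluate("203.0.113.5", "172.16.0.1", "tcp", 443))    # ('deny', 5)
    print(evaluate("10.10.3.9", "172.16.0.1", "tcp", 22))       # ('permit', 0)
    # Return traffic of a NATed user session targets an ephemeral port, not 22/443.
    print(evaluate("203.0.113.5", "172.16.0.1", "tcp", 51523))  # ('permit', 7)
```

    Reply #2 matches the controller web UI on TCP 4343 whereas svc-https is TCP 443; the model follows reply #3, so adjust SERVICES if the web UI port is what needs protecting.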



  • 6.  RE: Denying Controller Management Access from outer world

    Posted Jun 19, 2013 02:53 AM
    Yeah, I got it. I am only worried about HTTPS. I will also test it and will get back to you whenever I get the downtime from the customer.

    Well, thanks Victor for your support.


  • 7.  RE: Denying Controller Management Access from outer world

    Posted Jun 20, 2013 01:32 PM


    As long as you define the networks that you want to allow, you should be fine.