Cisco Flex 7500 Deployment Manual page 96

Wireless branch controller
Client ACL Support

Prior to release 7.5, we support FlexConnect ACLs on the VLAN. We also support AAA override of
VLANs. If a client gets an AAA override of VLAN, it is placed on the overridden VLAN and the ACL
on the VLAN applies to the client. If an ACL is received from the AAA server for locally switched
clients, we ignore it. With release 7.5, we address this limitation and provide support for client
based ACLs for locally switched WLANs.

Guidelines

- The WLAN should be locally switched.
- The configuration will be pushed to the AP only if the WLAN is broadcast on that AP.

Client ACL Overview

a. This feature allows application of a per-client ACL for locally switched WLANs.
b. The client ACL is returned from the AAA server on successful client L2 authentication or web
   authentication as part of the Airespace RADIUS attributes.
c. The controller will be used to pre-create the ACLs at the AP. When the AP receives the ACL
   configuration, it will create the corresponding IOS ACL. Once the AAA server provides the ACL,
   the client structure will be updated with this information.
d. There will be configuration per FlexConnect group as well as per AP. A maximum of 16 ACLs
   can be created for a FlexConnect group and a maximum of 16 ACLs can be configured per AP.
e. In order to support fast roaming (CCKM/PMK) for the AAA-overridden clients, the controller
   will maintain these ACLs in the cache and push them to all APs which are part of the
   FlexConnect group.
f. In the case of central authentication, when the controller receives the ACL from the AAA server,
   it will send the ACL name to the AP for the client. For locally authenticated clients, the ACL
   will be sent from the AP to the controller as part of the CCKM/PMK cache, which will then be
   distributed to all APs belonging to the FlexConnect group.
g. Maximum of 16 client ACLs per FlexConnect group, maximum of 16 client ACLs per AP.
h. A total of 96 ACLs can be configured on the AP (32 VLAN-ACL, 16 WLAN-ACL, 16 split
   tunnel, 16 FlexConnect client ACL, 16 AP client ACL), each ACL with 64 rules.
i. The ACL will be applied on the dot11 side for the client in question. This ACL will be applied
   in addition to the VLAN ACL, which is applied on the VLAN of the Ethernet interface of the
   AP.
j. The client ACL is applied in addition to the VLAN-ACL; both can exist simultaneously and are
   applied serially.
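The following is an added example, not code from the Cisco guide: a small model of how the AP layers the AAA-returned client ACL (dot11 side) over the VLAN ACL (Ethernet side) serially, and of the controller's per-AP limit of 16 client ACLs before pre-creating another one. The names `Rule`, `Acl`, `forward_allowed` and `can_precreate_client_acl`, the CIDR rule form, and the implicit deny at the end of each ACL are assumptions modelled on IOS ACL behaviour.

```python
# Added model (not Cisco code) of serial client-ACL + VLAN-ACL evaluation on a
# FlexConnect AP, plus the per-AP client ACL limit stated in the guide.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES_PER_ACL = 64        # from the guide: each ACL carries up to 64 rules
MAX_CLIENT_ACLS_PER_AP = 16   # from the guide: 16 client ACLs per AP

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR notation (assumed rule form)
    dst: str      # destination prefix in CIDR notation (assumed rule form)

@dataclass
class Acl:
    name: str
    rules: list

    def __post_init__(self):
        if len(self.rules) > MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: more than {MAX_RULES_PER_ACL} rules")

    def permits(self, src: str, dst: str) -> bool:
        """First matching rule wins; no match means implicit deny (assumption)."""
        for r in self.rules:
            if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
                return r.action == "permit"
        return False

def forward_allowed(client_acl, vlan_acl, src: str, dst: str) -> bool:
    """Serial application: client ACL on the dot11 side first, then the VLAN ACL
    on the Ethernet side. A flow is forwarded only if every ACL present permits it."""
    return all(acl.permits(src, dst) for acl in (client_acl, vlan_acl) if acl is not None)

def can_precreate_client_acl(ap_client_acls: set, name: str) -> bool:
    """Controller-side check before pushing one more client ACL to an AP:
    an ACL already on the AP is fine, otherwise the 16-per-AP limit applies."""
    return name in ap_client_acls or len(ap_client_acls) < MAX_CLIENT_ACLS_PER_AP

# Constructed sample policy: the AAA-returned client ACL keeps guest clients away
# from a server subnet, and the VLAN ACL only admits the branch address space.
CLIENT_ACL = Acl("guest-client-acl", [
    Rule("deny", "10.1.1.0/24", "192.168.50.0/24"),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
])
VLAN_ACL = Acl("branch-vlan-acl", [Rule("permit", "10.1.0.0/16", "0.0.0.0/0")])
```

A guest at 10.1.1.5 reaching 10.1.2.9 passes both ACLs, the same guest reaching 192.168.50.2 is stopped by the client ACL, and a source outside 10.1.0.0/16 passes the client ACL but is dropped by the VLAN ACL, which is the serial behaviour item j describes.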