Symptom
ACL applied outbound on wireless management/ap manager interface. ACL only permits source from AP manager IP to any. Deny ACE hits logs increment.
From the deny hit log, it is seen that dns traffic (dest port 53) sourced from wireless client destined to opendns server (defined as the name-server on C9800) is being dropped. It implies, WLC is leaking client traffic to ap manager interface.
Conditions
Basic setup in TAC lab see the same deny hit.
C9800 running 16.12.2s configured with a PSK SSID. One client is connected. No explicit traffic flow other than whatever traffic a connected client sends.
Further Problem Description
None.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
