topic Re: WLC ACL Limit in Network Access Control

WLC ACL Limit

cfnisupport — Mon, 13 Nov 2017 14:56:21 GMT

How are large organizations dealing with the 64 ACL and 64 ACE limit on the WLC's? We are deploying ISE and we are early into our deployment and already had an instance where we hit the 64 ACE limit. It is easy to hit this limit, in my opinion, when you're dealing with Active Directory traffic and other 'chatty' type services.

One way around this I've found is to not restrict by port, but to just allow all TCP traffic to the destination IP, but that isn't as secure. That doesn't bother me too much, but I'm still concerned about the scale.

Anyone have any input? Since the WLC's don't support dACL, I'm really starting to wonder how we scale.

Thanks,

-Steve

Re: WLC ACL Limit

Jason Kunst — Mon, 13 Nov 2017 15:04:17 GMT

Would recommend deploying TrustSec scalable group tags.

Re: WLC ACL Limit

cfnisupport — Mon, 13 Nov 2017 15:07:24 GMT

Thanks for the quick response. Can we do TrustSec scalable group tags only on the WLC's without having to do TrustSec on the rest of the network?

Re: WLC ACL Limit

hslai — Mon, 13 Nov 2017 15:28:27 GMT

It needs some network devices (e.g. ASA) between the endpoints and the servers to perform the enforcement.

Re: WLC ACL Limit

Jason Kunst — Mon, 13 Nov 2017 15:30:41 GMT

I would recommend learning more about Trustsec, classification happens on the WLC but enforcement would happen at other points (data center)

https://www.youtube.com/watch?v=78-GV7Pz18I

You can certainly start with wireless only but the benefits would also be available on the wired side.

Re: WLC ACL Limit

paul — Mon, 13 Nov 2017 23:00:58 GMT

I am curious about your wireless policies that have so many ACLs. What are you trying to accomplish with your wireless setup?

Re: WLC ACL Limit

jordan.villarreal — Tue, 14 Nov 2017 13:56:18 GMT

We're trying to lock down a small group of Windows 10 Surface Pro's down to only what it needs to communicate with on the network, inside and out. Which means locking down to Meraki, our internal servers necessary for the software on the Surfaces, basic network services, and the real killer is making sure the Surface's can communicate with our domain controllers and vice versa. We have 20 domain controllers that these devices could be possibly communicating with at any given point in time. So 20 inbound rules, 20 outbound rules, not locking down to ports, that's 40 rules just to ensure proper domain configuration. cfnisupport

Re: WLC ACL Limit

cfnisupport — Tue, 14 Nov 2017 14:35:05 GMT

We are in healthcare, so we have a ton of devices. Think IVPumps, mobile x-rays, tablets providers use, tablets patients touch, mobile glucose test machines which upload their devices. Heck, even our emergency lights and our wall clocks are all on WiFi. As you can imagine, we can quickly blow past 64x64.

My favorite part about the video Jason posted? Just after a minute in, it states there is nothing to 'bolt on'. But that's not true. We need to bolt on an ASA!

Re: WLC ACL Limit

Jason Kunst — Tue, 14 Nov 2017 14:39:10 GMT

Yes at the enforcement point you have to bolt on a device capable of enforcement based off the SGT.

I recommend reaching out to trustsec community about anything further about trustsec, I understand a meeting is being setup. Please work with them further

Re: WLC ACL Limit

jeaves@cisco.com — Wed, 15 Nov 2017 19:26:07 GMT

Spent some time with the guys tonight on a webex.

Went through wireless operation with TrustSec and how it could dramatically help with TCAM limits on WLCs.

Available to help further if needed.

Regards, Jonothan.