topic You can use FlexConnect in Wireless

ACL mapping in flexconnect

Jorge Conceicao — Mon, 05 Jul 2021 09:08:35 GMT

wireless lan controller

You can use FlexConnect

Freerk Terpstra — Thu, 18 Dec 2014 20:22:54 GMT

You can use FlexConnect groups for this, this feature can be found under the wireless tab from the main menu. First configure your FlexConnect ACL and then assign it to the correct WLAN ID in the FlexConnect group. Don't forget to assign your AP's to the new created FlexConnect group(s).

Hi FreerkThx for your answer

Jorge Conceicao — Fri, 19 Dec 2014 09:22:44 GMT

Hi Freerk

Thx for your answer but u can only assign flexconnect acl to vlan ID not wlan ID, thats the problem I have.

Hi Jorge,I tested your

Freerk Terpstra — Sat, 20 Dec 2014 15:16:01 GMT

Hi Jorge,

I tested your configuration and I see what your problem is. My proposed solution only works for centrally switches WLAN ID's, which is useless in this case and also a little strange (you should think that when you create a WLAN - ACL mapping under a FlexConnect group, it would be pushed to the AP instead of doing it on the WLC..). I guess that the internal working for filtering on the AP has to been changed before this can be done, because right now an ACL is being applied to the physical (sub)interface.

I'm afraid that there is no other solution besides using different VLAN's, which is the better solution anyway.

I don't see that you will be

Abhishek Abhishek — Fri, 20 Feb 2015 01:58:44 GMT

I don't see that you will be able to apply ACL on WLAN, You can only apply VLAN.

Jorge Check the following

gohussai — Thu, 19 Mar 2015 20:39:32 GMT

Jorge Check the following

Restrictions for FlexConnect ACLs

FlexConnect ACLs can be applied only to FlexConnect access points. The configurations applied are per AP and per VLAN.

You can configure up to 512 ACLs on a controller.

Non-FlexConnect ACLs that are configured on the controller cannot be applied to a FlexConnect AP.

FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, Flexconnect ACLs cannot be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or egress.

You can define up to 512 FlexConnect ACLs, each with up to 64 rules (or filters). Each rule has parameters that affect its action. When a packet matches all the parameters pertaining to a rule, the action set pertaining to that rule is applied to the packet.

ACLs in your network might have to be modified because Control and Provisioning of Wireless Access Points (CAPWAP) use ports that are different from the ones used by the Lightweight Access Point Protocol (LWAPP).

All ACLs have an implicit deny all rule as the last rule. If a packet does not match any of the rules, it is dropped by the corresponding access point.

ACLs mapping on the VLANs that are created on an AP using WLAN-VLAN mapping, should be performed on a per-AP basis only. VLANs can be created on a FlexConnect group for AAA override. These VLANs will not have any mapping for a WLAN.

ACLs for VLANs that are created on a FlexConnect group should be mapped only on the FlexConnect group. If the same VLAN is present on the corresponding AP as well as the FlexConnect group, AP VLAN will take priority. This means that if no ACL is mapped on the AP, the VLAN will not have any ACL, even if the ACL is mapped to the VLAN on the FlexConnect group.

Note: This will give you clear idea How and what kind of ACL can be applied in flex connect mode.

Ref: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001110.html