topic Re: Configuring ACL at wlc in Wireless

Configuring ACL at wlc

interfacedy — Wed, 06 Apr 2022 03:44:30 GMT

What is purpose of ALC configured at wlc? The purpose is for security via blocking unusful traffice. so There are three kinds of ACL for it. first is to allow dhcp, and second is to allow dns traffice and third is to allow icmp. and then block all of others. Is this correct understanding for ACL function at WLC? Thank you

Re: Configuring ACL at wlc

balaji.bandi — Wed, 06 Apr 2022 07:00:11 GMT

Depends on the use case what ACL you like to use :

Good reference :

https://mrncciew.com/2013/03/15/wlc-access-control-list-acl/#:~:text=Direction%20%3A%20There%20are%203%20directions,either%20inbound%20or%20any%20direction.

Re: Configuring ACL at wlc

Flavio Miranda — Wed, 06 Apr 2022 11:34:58 GMT

You are not wrong but this understanding is too simple. WLC have different flavors of ACL. For example, if you want to block connection to the box, you need to use CPU ACL. But, if you want block or permit traffic for Guest clients, which is very important, you need to create and standard ACL. And you also have Fleconnect ALC and Layer 2 ACL.

You can apply ACL on the WLAN specifically or to all clients.

Re: Configuring ACL at wlc

Ambuj M — Wed, 06 Apr 2022 13:49:51 GMT

ACL on WLC is similar to ACL on any network device, it helps you block what you don’t want to pass through WLC, and allow what traffic you want to pass through WLC, the three you mentioned are not types of ACL but can be rules in a single ACL, most ACLs are layer3 so the before the traffic can be allowed or denied client needs atleast an IP, so dhcp is mostly allowed so client can get IP, so is DNS to resolve FQDN to IP and ICMP to test network connectivity etc.
Go through the link that’s shared by other members for more details.

Re: Configuring ACL at wlc

MHM Cisco World — Wed, 06 Apr 2022 14:42:02 GMT

this ACL is for Web-auth, allow the client get IP and resolve by DNS and deny every other traffic UNTIL the client is auth from Server after that the Permit any any will add automatically to you ACL.

Re: Configuring ACL at wlc

Leftz — Thu, 07 Apr 2022 16:07:44 GMT

Thank you all for your reply!

@MHM Cisco World ACL is for Web-auth. I cannot find the relation in several documents. Our WLC ios version is 8.10-. What is latest Cisco document talking about the relation. The ios 8.10- release document does not talk about the relation

Re: Configuring ACL at wlc

MHM Cisco World — Thu, 07 Apr 2022 16:15:29 GMT

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Re: Configuring ACL at wlc

Flavio Miranda — Thu, 07 Apr 2022 16:40:47 GMT

You need to know what kind of Web-auth you are going to use. If Local or Central. If Local, internal or external Portal.

Central Web auth is better but you need to have ISE.

The Access List for Web auth is pretty simple.

Re: Configuring ACL at wlc

Leftz — Wed, 13 Apr 2022 22:34:16 GMT

I think document mentioned by MHM has explanation. My understanding is we configure acl at wlc, then ise use it via acl name defined at wlc, right?

Re: Configuring ACL at wlc

Flavio Miranda — Wed, 13 Apr 2022 22:40:33 GMT

That´s correct. The ACL name must match. And you need to select NAC State on the Advanced tal of the Guest WLAN.

Re: Configuring ACL at wlc

interfacedy — Fri, 15 Apr 2022 01:20:50 GMT

Thank you all!