topic Re: Catalyst 9800 vWLC ACL in Wireless

Catalyst 9800 vWLC ACL

filip.nikolic — Sat, 04 Mar 2023 10:14:21 GMT

I'm trying to configure an ACL on Catalyst 9800 vWLC GUI but I can't figure out why there isnt'a a 'any' option for ports and protocols in extended ACLs? Default value for protocol field is adp and for source or destination port is None. Will None work instead any and how I can set the protocol to any? Maybe is there a image bug? I'm using 17.6.4 right now

Re: Catalyst 9800 vWLC ACL

Mark Elsen — Sat, 04 Mar 2023 10:55:07 GMT

- A possible way to go forward is to examine the running config after you define an (extended) ACL in the GUI ; (t)(w)hen reviewing the resulting ACL statements in the running config and 'staying' on the CLI you might be able to achieve what you want and or check if you can include option 'any' when defining or completing an ACL through querying command completion with ? (e.g.)

Re: Catalyst 9800 vWLC ACL

Rich R — Sat, 04 Mar 2023 14:43:01 GMT

I must admit I had *never* looked at ACLs in the GUI before now!

But now I have and it looks normal to me. Configuration -> Security -> ACL
There's all the normal options there. I see "ahp" (not adp) at the top of the protocol list. If you're not seeing the full list on the drop-down then that's probably a browser problem. Try different browsers, different version of browser and make sure you're not blocking cookies etc. It sometimes also helps to clear all cookies and history then close and re-start your browser. Personally I'd recommend CLI for ACLs.

Re: Catalyst 9800 vWLC ACL

Karsten Iwen — Sat, 04 Mar 2023 16:09:09 GMT

You need to choose "ip" as the protocol. This implies any ip based protocols and also all ports for udp/tcp:

Re: Catalyst 9800 vWLC ACL

filip.nikolic — Tue, 07 Mar 2023 22:51:18 GMT

Thank you but if I choose ip as a destination protocol how should I block lets say ICMP? Should I create a new ACE just for ICMP?

Re: Catalyst 9800 vWLC ACL

Karsten Iwen — Wed, 08 Mar 2023 05:28:25 GMT

Yes, you need one ACE for everything that you want to allow and deny.

Re: Catalyst 9800 vWLC ACL

Rich R — Wed, 08 Mar 2023 10:31:06 GMT

Yes - it sounds like you need to familiarise yourself with the basics of ACLs:
https://community.cisco.com/t5/networking-knowledge-base/access-control-lists-acl-explained/ta-p/4182349
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16-9/sec-data-acl-xe-16-9-book/sec-access-list-ov.html
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html