topic I am curious about the purpose of the ACLs created on the WLC 9800. in Wireless

I am curious about the purpose of the ACLs created on the WLC 9800.

CCC3 — Fri, 14 Apr 2023 01:57:51 GMT

Those ACLs are
ACL on 9800.

not user generated
It appears to have been created by WLC itself.

Could you by any chance know the purpose of each ACL?

-IP-Adm-V4-Int-ACL-global

-implicit_deny

-implicit_permit

-preauth_v4

-meraki-fqdn-dns

Re: I am curious about the purpose of the ACLs created on the WLC 9800

Scott Fella — Fri, 14 Apr 2023 02:58:30 GMT

I think what would be better is to review of IOS acl's in general. These are just default, you can use as a template or even add to them if you want. They are not applied unless you apply them. Just look and research understanding/configuration IOS acl's to just get a basic idea of how to create one and apply one. Then its easier to look at what you have, not just on the 9800 and understand what the all is doing.

Re: I am curious about the purpose of the ACLs created on the WLC 9800

Rich R — Fri, 14 Apr 2023 15:34:02 GMT

There are some ACLs which are autoconfigured when you use webauth and their contents are based on the webauth config you provide - and those can't be changed manually, or if you do IOS will overwrite your changes. For example:
IP-Adm-V4-Int-ACL-global
IP-Adm-V4-LOGOUT-ACL
WA-sec-<redirect portal IP>
WA-v4-int-<redirect portal IP>
Most of the names are self-explanatory.

meraki-fqdn-dns doesn't seem to have any content (ACEs) by default so I'd guess that it will only be populated if you do something that requires it, like migrating CW APs to the Meraki dashboard.

Re: I am curious about the purpose of the ACLs created on the WLC 9800

CCC3 — Mon, 17 Apr 2023 06:15:28 GMT

thanks.

Do you know what implicit_deny/permit is for?

Re: I am curious about the purpose of the ACLs created on the WLC 9800

Rich R — Mon, 17 Apr 2023 08:08:14 GMT

Presume you mean what are they used for - no idea - could be anything - but the names are paradoxical because they are both explicit rather than implicit LOL
9800#sh ip access-lists implicit_deny
Extended IP access list implicit_deny
10 deny ip any any
9800#sh ip access-lists implicit_permit
Extended IP access list implicit_permit
10 permit ip any any

More accurate names would have been permit_all and deny_all but who are we to question the wisdom of the devs...