11-13-2017 06:56 AM
How are large organizations dealing with the 64 ACL and 64 ACE limit on the WLCs? We are deploying ISE and we are early into our deployment and already had an instance where we hit the 64 ACE limit. It is easy to hit this limit, in my opinion, when you're dealing with Active Directory traffic and other 'chatty' type services.
One way around this I've found is to not restrict by port, but to just allow all TCP traffic to the destination IP, but that isn't as secure. That doesn't bother me too much, but I'm still concerned about the scale.
Anyone have any input? Since the WLCs don't support dACL, I'm really starting to wonder how we scale.
Thanks,
-Steve
11-13-2017 07:04 AM
Would recommend deploying TrustSec scalable group tags.
11-13-2017 07:07 AM
Thanks for the quick response. Can we do TrustSec scalable group tags only on the WLCs without having to do TrustSec on the rest of the network?
11-13-2017 07:28 AM
It needs some network devices (e.g. ASA) between the endpoints and the servers to perform the enforcement.
11-13-2017 07:30 AM
I would recommend learning more about TrustSec. Classification happens on the WLC, but enforcement would happen at other points (data center).
https://www.youtube.com/watch?v=78-GV7Pz18I
You can certainly start with wireless only but the benefits would also be available on the wired side.
11-13-2017 03:00 PM
I am curious about your wireless policies that have so many ACLs. What are you trying to accomplish with your wireless setup?
11-14-2017 05:56 AM
We're trying to lock down a small group of Windows 10 Surface Pros to only what they need to communicate with on the network, inside and out. Which means locking down to Meraki, our internal servers necessary for the software on the Surfaces, basic network services, and the real killer is making sure the Surfaces can communicate with our domain controllers and vice versa. We have 20 domain controllers that these devices could possibly be communicating with at any given point in time. So 20 inbound rules, 20 outbound rules, not locking down to ports, that's 40 rules just to ensure proper domain configuration.
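As an added illustration (not code from this thread or from Cisco), here is a small Python planner that expands hosts, service ports and both directions into the ACE count one WLC ACL would need and checks it against the 64 ACL / 64 ACE limits discussed above. The domain controller addresses and the AD port list are constructed sample values.

```python
from dataclasses import dataclass
from itertools import product

# Limits discussed in the thread: 64 ACLs per WLC, 64 ACEs per ACL.
MAX_ACLS = 64
MAX_ACES_PER_ACL = 64

@dataclass(frozen=True)
class Ace:
    direction: str  # "in" (towards the client) or "out" (from the client)
    proto: str      # "tcp" / "udp"
    host: str       # the server the rule points at
    port: str       # port number, or "any" for the IP-only workaround

def build_aces(hosts, ports=None):
    """Expand hosts x ports x both directions into the ACEs one ACL needs.
    ports=None models the workaround from the thread: allow all TCP to the
    host instead of one line per service port."""
    if ports is None:
        return [Ace(d, "tcp", h, "any") for d, h in product(("in", "out"), hosts)]
    return [Ace(d, proto, h, str(p))
            for d, h, (proto, p) in product(("in", "out"), hosts, ports)]

def check_limits(acls):
    """acls: {acl_name: [Ace, ...]}. Return a list of readable limit violations."""
    problems = []
    if len(acls) > MAX_ACLS:
        problems.append(f"{len(acls)} ACLs exceeds the limit of {MAX_ACLS}")
    for name, aces in acls.items():
        if len(aces) > MAX_ACES_PER_ACL:
            problems.append(f"ACL {name}: {len(aces)} ACEs exceeds {MAX_ACES_PER_ACL}")
    return problems

# Constructed sample: 20 domain controllers and a typical AD service port list.
DCS = [f"10.0.0.{i}" for i in range(1, 21)]
AD_PORTS = [("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
            ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 636), ("tcp", 3268)]

if __name__ == "__main__":
    per_port = build_aces(DCS, AD_PORTS)   # 20 hosts x 10 ports x 2 directions
    ip_only = build_aces(DCS)              # 20 hosts x 2 directions
    print(len(per_port), check_limits({"SURFACE-DC": per_port}))  # 400, one violation
    print(len(ip_only), check_limits({"SURFACE-DC": ip_only}))    # 40, no violations
```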
11-14-2017 06:35 AM
We are in healthcare, so we have a ton of devices. Think IV pumps, mobile x-rays, tablets providers use, tablets patients touch, mobile glucose test machines which upload their devices. Heck, even our emergency lights and our wall clocks are all on WiFi. As you can imagine, we can quickly blow past 64x64.
My favorite part about the video Jason posted? Just after a minute in, it states there is nothing to 'bolt on'. But that's not true. We need to bolt on an ASA!
11-14-2017 06:39 AM
Yes, at the enforcement point you have to bolt on a device capable of enforcement based on the SGT.
I recommend reaching out to the TrustSec community about anything further about TrustSec. I understand a meeting is being set up. Please work with them further.
11-15-2017 11:26 AM
Spent some time with the guys tonight on a webex.
Went through wireless operation with TrustSec and how it could dramatically help with TCAM limits on WLCs.
Available to help further if needed.
Regards, Jonothan.