SDA Wireless Cisco 9800 ACLs

dm2020
Level 1

Hi

Does anyone know if it's possible to apply a standard IPv4 ACL to a Cisco 9800 WLAN that's operating in SDA/Fabric mode? If so, how is this achieved?

Thanks

2 Replies

jalejand
Cisco Employee

I don't usually see post-auth / DACL on fabrics, especially as C9800 DACL support is really limited (Web Redirection ACL works fine).

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183/?rfs=iqvred

SGACLs / SGT policies would be more suitable for Fabric/SDA.


Hi @jalejand

Thanks for the response. I agree that SGTs are more suitable in an SDA environment; however, we are not quite there yet with our TrustSec implementation, so I am looking at an alternative solution in the meantime to meet our requirement.

To explain: we have a single VN that has full connectivity to our corp servers and the internet, which sit outside of the fabric. We are deploying a fabric-enabled WLAN for corp users and need to allow users to access a small number of internal servers and the internet, and to block everything else. Trying to do this with SGTs is proving a bit tricky at the moment, so using a standard IPv4 ACL would be easier at this stage.

I have checked, and the following guide suggests that IPv4 ACLs for clients are supported in an SDA deployment (see Table 1):


https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/cisco-dna-center-sd-access-wl-dg.pdf

I have been testing this today and managed to get this working using the following procedure:

1) Configure a local IPv4 ACL on the 9800 WLC.

2) Add the above IPv4 ACL to the 'default-flex-profile' so that it's downloaded to the fabric AP.

3) Add the above IPv4 ACL to the applicable WLAN policy profile.

This seems to be the same procedure as when using FlexConnect; however, I can't find confirmation that this is correct for a fabric WLAN.
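The three-step procedure above, written out as the Catalyst 9800 IOS-XE CLI it corresponds to. This is an added illustration for readers, not configuration taken from the post or from Cisco's deployment guide: the ACL name CORP-RESTRICT, the policy profile name corp-policy and all addresses are constructed placeholders, and the flex-profile `acl-policy` and policy-profile `ipv4 acl` sub-mode keywords are assumed from the 9800 configuration model and should be checked against the release in use.

```ios
! Step 1: local extended IPv4 ACL on the 9800 WLC.
! IOS ACLs end with an implicit "deny ip any any", so infrastructure
! traffic the client needs (DHCP, DNS) must be permitted explicitly or
! clients will fail to get an address / resolve names.
! Entries are evaluated top-down: permits for the handful of internal
! servers come before the blanket denies for the rest of RFC 1918.
ip access-list extended CORP-RESTRICT
 remark constructed example addresses, replace with real server IPs
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.20.53 eq domain
 permit tcp any host 10.10.20.53 eq domain
 permit ip any host 10.10.20.10
 permit ip any host 10.10.20.11
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Step 2: reference the ACL in the flex profile so it is pushed to the AP.
wireless profile flex default-flex-profile
 acl-policy CORP-RESTRICT
!
! Step 3: apply the ACL to the WLAN's policy profile. The profile has to
! be shut while it is edited, which briefly disconnects clients on it.
wireless profile policy corp-policy
 shutdown
 ipv4 acl CORP-RESTRICT
 no shutdown
!
! Verification: confirm the ACL, the flex-profile and policy-profile
! references, and that a joined client shows the ACL applied.
show ip access-lists CORP-RESTRICT
show wireless profile flex detailed default-flex-profile
show wireless profile policy detailed corp-policy
show wireless client mac-address <client-mac> detail
```

The permit and deny lines are written from the client's point of view (client as source). Before relying on the ACL as the control that blocks "everything else", test from a client on the WLAN that the permitted servers and the internet are reachable and that an address inside the denied ranges is not; the `show ip access-lists` hit counters make it easy to see which entry a test flow matched.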