07-16-2021 09:20 AM
Hi
Does anyone know if it's possible to apply a standard IPv4 ACL to a Cisco 9800 WLAN that's operating in SDA/Fabric mode? If so, how is this achieved?
Thanks
07-16-2021 01:48 PM - edited 07-16-2021 01:48 PM
I don't usually see Post-auth / DACL on Fabrics, especially as C9800 DACL support is really limited (Web Redirection ACL works fine)
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183/?rfs=iqvred
SGACLs/ SGT Policies would be more suitable for Fabric/SDA
07-21-2021 02:35 PM - edited 07-21-2021 02:37 PM
Hi @jalejand
Thanks for the response. I agree that SGTs are more suitable in an SDA environment, however we are not quite there yet with our TrustSec implementation so looking at an alternative solution in the meantime to meet our requirement.
To explain - We have a single VN that has full connectivity to our corp servers and the internet which sit outside of the fabric. We are deploying a fabric enabled WLAN for corp users and need to allow users to access a small number of internal servers and the internet and to block everything else. Trying to do this with SGTs is proving a bit tricky at the moment so using a standard IPv4 ACL would be easier at this stage.
I have checked and the following guide suggests that IPv4 ACLs for clients are supported in an SDA deployment (see table 1)
I have been testing this today and managed to get this working using the following procedure.
1) Configure local IPv4 ACL on the 9800 WLC
2) Add the above IPv4 ACL to the 'default-flex-profile' so that it's downloaded to the fabric AP
3) Add the above IPv4 ACL to the applicable WLAN policy profile.
This is the same procedure as when using FlexConnect it seems, however I can't find confirmation that this is correct for a fabric WLAN.
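The three steps above written out as C9800 IOS-XE configuration, added here as an example and not taken from either post. The ACL name, policy profile name and all addresses are constructed placeholders; `acl-policy` (flex profile) and `ipv4 acl` (policy profile) are the 9800 commands the steps refer to and should be checked against your release.

```cisco
! Added example (not from the thread). All names and IPs are constructed placeholders.
!
! 1) Local IPv4 ACL on the 9800 WLC: permit a handful of internal servers and the
!    internet, block everything else. Order matters: specific permits come before
!    the broad denies, and the final "permit ip any any" leaves only public space.
ip access-list extended CORP-WLAN-RESTRICT
 remark Let clients obtain an address and resolve names (constructed DNS server)
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 remark The small set of internal servers corp users are allowed to reach
 permit ip any host 10.0.10.20
 permit ip any host 10.0.10.21
 remark Block the remaining internal (RFC 1918) ranges
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Whatever is left is public address space, i.e. the internet
 permit ip any any
!
! 2) Attach the ACL to the flex profile so it is pushed to the fabric APs
wireless profile flex default-flex-profile
 acl-policy CORP-WLAN-RESTRICT
!
! 3) Apply the ACL on the policy profile bound to the fabric WLAN.
!    The profile has to be shut down to edit it, which drops clients on that
!    WLAN, so do this in a maintenance window.
wireless profile policy CORP-FABRIC-POLICY
 shutdown
 ipv4 acl CORP-WLAN-RESTRICT
 no shutdown
!
! Verify the ACL exists on the WLC and is referenced by both profiles
show ip access-lists CORP-WLAN-RESTRICT
show wireless profile flex detailed default-flex-profile
show wireless profile policy detailed CORP-FABRIC-POLICY
```

Test from a client on the WLAN that the permitted servers and a public address answer while another internal host does not; the hit counters in `show ip access-lists` confirm which entry each flow matched.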