Hi Arshad

Thanks for the reply...

Im adding in the ACL on the 9120 EWC controller and then adding it into the policy for each WLAN.

more info is below - i was trying to use the EWC for this as per the ACL in the documents..

if i have to add this to the 9330 L3 switch what is the ACL on the EWC used for ?

!
ip access-list extended Corp_ACL
1 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
2 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
3 permit ip 172.30.0.0 0.0.255.255 any
4 deny ip any any

ip access-list extended Guest_ACL
1 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
2 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
3 permit ip 192.168.50.0 0.0.0.255 172.30.2.1 0.0.0.255
4 deny ip any any

192.168.50.0/24 - Guest_ACL
172.23.50.0/24 - Corp_ACL
172.30.2.1 - DHCP Server on LAN side

error message we get when ACL is on EWC -

The controller says %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (d6a9.97ef.661a) on Interface capwap_90000004 AuditSessionID 000000000000004B10D203AA. Failure Reason: ACL Failure.

Did you add the ACL to the Flex-Profile? This is needed to get the ACL "pushed" to the AP where the filtering is applied.

Hi Karsten

I did try adding into the Flex profiel i setup with the vlan L2 Corp /Guest and the ACL with it.

for both  Corp and Guest i did - Flex-profiel - vlan- vlan name- vlan id - ACL name

Do you not need to add the ACL to the poilcy profile at all then ? i was working from the document

I will try again tomomrrow and see what logs i get back..

There are multiple options available, WLC also gives you the flexibility do ACL's. Where to do the filtering completely depends on your design and operational requirements, in my opinion if you are to filter packets at WLC or AP level I see that as complicating the network, I feel it is more cleaner when you do this at upstream level as this will take the unnecessary burden from the WLC or AP's. But the new WLC's and AP's are capable enough to handle moderate task. (I do not have impact analysis of enabling ACL's in WLC or AP, just my opinion)

My ACL would look like below. 

For Guest

ip access-list extended Guest_Block
permit udp 192.168.50.0 0.0.0.255 host 172.30.2.1
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.0.0.0 0.0.15.255
deny ip any 192.0.0.0 0.0.255.255
permit ip 192.168.50.0 0.0.0.255 any

It is very important to note that when applying Flex ACL's you have to select the correct direction. Ingress means traffic directed towards the client and egress means traffic towards the LAN.

Hi Arshad

Still not workig even if i add in a deny all IP ACL to the flex account vlan 50 (guest) all traffic still allowed...

its like its not even seeing the ACL on the WLAN..

Did you apply ingress or egress in Flex profile?

Hi Arshad

I tried both ways still the same...

why is there a WLAN ACL in policy profile for Guest as i can add in the acl there aswell but when i do that the users gets incorrect password ?

im using the below Cisco doc for ref but nothing in there about separating Guest from Corp users..

https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html

When you SSH into your AP (not EWC), do you see your ACLs with a "show access-list"?

Hi Karsten

I will try this tomorrow and let you know

Thanks for the suggestion..

Hi All

Still no joy with this see below looks like the AP isnt getting any info from the EWC ?

AP# sh flexconnect vlan-acl

  <cr>

AP# sh flexconnect vlan-acl

Flexconnect VLAN-ACL mapping-- ingress vlan

ACL disabled on ingress vlan

No configured vlans

Flexconnect VLAN-ACL mapping-- egress vlan

ACL disabled on egress vlan

No configured vlans

At this point best option is to reach out to TAC. But I would still consider implementing the same ACL in upstream Layer3 device as all the EWC related deployments are Flex AP's.