ACL in catylist 9800

interfacedy
Spotlight

Hi, from show run in the WLC 9800, I can see there are several ACLs, but it looks like these ACLs are not used by the WLC. The reason I say this is that each ACL name shows up once for each ACL. These ACLs are not associated with something like an interface. Is this normal? In a Cisco router, the ACL name has to show up at least two times in the configuration file: one is to define it, and the second is to associate it with some interface. Thank you

4 Replies

ammahend
VIP

Most likely those ACL names are referenced as part of dynamic ACL assignment from ISE.

In such a case the ACL is not applied to an interface on the controller; the ACLs are just present on the controller and applied to the user as part of authorization from your RADIUS server (ISE). So you will see them only once if you do a show run.

Hope this helps.

-hope this helps-

interfacedy
Spotlight

Thank you for your reply! So it sounds like once the ACL is created, it can work. But how can we know the ACL really works well? Maybe the ACL is written incorrectly. And the ACL name has to be associated with something; otherwise, how does the WLC identify each of the ACLs?

You have to know what you are accomplishing with the ACL and then evaluate the ACL to ensure it is doing just that and not anything else.

For instance, a typical redirect ACL should deny (RADIUS) ISE and DNS and allow anything on ports 80 and 443 for redirection; a guest ACL should generally block RFC1918. These are some standard examples, but an ACL can be anything you want.

You can enable logs on the ACL to check if it is being hit; you can also check in the ISE authentication details which ACL is pushed as part of authorization.

Hope this answers your question.

-hope this helps-
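Added example, not code from this thread or from Cisco: the check both replies above describe, as a small Python script. It parses a constructed 9800-style `show run` excerpt (hypothetical ACL names and addresses), lists each ACL's entries, and reports which ACLs are bound statically (for example `ip access-group` or `ipv4 acl` in a policy profile) and which appear only once, which is what you would expect for an ACL that is pushed per session by ISE rather than being unused.

```python
import re

# Constructed 'show run' excerpt with hypothetical ACL names (not from the post).
SAMPLE_SHOW_RUN = """\
ip access-list extended REDIRECT-ACL
 10 deny udp any any eq domain
 20 deny ip any host 10.0.0.50
 30 permit tcp any any eq www
 40 permit tcp any any eq 443
ip access-list extended GUEST-ACL
 10 deny ip any 10.0.0.0 0.255.255.255
 20 deny ip any 192.168.0.0 0.0.255.255
 30 permit ip any any
ip access-list extended MGMT-ACL
 10 permit tcp 10.1.1.0 0.0.0.255 any eq 22
interface Vlan10
 ip access-group MGMT-ACL in
wireless profile policy GUEST-POLICY
 ipv4 acl GUEST-ACL
"""
ACL_HEADER = re.compile(r"^ip(?:v6)? access-list (?:standard |extended )?(\S+)\s*$")

def parse_acls(show_run):
    """Return {acl_name: [ACE lines]} from each 'ip access-list' block."""
    acls, current = {}, None
    for line in show_run.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # left the access-list block
    return acls

def acl_references(show_run):
    """Map each ACL to the config lines outside its definition that name it
    (e.g. 'ip access-group X in', 'ipv4 acl X'). An empty list means the name
    appears only once: either unused, or applied per session by RADIUS/ISE."""
    refs = {name: [] for name in parse_acls(show_run)}
    for line in show_run.splitlines():
        if ACL_HEADER.match(line):
            continue
        for name in refs:
            # whole-token match so GUEST-ACL does not also match GUEST-ACL2
            if re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(name), line):
                refs[name].append(line.strip())
    return refs
```

Run `acl_references(open("show_run.txt").read())` on a real export; ACLs with an empty list are the ones to cross-check against the ACL name in the ISE authorization result.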

interfacedy
Spotlight

Thanks. We can define the ACL name based on our needs, but the question is how the WLC knows about the ACL that was created, since only one ACL name is created. For a normal ACL in a router or switch, we create the ACL with a defined ACL name, and then the ACL name needs to be used a second time, associated with something like the router's interface, so that the router knows where the ACL can be used. But in the WLC, as it has one ACL name as you said, how does the WLC know where to use the ACL? Unless the ACL name in the WLC is special.
