04-08-2022 06:33 PM - edited 04-08-2022 06:44 PM
Hi, from show run on a WLC 9800 I can see there are several ACLs, but it looks like these ACLs are not used by the WLC. The reason I say this is that each ACL name shows up only once per ACL. These ACLs are not associated with something like an interface. Is this normal? On a Cisco router, the ACL name has to show up at least two times in the configuration file: once to define it, and a second time to associate it with some interface. Thank you
04-08-2022 07:55 PM - edited 04-08-2022 07:56 PM
Most likely those ACL names are referenced as part of dynamic ACL assignment from ISE.
In such a case the ACL is not applied to an interface on the controller; they are just present on the controller and applied to the user as part of authorization from your RADIUS server (ISE). So you will see them only once if you do show run.
Hope this helps.
04-08-2022 08:49 PM
Thank you for your reply! So it sounds like once the ACL is created, it can work. But how can we know the ACL really works well? Maybe the ACL is written incorrectly. And doesn't the ACL name have to be associated with something? Otherwise, how does the WLC identify each of the ACLs?
04-08-2022 09:20 PM - edited 04-08-2022 09:23 PM
You have to know what you are accomplishing with the ACL and then evaluate the ACL to ensure the ACL is doing just that and not anything else.
For instance, a typical redirect ACL should deny (RADIUS) ISE and DNS and allow anything on port 80 and 443 for redirection; a guest ACL should generally block RFC1918. These are some standard examples, but an ACL can be anything you want.
You can enable logs on the ACL to check if they are being hit, and you can also check in the ISE authentication details what ACL is pushed as part of authorization.
Hope this answers your question.
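As an added illustration (not from the original thread) of the redirect and guest ACLs described above, here is an IOS-XE configuration for a Catalyst 9800 with hit logging, followed by the exec commands used to verify that an ACL is actually being matched and which ACL ISE pushed to a client. The ISE address 192.0.2.10, the ACL names and the client MAC are placeholders.

```cisco
! Redirect ACL for ISE central web auth on the 9800: "deny" means do
! not redirect this traffic, "permit" means send it to the portal.
! Lowest sequence number is evaluated first.
ip access-list extended REDIRECT-ACL
 10 deny udp any any eq domain
 20 deny udp any any eq bootps
 30 deny ip any host 192.0.2.10
 40 deny ip host 192.0.2.10 any
 50 permit tcp any any eq www
 60 permit tcp any any eq 443
!
! Guest ACL: keep guest clients off RFC1918 space and log what is
! dropped so the hits can be reviewed.
ip access-list extended GUEST-ACL
 10 permit udp any any eq domain
 20 deny ip any 10.0.0.0 0.255.255.255 log
 30 deny ip any 172.16.0.0 0.15.255.255 log
 40 deny ip any 192.168.0.0 0.0.255.255 log
 50 permit ip any any
!
! Neither ACL is bound to an interface; ISE returns the name in its
! authorization result. Verify from exec mode:
!   show ip access-lists REDIRECT-ACL        (per-ACE match counters)
!   show ip access-lists GUEST-ACL
!   show wireless client mac-address aaaa.bbbb.cccc detail | include ACL
```

A counter that never increments on an ACL ISE claims to have pushed is the quickest sign that the ACL name on the controller and in the ISE authorization profile do not match.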
04-11-2022 11:15 AM
Thanks. We can define the ACL name based on our needs, but the question is how the WLC knows the ACL was created, since only one ACL name is created. For a normal ACL on a router or switch, we create the ACL with a defined ACL name, and then the ACL name needs to be entered a second time, associated with something like the router's interface, so that the router knows where the ACL is used. But in the WLC, as it has only one ACL name as you said, how does the WLC know where to use the ACL? Unless the ACL name in the WLC is special