Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
40
Helpful
7
Replies

Are these ACLs are being used in WLC?

Go to solution
Leftz
Level 4
Level 4

‎05-02-2022 12:33 PM - edited ‎05-02-2022 12:34 PM

Hi, We are not sure if the below ACLs are being used. The reason why I say it is because I although we created ACLs, we did not enable it. However we can see a lot hit number under Security ----> Access Control Lists -----> right column. Are these ACLs are being used? Thanks

 

 

(Cisco Controller) >show acl summary

ACL Counter Status              Disabled

----------------------------------------

IPv4 ACL Name                    Applied

-------------------------------- -------

INTERNET-ONLY                    Yes   

CWA_REDIRECT                     Yes   

 

----------------------------------------

IPv6 ACL Name                    Applied

-------------------------------- -------

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 12:49 PM

Run the command "show wlan XX detailed"

Go to "WLAN IPv4 ACL....................................

If the ACL name is there, then yes. If you find unconfigured, then, no.

View solution in original post

Go to solution
ammahend
VIP
VIP

‎05-02-2022 12:50 PM - edited ‎05-02-2022 12:50 PM

Yes these acl are being used, your ise (radius server) pushes these acl names as part of authorization and the acl itself need to be defined on WLC to be applied to clients. 

-hope this helps-

View solution in original post

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 01:27 PM - edited ‎05-02-2022 01:27 PM

Is not name, is wlan id....it is the number under WLAN ID

run 'show wlan summary" then use the number.

WLC ACL is always applied to WLAN, dont matter if it is user to guest (ISE) or differents reason.  And you have CPU ACL which is applied to the WLC itself.

 

View solution in original post

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 02:10 PM

Create the ACL and add permit statements:

 

config acl apply acl_name

permit udp any any eq 12124

permit udp any any eq  12124
 permit udp any any eq 12125

permit udp any any eq  12125

permit udp any any eq 12134

permit udp any any eq  12134

permit udp any any eq 12135

permit udp any any eq  12135

"add denis here"

 

Apply the ACL to the CPU

config acl cpu acl_name both

View solution in original post

7 Replies 7

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 12:49 PM

Run the command "show wlan XX detailed"

Go to "WLAN IPv4 ACL....................................

If the ACL name is there, then yes. If you find unconfigured, then, no.

Go to solution
ammahend
VIP
VIP

‎05-02-2022 12:50 PM - edited ‎05-02-2022 12:50 PM

Yes these acl are being used, your ise (radius server) pushes these acl names as part of authorization and the acl itself need to be defined on WLC to be applied to clients. 

-hope this helps-

Go to solution
Leftz
Level 4
Level 4

‎05-02-2022 01:17 PM - edited ‎05-02-2022 01:19 PM

Thank you very much for your reply@

@ammahend I think you are right. but this case might be that ACLs are being used by something like ise etc, but not being used by dynamic interface or CPU. Do you agree with this? 

@Flavio Miranda The command  "show wlan (wlan name) detailed" you mentioned cannot be entered

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 01:27 PM - edited ‎05-02-2022 01:27 PM

Is not name, is wlan id....it is the number under WLAN ID

run 'show wlan summary" then use the number.

WLC ACL is always applied to WLAN, dont matter if it is user to guest (ISE) or differents reason.  And you have CPU ACL which is applied to the WLC itself.

 

Go to solution
Leftz
Level 4
Level 4

‎05-02-2022 01:47 PM - edited ‎05-02-2022 01:56 PM

You are right. but this case is version 8.5 without "detail" in the command that you mentioned. It works like below:

(Cisco Controller) >show wlan 1 ?

 

(Cisco Controller) >show wlan 1

 

I found a good documents of cisco talking about CPU acl config as below, but it does not have example to create the ACL. also I searched a lot in cisco, but I still cannot find the example. I am afraid it might lose some connection to AP or something if something wrong. Can you briefly show an config example? Thank you very much. 

 

Applying an Access Control List to the Controller CPU (GUI)

Before you begin

Before you apply ACL rules, ensure that you have explicitly set the following RRM ports to allow in the CPU ACL:

  • 12124-12125

  • 12134-12135

Also ensure that you add these ACL rules specifically at the top of the ACL list.

If you do not set these RRM ports to allow, the ports are blocked by default.

 

Procedure
Step 1
Choose Security > Access Control Lists > CPU Access Control Lists to open the CPU Access Control Lists page.

Step 2
Select the Enable CPU ACL check box to enable a designated ACL to control the IPv4 traffic to the controller CPU or unselect the check box to disable the CPU ACL feature and remove any ACL that had been applied to the CPU. The default value is unselected.

Step 3

 

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP

‎05-02-2022 02:10 PM

Create the ACL and add permit statements:

 

config acl apply acl_name

permit udp any any eq 12124

permit udp any any eq  12124
 permit udp any any eq 12125

permit udp any any eq  12125

permit udp any any eq 12134

permit udp any any eq  12134

permit udp any any eq 12135

permit udp any any eq  12135

"add denis here"

 

Apply the ACL to the CPU

config acl cpu acl_name both

Go to solution
Leftz
Level 4
Level 4

‎05-04-2022 07:44 AM - edited ‎05-04-2022 07:46 AM

Great! Now I understand. Thank you very much!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card