Catalyst 9800/ISE - ACL

Luna99923
Level 1

Hello,

I have a Catalyst 9800-80 running version 17.9.6 and Cisco ISE 3.1. I want to configure wireless clients connected to an SSID using iPSK/MAB to dynamically change their VLAN and reference an ACL that resides on the 9800.

I understand that dACL support is only available starting with version 17.10, so I cannot use that feature at this time. While I have successfully configured the dynamic VLAN functionality using an authorization profile, I would like guidance on how to handle the ACL configuration under these constraints.

Thank you for your assistance!

12 Replies

ammahend
VIP Alumni

You can configure dACL; the approach is different before and after 17.10.

In Cisco IOS-XE 17.8 and earlier releases, you had to configure the name in Cisco ISE and define the ACL individually in each of the controllers, so when you configure ISE, just push ACL name and define your ACLs locally on controller.

In newer versions you can push the entire ACL to the WLC instead of just the name; there is no need to define the ACL entries locally on the controller.

-hope this helps-

In order to use an ACL name, in the ISE authorization profile, should I select Airespace ACL Name or use a specific AV pair? Additionally, on the WLC, is there any mandatory configuration apart from creating an ACL with the same name as defined in ISE?

use Airespace ACL Name under common tasks

On the 9800, make sure the ACL name is exactly the same as defined on ISE (case sensitive); that's all.

-hope this helps-
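The two-sided setup described in the reply above (ISE returns only the ACL name, the ACL body lives on the controller), shown as an added IOS-XE configuration example; it is not from this thread or from Cisco documentation. The ACL name `ISE_IPSK_CLIENTS`, the 10.10.0.0/16 client range, the DNS server 10.20.0.53 and the policy profile name `PP_IPSK_CLIENTS` are constructed placeholders.

```cisco
! Catalyst 9800 (IOS-XE) side: the ACL body is defined locally; ISE only sends its name.
! In the ISE authorization profile, Common Tasks > Airespace ACL Name = ISE_IPSK_CLIENTS
! (sent as the RADIUS VSA Airespace-ACL-Name). The name must match this one exactly,
! including case; a mismatch leaves the client without the intended ACL.
ip access-list extended ISE_IPSK_CLIENTS
 ! IOS-XE extended ACLs use wildcard (inverse) masks, unlike the AireOS
 ! "normal" masks described in the older WLC ACL document quoted later in the thread.
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit udp any host 10.20.0.53 eq domain
 40 permit udp host 10.20.0.53 eq domain any
 ! Constructed policy: no lateral access into the wireless client range
 50 deny   ip any 10.10.0.0 0.0.255.255
 60 permit ip any any
!
! AAA-returned attributes (dynamic VLAN, ACL name) are only honoured when the
! policy profile has aaa-override enabled; a working dynamic VLAN implies it already is.
wireless profile policy PP_IPSK_CLIENTS
 aaa-override
!
! Verification after a client authenticates (placeholder MAC):
! show ip access-lists ISE_IPSK_CLIENTS
! show wireless client mac-address <client-mac> detail
```

Because this is a named-ACL reference rather than a dACL, the ACL must already exist on the controller before the client authenticates; the ISE side carries nothing but the string, so a renamed or mistyped ACL fails silently from ISE's point of view and only shows up in the client detail output on the 9800.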

Thanks for replying, do you have any insights on SD-Access wireless? Can this method be used to enforce ACLs for clients in an SD-Access Wireless environment?

In SDA the access control is typically based on SGTs, where you assign SGT values to source and destination based on IP, VLAN, ports, etc. and create a matrix to allow or deny access between them. Are you using SDA or traditional wireless?

-hope this helps-

I have both, and I’m wondering whether, rather than configuring complex SGTs or SGACLs, the traditional way like Airespace ACL Name can still work with SDA wireless.

it does not align with architectural principles and benefits of SDA's group-based policy and automation capabilities, but it will work. 

-hope this helps-

It is rare to push both dynamic VLAN and dACL.

If you configure ISE to push a dynamic VLAN, then use an ACL in the WLAN to control traffic; there is no need to push it from ISE.

The dACL is mainly used for redirecting traffic for CWA.

MHM

Luna99923
Level 1

Thank you.

Does anyone know if the following still applies to 9800 WLCs?  I pulled the following from: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

Considerations When ACLs are Configured in WLCs

ACLs in WLCs work differently than in routers. These are a few things to remember when you configure ACLs in WLCs:

  • The most common mistake is to select IP when you intend to deny or allow IP packets. Because you select what is inside the IP packet, you deny or allow IP-in-IP packets.

  • Controller ACLs cannot block WLC virtual IP address, and hence DHCP packets for wireless clients.

  • Controller ACLs cannot block multicast traffic received from wired networks that is destined to wireless clients. Controller ACLs are processed for multicast traffic initiated from wireless clients, destined to wired networks or other wireless clients on the same controller.

  • Unlike a router, the ACL controls traffic in both directions when applied to an interface, but it does not perform stateful firewalling. If you forget to open a hole in the ACL for return traffic, this causes a problem.

  • Controller ACLs only block IP packets. You cannot block Layer 2 ACLs or Layer 3 packets that are not IP.

  • Controller ACLs do not use inverse masks like the routers. Here, 255 means match that octet of the IP address exactly.

  • ACLs on the controller are done in software and impact forwarding performance.

That's a very old document for AireOS so I'd not assume any of it necessarily still applies to 9800.

See the config guide https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_conf_ipv4_acl_ewlc.html which discusses how they apply on 9800.

For dACLs also see https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221941-configure-troubleshoot-downloadable-ac.html


Again, why are you looking for dACL and dynamic VLAN in the same SSID? What are your requirements?

MHM
