Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7196
Views
17
Helpful
8
Replies

Catalyst 9800 - WLAN IPv4 ACL for AP in FLEX mode

Go to solution
Martin Jelinek
Level 1
Level 1

‎03-29-2021 05:30 AM - edited ‎07-05-2021 01:03 PM

Hi all,

 

Does anyone know how Catalyst 9800 configuration model approaches ACL settings in terms of IPv4 ACL assigned to WLAN which is used by AP in flexconnect mode to filter traffic with local switching in place?

 

An example is that WLAN is configured to be locally switched, and therefore clients connecting to such WLAN are controlled what such clients can basically connect to based on defined ACL which is used by an AP.

 

In AireOS (WLCs) it was being done with flexconnect ACL, which was basically mapped with VLAN (VLAN-ACL mapping).

 

In world of 9800 is this being done by:

- Flex profile > VLAN tab > where ACL Name is applied to???

or

- Policy profile > Access Policies tab > WLAN ACL - IPv4 ACL ???

 

ACL needs to operate on AP level for a certain broadcasted WLAN, so clients are able to join/associate but just specific resources are allowed for them as per defined ACL.

The AP needs to run in FLEX mode, as it broadcast multiple WLANs (centrally & locally switched) but just one of such locally switched network should be restricted by an ACL.

 

Thanks for any hint/recommendation.

Martin

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Martin Jelinek

‎04-19-2021 12:46 AM

Finally, I have a solution and a bit more explanation on where/how IPv4 ACL behaves.

 

  1. ACL for centrally switched WLANs:
    • Policy profile > "Access Policy" tab > "WLAN ACL" section > "IPv4 ACL" --> it's applied only in case of centrally switched WLANs! therefore such ACL is NOT pushed down to the AP, but stays on WLC and is applied to all clients connected to centrally switched WLANs.
    • Here I tend to believe that with use of centrally switched WLANs it's a bit easier to place WLC leg into a segment protected by some firewall so you have a better ACL management capabilities. Of course in case of have such option in your case.
  2. ACL for locally switched WLANs: - traffic filtered by an AP
    • Flex profile - for ACL to be used on locally switched WLAN and therefore pushed from WLC to AP level you have to define it within Flex profile as follow:
      • "Policy ACL" tab - here you have to define which ACL should be pushed down to the AP. So just select ACL name (rest keep empty/default/unchecked)
      • "VLAN" tab - here you have to do mapping of pushed ACL in previous tab to the VLAN name + VLAN ID + ACL name to be applied.

Well and it just works It might be quite misleading as there is no good documentation about it, but this you can take as a kind of summary if needed. 

 

Please don't take this as full documentation, it is a summary. Cisco should be updating their 9800 documentation with a bit more insight into ACLs and it's purpose/usage.

 

Cheers

View solution in original post

8 Replies 8

Go to solution
Rich R
VIP
VIP

‎03-29-2021 06:29 AM - edited ‎03-29-2021 06:31 AM

In theory the answer should be in https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc64463738 but I'm not sure which feature applies - possibly VLAN ACL?

 

You may have to do some testing yourself because that's the only way to be sure as many things that *should* work on 9800 still don't and are not always very well documented.

 

What we found for a centrally switched WLAN (on an AP in flex mode because we also have locally switched WLANs) is that ACL applied to SVI on the WLC does not work (wacky behaviour with some traffic blocked and some not), but ACL applied in the WLAN policy does work (your 2nd option).  TAC are still investigating whether that's "by design" or not (they're waiting for lab setup to repro what we've seen before taking it to BU).  We haven't tested ACL on locally switched WLAN though.

 

Interested to hear what you find in your testing...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Rich R

‎03-29-2021 10:08 PM

Thanks. I'm planning to test it for sure, and hopefully will be able to do so today. Just thought someone already have such experience.

 

With centrally switched WLANs it's somehow easier because you can place C9800 interface behind some firewall (well if available in your setup of course). 

 

Will try to provide results from my testing.

 

From what I've heard on one webinars by Cisco (and hopefully well understood) is that 1st option should be used in case we use dynamic VLAN assignments with Radius. So second option might make sense...but need to test.

0 Helpful

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Martin Jelinek

‎03-29-2021 11:43 PM

Just tried to use "Policy profile > Access Policies tab > WLAN ACL - IPv4 ACL" however this doesn't work as my intention is. Once ACL applied it basically filters even clients who would like to join this WLAN. So my client wasn't able to even connect to WLAN. Once ACL removed, client was able to connect easily.

 

Therefore this option doesn't provide what I need. 

 

Need to search a bit more, test or shoot TAC case for help. I'm running the 17.3.3 where I believe such feature should be available...

Go to solution
Rich R
VIP
VIP
In response to Martin Jelinek

‎04-07-2021 03:21 AM

TAC just came back to us and said:

This is happening because 9800 is based on ASR architecture and routers are only applying ACLs attached on SVI when packet is routed between interfaces. Since WLC is not doing any form of routing those ACLs are transparent for WLAN traffic and have no effect. Hence,

  • Use ACL under policy profile for client policy enforcement
  • Use ACL under SVI if you want to limit MGMT traffic to the box

They agree this is not well documented for 9800 so have raised an internal documentation bug to get the ACL support & limitations properly documented for 9800.  Hopefully that will include for flex cases.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Rich R

‎04-07-2021 10:57 PM

Thanks for sharing.

I've been also attending webinars which are ongoing and also Cisco accepted in Q&A that ACL topic is a bit missing from documentation perspective.

 

Even above would mean that ACL applied in Policy profile should work but wasn't my case as it depend at what step exactly ACL is enforced by AP. I kind of believe need to do a bit more testing if e.g. DHCP packets were not dropped and therefore it seemed that client wasn't able to connect. 

 

Will post update once I'm done with testing.

Thanks

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Martin Jelinek

‎04-19-2021 12:46 AM

Finally, I have a solution and a bit more explanation on where/how IPv4 ACL behaves.

 

  1. ACL for centrally switched WLANs:
    • Policy profile > "Access Policy" tab > "WLAN ACL" section > "IPv4 ACL" --> it's applied only in case of centrally switched WLANs! therefore such ACL is NOT pushed down to the AP, but stays on WLC and is applied to all clients connected to centrally switched WLANs.
    • Here I tend to believe that with use of centrally switched WLANs it's a bit easier to place WLC leg into a segment protected by some firewall so you have a better ACL management capabilities. Of course in case of have such option in your case.
  2. ACL for locally switched WLANs: - traffic filtered by an AP
    • Flex profile - for ACL to be used on locally switched WLAN and therefore pushed from WLC to AP level you have to define it within Flex profile as follow:
      • "Policy ACL" tab - here you have to define which ACL should be pushed down to the AP. So just select ACL name (rest keep empty/default/unchecked)
      • "VLAN" tab - here you have to do mapping of pushed ACL in previous tab to the VLAN name + VLAN ID + ACL name to be applied.

Well and it just works It might be quite misleading as there is no good documentation about it, but this you can take as a kind of summary if needed. 

 

Please don't take this as full documentation, it is a summary. Cisco should be updating their 9800 documentation with a bit more insight into ACLs and it's purpose/usage.

 

Cheers

Go to solution
Rich R
VIP
VIP
In response to Martin Jelinek

‎04-19-2021 02:40 AM

Thanks Martin

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
Najib Akbari
Level 1
Level 1

‎09-12-2024 12:38 PM

few years after this post, seems still same scenario. I pasted my new post here so you guys might have some input:

summary based on TAC: on C9800 Flex mode local switching to overcome the limitation of "P2P Blocking Action - > Drop" via SSID, use ACL and apply to Flex profile "Policy ACL" and "VLAN" Tab... basically enable both Dp2P Drop and ACL but this is not scable and can not have communication exemption!

https://community.cisco.com/t5/wireless/p2p-blocking-with-acl/m-p/5192879#M275417

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card