Configuring ACL at wlc

interfacedy
Spotlight

What is the purpose of an ACL configured at the WLC? The purpose is security, by blocking unwanted traffic. So there are three kinds of ACL for it: the first is to allow DHCP, the second is to allow DNS traffic, and the third is to allow ICMP, and then block all others. Is this a correct understanding of the ACL function at the WLC? Thank you


10 Replies

You are not wrong, but this understanding is too simple. WLCs have different flavors of ACL. For example, if you want to block connections to the box, you need to use a CPU ACL. But if you want to block or permit traffic for Guest clients, which is very important, you need to create a standard ACL. And you also have FlexConnect ACLs and Layer 2 ACLs.

You can apply an ACL on the WLAN specifically or to all clients.

ammahend
VIP Alumni

An ACL on the WLC is similar to an ACL on any network device: it helps you block what you don't want to pass through the WLC and allow the traffic you do want to pass through the WLC. The three you mentioned are not types of ACL but can be rules in a single ACL. Most ACLs are layer 3, so before traffic can be allowed or denied the client needs at least an IP; so DHCP is mostly allowed so the client can get an IP, as is DNS to resolve FQDN to IP, and ICMP to test network connectivity, etc.
Go through the link that's shared by other members for more details.

-hope this helps-

This ACL is for Web-auth: allow the client to get an IP and resolve by DNS, and deny all other traffic UNTIL the client is authenticated by the server; after that, the permit any any will be added automatically to your ACL.
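The pre-authentication ACL described in the question and in the two replies above (DHCP, DNS and ICMP as rules in one ACL, implicit deny for everything else, then a permit any any once the client has authenticated) can be modelled in a few lines. The following is an added example written for this thread, not Cisco code and not a WLC data structure: the `Packet` and `Rule` classes, the "in"/"out" direction convention, the first-match evaluation and the sample packets are all assumptions made for the illustration. It shows two things the prose leaves implicit: DHCP and DNS need the reply direction permitted as well, and rule order matters because evaluation stops at the first match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a WLC pre-authentication (web-auth) ACL.
# Field names, the "in"/"out" direction convention and the sample packets
# are assumptions made for this example, not a WLC data structure.


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp", "tcp" or "icmp"
    direction: str                   # "in" = from the wireless client, "out" = towards the client
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    direction: str = "any"
    src_port: Optional[int] = None   # None means "any port"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule constrains must agree with the packet."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


# The three "kinds" from the question are rules within ONE ACL. DHCP and DNS
# need the reply direction too, otherwise the client never receives an answer.
PRE_AUTH_ACL: List[Rule] = [
    Rule("permit", proto="udp", direction="in",  src_port=68, dst_port=67),  # DHCP client -> server
    Rule("permit", proto="udp", direction="out", src_port=67, dst_port=68),  # DHCP server -> client
    Rule("permit", proto="udp", direction="in",  dst_port=53),               # DNS query
    Rule("permit", proto="udp", direction="out", src_port=53),               # DNS reply
    Rule("permit", proto="icmp"),                                            # ICMP, both directions
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit deny at the end.

    Returns (action, 1-based index of the matching rule), or ("deny", None)
    when no rule matched, which is the implicit deny doing its job.
    """
    for index, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def after_web_auth(acl: List[Rule]) -> List[Rule]:
    """Model of the 'permit any any' that takes effect once the client has
    authenticated: the pre-auth rules stay, everything else is now permitted."""
    return list(acl) + [Rule("permit")]


# Constructed sample traffic from an unauthenticated guest client.
DHCP_DISCOVER = Packet("udp", "in", src_port=68, dst_port=67)
DNS_QUERY = Packet("udp", "in", src_port=51000, dst_port=53)
DNS_REPLY = Packet("udp", "out", src_port=53, dst_port=51000)
PING = Packet("icmp", "in")
HTTPS = Packet("tcp", "in", src_port=51001, dst_port=443)

if __name__ == "__main__":
    samples = [("DHCP", DHCP_DISCOVER), ("DNS query", DNS_QUERY),
               ("DNS reply", DNS_REPLY), ("ping", PING), ("HTTPS", HTTPS)]
    for name, pkt in samples:
        print(f"pre-auth  {name:10s} -> {evaluate(PRE_AUTH_ACL, pkt)}")
    print(f"post-auth HTTPS      -> {evaluate(after_web_auth(PRE_AUTH_ACL), HTTPS)}")
    # A deny-any placed first shadows every permit below it: ordering is the rule.
    print(f"misordered DHCP      -> {evaluate([Rule('deny')] + PRE_AUTH_ACL, DHCP_DISCOVER)}")
```

Running the block shows HTTPS from the unauthenticated client hitting the implicit deny while DHCP, DNS (both directions) and ICMP are permitted, HTTPS being permitted by the appended rule after authentication, and a deny placed at the top of the list swallowing everything. That last case is the one to check when a web-auth portal "never loads": a redirect cannot happen if DNS or DHCP is shadowed by an earlier deny.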

Leftz
Level 4

Thank you all for your reply! 

@MHM Cisco World, the ACL is for Web-auth. I cannot find the relation in several documents. Our WLC IOS version is 8.10-. What is the latest Cisco document talking about the relation? The IOS 8.10- release document does not talk about the relation.

You need to know what kind of Web-auth you are going to use: Local or Central. If Local, internal or external portal.

Central Web auth is better but you need to have ISE. 

The Access List for Web auth is pretty simple. 

Leftz
Level 4

I think the document mentioned by MHM has the explanation. My understanding is that we configure the ACL at the WLC, then ISE uses it via the ACL name defined at the WLC, right?

That's correct. The ACL name must match. And you need to select NAC State on the Advanced tab of the Guest WLAN.

 

interfacedy
Spotlight

Thank you all!
