Does the 9800 config converter (from AirOS) convert the ACLs properly?

tdennehy
Level 1

We have a dozen or so ACLs in our AirOS controllers, and I'm making new configs for the 9800 refresh.  I am using the conversion tool as a starting point.  Meaning, I am not using the conversion tool and taking the output and blindly copying it into the 9800s.

I noticed that each one of the ACLs that has been converted has "1 permit ip any any" as the first rule.  Almost as if the config converter doesn't want to create any ACL issues, so it permits everything on the first line.

Here are just two examples of the ACLs that are in the controllers.  First is the AirOS, then the converted.  The converted ACL starts out with permit ip any any as the first rule in every ACL that was converted.

I thought I read somewhere, or maybe watched a YouTube video, that might have stated the converter puts this statement in there; however, now I cannot find where I saw or read that.

Has anyone else seen this?

Thanks in advance!


<===This is the old AirOS ACL from the legacy WLAN controller===>

config acl rule add ACL-4676297 1
config acl rule source port range ACL-4676297 1 0 65535
config acl rule direction ACL-4676297 1 out
config acl rule destination port range ACL-4676297 1 0 65535
config acl rule action ACL-4676297 1 permit
config acl rule add ACL-4676297 2
config acl rule source port range ACL-4676297 2 0 65535
config acl rule protocol ACL-4676297 2 17
config acl rule direction ACL-4676297 2 in
config acl rule destination port range ACL-4676297 2 53 53
config acl rule action ACL-4676297 2 permit
config acl rule add ACL-4676297 3
config acl rule source port range ACL-4676297 3 0 65535
config acl rule protocol ACL-4676297 3 6
config acl rule direction ACL-4676297 3 in
config acl rule destination port range ACL-4676297 3 443 443
config acl rule destination address ACL-4676297 3 10.156.204.198 255.255.255.255
config acl rule action ACL-4676297 3 permit
config acl rule add ACL-4676297 4
config acl rule source port range ACL-4676297 4 0 65535
config acl rule protocol ACL-4676297 4 6
config acl rule destination port range ACL-4676297 4 443 443
config acl rule destination address ACL-4676297 4 10.160.42.178 255.255.255.255
config acl rule action ACL-4676297 4 permit
config acl rule add ACL-4676297 5
config acl rule source port range ACL-4676297 5 0 65535
config acl rule protocol ACL-4676297 5 6
config acl rule destination port range ACL-4676297 5 443 443
config acl rule destination address ACL-4676297 5 10.160.24.117 255.255.255.255
config acl rule action ACL-4676297 5 permit
config acl rule add ACL-4676297 6
config acl rule source port range ACL-4676297 6 0 65535
config acl rule protocol ACL-4676297 6 6
config acl rule destination port range ACL-4676297 6 443 443
config acl rule destination address ACL-4676297 6 10.160.28.109 255.255.255.255
config acl rule action ACL-4676297 6 permit
config acl rule add ACL-4676297 7
config acl rule source port range ACL-4676297 7 0 65535
config acl rule protocol ACL-4676297 7 6
config acl rule destination port range ACL-4676297 7 443 443
config acl rule destination address ACL-4676297 7 10.160.28.126 255.255.255.255
config acl rule action ACL-4676297 7 permit
config acl rule add ACL-4676297 8
config acl rule source port range ACL-4676297 8 0 65535
config acl rule protocol ACL-4676297 8 6
config acl rule direction ACL-4676297 8 in
config acl rule destination port range ACL-4676297 8 443 443
config acl rule destination address ACL-4676297 8 10.164.38.152 255.255.255.255
config acl rule action ACL-4676297 8 permit
config acl rule add ACL-4676297 9
config acl rule source port range ACL-4676297 9 0 65535
config acl rule protocol ACL-4676297 9 6
config acl rule direction ACL-4676297 9 in
config acl rule destination port range ACL-4676297 9 443 443
config acl rule destination address ACL-4676297 9 10.164.38.153 255.255.255.255
config acl rule action ACL-4676297 9 permit
config acl rule add ACL-4676297 10
config acl rule source port range ACL-4676297 10 0 65535
config acl rule protocol ACL-4676297 10 6
config acl rule direction ACL-4676297 10 in
config acl rule destination port range ACL-4676297 10 443 443
config acl rule destination address ACL-4676297 10 10.164.20.24 255.255.255.255
config acl rule action ACL-4676297 10 permit
config acl rule add ACL-4676297 11
config acl rule source port range ACL-4676297 11 0 65535
config acl rule protocol ACL-4676297 11 6
config acl rule direction ACL-4676297 11 in
config acl rule destination port range ACL-4676297 11 443 443
config acl rule destination address ACL-4676297 11 10.164.20.26 255.255.255.255
config acl rule action ACL-4676297 11 permit
config acl rule add ACL-4676297 12
config acl rule source port range ACL-4676297 12 0 65535
config acl rule protocol ACL-4676297 12 6
config acl rule direction ACL-4676297 12 in
config acl rule destination port range ACL-4676297 12 443 443
config acl rule destination address ACL-4676297 12 10.156.57.80 255.255.255.255
config acl rule action ACL-4676297 12 permit
config acl rule add ACL-4676297 13
config acl rule source port range ACL-4676297 13 0 65535
config acl rule protocol ACL-4676297 13 6
config acl rule direction ACL-4676297 13 in
config acl rule destination port range ACL-4676297 13 443 443
config acl rule destination address ACL-4676297 13 10.160.39.31 255.255.255.255
config acl rule action ACL-4676297 13 permit
config acl rule add ACL-4676297 14
config acl rule source port range ACL-4676297 14 0 65535
config acl rule protocol ACL-4676297 14 6
config acl rule direction ACL-4676297 14 in
config acl rule destination port range ACL-4676297 14 443 443
config acl rule destination address ACL-4676297 14 10.160.39.32 255.255.255.255
config acl rule action ACL-4676297 14 permit
config acl rule add ACL-4676297 15
config acl rule source port range ACL-4676297 15 0 65535
config acl rule protocol ACL-4676297 15 6
config acl rule direction ACL-4676297 15 in
config acl rule destination port range ACL-4676297 15 443 443
config acl rule destination address ACL-4676297 15 10.156.164.153 255.255.255.255
config acl rule action ACL-4676297 15 permit
config acl rule add ACL-4676297 16
config acl rule source port range ACL-4676297 16 0 65535
config acl rule protocol ACL-4676297 16 6
config acl rule direction ACL-4676297 16 in
config acl rule destination port range ACL-4676297 16 443 443
config acl rule destination address ACL-4676297 16 10.156.164.157 255.255.255.255
config acl rule action ACL-4676297 16 permit
config acl rule add ACL-4676297 17
config acl rule source port range ACL-4676297 17 0 65535
config acl rule protocol ACL-4676297 17 6
config acl rule direction ACL-4676297 17 in
config acl rule destination port range ACL-4676297 17 443 443
config acl rule destination address ACL-4676297 17 10.160.43.46 255.255.255.255
config acl rule action ACL-4676297 17 permit
config acl rule add ACL-4676297 18
config acl rule source port range ACL-4676297 18 0 65535
config acl rule protocol ACL-4676297 18 6
config acl rule direction ACL-4676297 18 in
config acl rule destination port range ACL-4676297 18 443 443
config acl rule destination address ACL-4676297 18 10.160.43.85 255.255.255.255
config acl rule action ACL-4676297 18 permit
config acl rule add ACL-4676297 19
config acl rule source port range ACL-4676297 19 0 65535
config acl rule protocol ACL-4676297 19 6
config acl rule direction ACL-4676297 19 in
config acl rule destination port range ACL-4676297 19 443 443
config acl rule destination address ACL-4676297 19 10.160.53.35 255.255.255.255
config acl rule action ACL-4676297 19 permit
config acl rule add ACL-4676297 20
config acl rule source port range ACL-4676297 20 0 65535
config acl rule protocol ACL-4676297 20 6
config acl rule direction ACL-4676297 20 in
config acl rule destination port range ACL-4676297 20 443 443
config acl rule destination address ACL-4676297 20 10.160.53.36 255.255.255.255
config acl rule action ACL-4676297 20 permit
config acl rule add ACL-4676297 21
config acl rule source port range ACL-4676297 21 0 65535
config acl rule protocol ACL-4676297 21 6
config acl rule direction ACL-4676297 21 in
config acl rule destination port range ACL-4676297 21 443 443
config acl rule destination address ACL-4676297 21 10.241.53.25 255.255.255.255
config acl rule action ACL-4676297 21 permit
config acl rule add ACL-4676297 22
config acl rule source port range ACL-4676297 22 0 65535
config acl rule protocol ACL-4676297 22 6
config acl rule direction ACL-4676297 22 in
config acl rule destination port range ACL-4676297 22 443 443
config acl rule destination address ACL-4676297 22 10.241.53.24 255.255.255.255
config acl rule action ACL-4676297 22 permit
config acl rule add ACL-4676297 23
config acl rule source port range ACL-4676297 23 0 65535
config acl rule protocol ACL-4676297 23 6
config acl rule direction ACL-4676297 23 in
config acl rule destination port range ACL-4676297 23 443 443
config acl rule destination address ACL-4676297 23 10.241.43.39 255.255.255.255
config acl rule action ACL-4676297 23 permit
config acl rule add ACL-4676297 24
config acl rule source port range ACL-4676297 24 0 65535
config acl rule protocol ACL-4676297 24 6
config acl rule direction ACL-4676297 24 in
config acl rule destination port range ACL-4676297 24 443 443
config acl rule destination address ACL-4676297 24 10.241.43.38 255.255.255.255
config acl rule action ACL-4676297 24 permit
config acl rule add ACL-4676297 25
config acl rule source port range ACL-4676297 25 0 65535
config acl rule direction ACL-4676297 25 in
config acl rule destination port range ACL-4676297 25 0 65535
config acl rule action ACL-4676297 25 permit
config acl rule add ACL-4676297 26
config acl rule source port range ACL-4676297 26 0 65535
config acl rule protocol ACL-4676297 26 6
config acl rule direction ACL-4676297 26 in
config acl rule destination port range ACL-4676297 26 443 443
config acl rule destination address ACL-4676297 26 10.160.39.33 255.255.255.255
config acl rule action ACL-4676297 26 permit
config acl rule add ACL-4676297 27
config acl rule source port range ACL-4676297 27 0 65535
config acl rule protocol ACL-4676297 27 6
config acl rule direction ACL-4676297 27 in
config acl rule destination port range ACL-4676297 27 443 443
config acl rule destination address ACL-4676297 27 10.160.39.34 255.255.255.255
config acl rule action ACL-4676297 27 permit
config acl rule add ACL-4676297 28
config acl rule source port range ACL-4676297 28 0 65535
config acl rule protocol ACL-4676297 28 6
config acl rule direction ACL-4676297 28 in
config acl rule destination port range ACL-4676297 28 443 443
config acl rule destination address ACL-4676297 28 10.156.57.218 255.255.255.255
config acl rule action ACL-4676297 28 permit
config acl rule add ACL-4676297 29
config acl rule source port range ACL-4676297 29 0 65535
config acl rule protocol ACL-4676297 29 6
config acl rule direction ACL-4676297 29 in
config acl rule destination port range ACL-4676297 29 443 443
config acl rule destination address ACL-4676297 29 10.164.38.154 255.255.255.255
config acl rule action ACL-4676297 29 permit
config acl rule add ACL-4676297 30
config acl rule source port range ACL-4676297 30 0 65535
config acl rule direction ACL-4676297 30 in
config acl rule destination port range ACL-4676297 30 0 65535
config acl rule destination address ACL-4676297 30 10.0.0.0 255.0.0.0
config acl rule add ACL-4676297 31
config acl rule source port range ACL-4676297 31 0 65535
config acl rule direction ACL-4676297 31 in
config acl rule destination port range ACL-4676297 31 0 65535
config acl rule destination address ACL-4676297 31 172.16.0.0 255.240.0.0
config acl rule add ACL-4676297 32
config acl rule source port range ACL-4676297 32 0 65535
config acl rule direction ACL-4676297 32 in
config acl rule destination port range ACL-4676297 32 0 65535
config acl rule destination address ACL-4676297 32 192.168.0.0 255.255.0.0
config acl rule add ACL-4676297 65
config acl rule source port range ACL-4676297 65 0 65535
config acl rule destination port range ACL-4676297 65 0 65535


<===This is the NEW ACL translated from the legacy WLAN controller===>

ip access-list extended ACL-4676297
1 permit ip any any
2 permit 17 any range 0 65535 any eq 53
3 permit 6 any range 0 65535 host 10.156.204.198 eq 443
4 permit 6 any range 0 65535 host 10.160.42.178 eq 443
5 permit 6 any range 0 65535 host 10.160.24.117 eq 443
6 permit 6 any range 0 65535 host 10.160.28.109 eq 443
7 permit 6 any range 0 65535 host 10.160.28.126 eq 443
8 permit 6 any range 0 65535 host 10.164.38.152 eq 443
9 permit 6 any range 0 65535 host 10.164.38.153 eq 443
10 permit 6 any range 0 65535 host 10.164.20.24 eq 443
11 permit 6 any range 0 65535 host 10.164.20.26 eq 443
12 permit 6 any range 0 65535 host 10.156.57.80 eq 443
13 permit 6 any range 0 65535 host 10.160.39.31 eq 443
14 permit 6 any range 0 65535 host 10.160.39.32 eq 443
15 permit 6 any range 0 65535 host 10.156.164.153 eq 443
16 permit 6 any range 0 65535 host 10.156.164.157 eq 443
17 permit 6 any range 0 65535 host 10.160.43.46 eq 443
18 permit 6 any range 0 65535 host 10.160.43.85 eq 443
19 permit 6 any range 0 65535 host 10.160.53.35 eq 443
20 permit 6 any range 0 65535 host 10.160.53.36 eq 443
21 permit 6 any range 0 65535 host 10.241.53.25 eq 443
22 permit 6 any range 0 65535 host 10.241.53.24 eq 443
23 permit 6 any range 0 65535 host 10.241.43.39 eq 443
24 permit 6 any range 0 65535 host 10.241.43.38 eq 443
25 permit ip any any
26 permit 6 any range 0 65535 host 10.160.39.33 eq 443
27 permit 6 any range 0 65535 host 10.160.39.34 eq 443
28 permit 6 any range 0 65535 host 10.156.57.218 eq 443
29 permit 6 any range 0 65535 host 10.164.38.154 eq 443
30 deny ip any 10.0.0.0 0.255.255.255
31 deny ip any 172.16.0.0 0.15.255.255
32 deny ip any 192.168.0.0 0.0.255.255
65 deny ip any any


<===This is the old AirOS ACL from the legacy WLAN controller===>

config acl rule add ACL-6829344 1
config acl rule source port range ACL-6829344 1 0 65535
config acl rule direction ACL-6829344 1 out
config acl rule destination port range ACL-6829344 1 0 65535
config acl rule action ACL-6829344 1 permit
config acl rule add ACL-6829344 2
config acl rule source port range ACL-6829344 2 68 68
config acl rule protocol ACL-6829344 2 17
config acl rule direction ACL-6829344 2 in
config acl rule destination port range ACL-6829344 2 67 67
config acl rule action ACL-6829344 2 permit
config acl rule add ACL-6829344 3
config acl rule source port range ACL-6829344 3 0 65535
config acl rule protocol ACL-6829344 3 17
config acl rule direction ACL-6829344 3 in
config acl rule destination port range ACL-6829344 3 53 53
config acl rule action ACL-6829344 3 permit
config acl rule add ACL-6829344 4
config acl rule source port range ACL-6829344 4 0 65535
config acl rule protocol ACL-6829344 4 6
config acl rule direction ACL-6829344 4 in
config acl rule destination port range ACL-6829344 4 443 443
config acl rule destination address ACL-6829344 4 10.164.38.152 255.255.255.255
config acl rule action ACL-6829344 4 permit
config acl rule add ACL-6829344 5
config acl rule source port range ACL-6829344 5 0 65535
config acl rule protocol ACL-6829344 5 6
config acl rule direction ACL-6829344 5 in
config acl rule destination port range ACL-6829344 5 443 443
config acl rule destination address ACL-6829344 5 10.164.38.153 255.255.255.255
config acl rule action ACL-6829344 5 permit
config acl rule add ACL-6829344 6
config acl rule source port range ACL-6829344 6 0 65535
config acl rule protocol ACL-6829344 6 6
config acl rule direction ACL-6829344 6 in
config acl rule destination port range ACL-6829344 6 443 443
config acl rule destination address ACL-6829344 6 10.164.20.24 255.255.255.255
config acl rule action ACL-6829344 6 permit
config acl rule add ACL-6829344 7
config acl rule source port range ACL-6829344 7 0 65535
config acl rule protocol ACL-6829344 7 6
config acl rule direction ACL-6829344 7 in
config acl rule destination port range ACL-6829344 7 443 443
config acl rule destination address ACL-6829344 7 10.164.20.26 255.255.255.255
config acl rule action ACL-6829344 7 permit
config acl rule add ACL-6829344 8
config acl rule source port range ACL-6829344 8 0 65535
config acl rule protocol ACL-6829344 8 6
config acl rule direction ACL-6829344 8 in
config acl rule destination port range ACL-6829344 8 443 443
config acl rule destination address ACL-6829344 8 10.156.164.153 255.255.255.255
config acl rule action ACL-6829344 8 permit
config acl rule add ACL-6829344 9
config acl rule source port range ACL-6829344 9 0 65535
config acl rule protocol ACL-6829344 9 6
config acl rule direction ACL-6829344 9 in
config acl rule destination port range ACL-6829344 9 443 443
config acl rule destination address ACL-6829344 9 10.156.164.157 255.255.255.255
config acl rule action ACL-6829344 9 permit
config acl rule add ACL-6829344 10
config acl rule source port range ACL-6829344 10 0 65535
config acl rule protocol ACL-6829344 10 6
config acl rule direction ACL-6829344 10 in
config acl rule destination port range ACL-6829344 10 443 443
config acl rule destination address ACL-6829344 10 10.164.38.154 255.255.255.255
config acl rule action ACL-6829344 10 permit
config acl rule add ACL-6829344 11
config acl rule source port range ACL-6829344 11 0 65535
config acl rule protocol ACL-6829344 11 6
config acl rule direction ACL-6829344 11 in
config acl rule destination port range ACL-6829344 11 443 443
config acl rule destination address ACL-6829344 11 10.160.42.158 255.255.255.255
config acl rule action ACL-6829344 11 permit
config acl rule add ACL-6829344 12
config acl rule source port range ACL-6829344 12 0 65535
config acl rule protocol ACL-6829344 12 6
config acl rule direction ACL-6829344 12 in
config acl rule destination port range ACL-6829344 12 443 443
config acl rule destination address ACL-6829344 12 10.160.43.79 255.255.255.255
config acl rule action ACL-6829344 12 permit
config acl rule add ACL-6829344 13
config acl rule source port range ACL-6829344 13 0 65535
config acl rule protocol ACL-6829344 13 6
config acl rule direction ACL-6829344 13 in
config acl rule destination port range ACL-6829344 13 443 443
config acl rule destination address ACL-6829344 13 10.160.43.84 255.255.255.255
config acl rule action ACL-6829344 13 permit
config acl rule add ACL-6829344 14
config acl rule source port range ACL-6829344 14 0 65535
config acl rule protocol ACL-6829344 14 6
config acl rule direction ACL-6829344 14 in
config acl rule destination port range ACL-6829344 14 443 443
config acl rule destination address ACL-6829344 14 10.160.53.21 255.255.255.255
config acl rule action ACL-6829344 14 permit
config acl rule add ACL-6829344 15
config acl rule source port range ACL-6829344 15 0 65535
config acl rule protocol ACL-6829344 15 6
config acl rule direction ACL-6829344 15 in
config acl rule destination port range ACL-6829344 15 443 443
config acl rule destination address ACL-6829344 15 10.160.53.22 255.255.255.255
config acl rule action ACL-6829344 15 permit
config acl rule add ACL-6829344 16
config acl rule source port range ACL-6829344 16 0 65535
config acl rule protocol ACL-6829344 16 6
config acl rule direction ACL-6829344 16 in
config acl rule destination port range ACL-6829344 16 443 443
config acl rule destination address ACL-6829344 16 10.156.204.198 255.255.255.255
config acl rule action ACL-6829344 16 permit
config acl rule add ACL-6829344 17
config acl rule source port range ACL-6829344 17 0 65535
config acl rule protocol ACL-6829344 17 6
config acl rule direction ACL-6829344 17 in
config acl rule destination port range ACL-6829344 17 443 443
config acl rule destination address ACL-6829344 17 10.160.42.178 255.255.255.255
config acl rule action ACL-6829344 17 permit
config acl rule add ACL-6829344 18
config acl rule source port range ACL-6829344 18 0 65535
config acl rule protocol ACL-6829344 18 6
config acl rule direction ACL-6829344 18 in
config acl rule destination port range ACL-6829344 18 443 443
config acl rule destination address ACL-6829344 18 10.160.24.117 255.255.255.255
config acl rule action ACL-6829344 18 permit
config acl rule add ACL-6829344 19
config acl rule source port range ACL-6829344 19 0 65535
config acl rule protocol ACL-6829344 19 6
config acl rule direction ACL-6829344 19 in
config acl rule destination port range ACL-6829344 19 443 443
config acl rule destination address ACL-6829344 19 10.156.44.131 255.255.255.255
config acl rule action ACL-6829344 19 permit
config acl rule add ACL-6829344 20
config acl rule source port range ACL-6829344 20 0 65535
config acl rule protocol ACL-6829344 20 6
config acl rule direction ACL-6829344 20 in
config acl rule destination port range ACL-6829344 20 443 443
config acl rule destination address ACL-6829344 20 10.160.24.241 255.255.255.255
config acl rule action ACL-6829344 20 permit
config acl rule add ACL-6829344 21
config acl rule source port range ACL-6829344 21 0 65535
config acl rule protocol ACL-6829344 21 6
config acl rule direction ACL-6829344 21 in
config acl rule destination port range ACL-6829344 21 443 443
config acl rule destination address ACL-6829344 21 10.160.28.157 255.255.255.255
config acl rule action ACL-6829344 21 permit
config acl rule add ACL-6829344 22
config acl rule source port range ACL-6829344 22 0 65535
config acl rule direction ACL-6829344 22 in
config acl rule destination port range ACL-6829344 22 0 65535
config acl rule destination address ACL-6829344 22 10.0.0.0 255.0.0.0
config acl rule add ACL-6829344 23
config acl rule source port range ACL-6829344 23 0 65535
config acl rule direction ACL-6829344 23 in
config acl rule destination port range ACL-6829344 23 0 65535
config acl rule destination address ACL-6829344 23 172.16.0.0 255.240.0.0
config acl rule add ACL-6829344 24
config acl rule source port range ACL-6829344 24 0 65535
config acl rule direction ACL-6829344 24 in
config acl rule destination port range ACL-6829344 24 0 65535
config acl rule destination address ACL-6829344 24 192.168.0.0 255.255.0.0
config acl rule add ACL-6829344 25
config acl rule source port range ACL-6829344 25 0 65535
config acl rule direction ACL-6829344 25 out
config acl rule destination port range ACL-6829344 25 0 65535
config acl rule action ACL-6829344 25 permit
config acl rule add ACL-6829344 65
config acl rule source port range ACL-6829344 65 0 65535
config acl rule destination port range ACL-6829344 65 0 65535


<===This is the NEW ACL translated from the legacy WLAN controller===>

ip access-list extended ACL-6829344
1 permit ip any any
2 permit 17 any eq 68 any eq 67
3 permit 17 any range 0 65535 any eq 53
4 permit 6 any range 0 65535 host 10.164.38.152 eq 443
5 permit 6 any range 0 65535 host 10.164.38.153 eq 443
6 permit 6 any range 0 65535 host 10.164.20.24 eq 443
7 permit 6 any range 0 65535 host 10.164.20.26 eq 443
8 permit 6 any range 0 65535 host 10.156.164.153 eq 443
9 permit 6 any range 0 65535 host 10.156.164.157 eq 443
10 permit 6 any range 0 65535 host 10.164.38.154 eq 443
11 permit 6 any range 0 65535 host 10.160.42.158 eq 443
12 permit 6 any range 0 65535 host 10.160.43.79 eq 443
13 permit 6 any range 0 65535 host 10.160.43.84 eq 443
14 permit 6 any range 0 65535 host 10.160.53.21 eq 443
15 permit 6 any range 0 65535 host 10.160.53.22 eq 443
16 permit 6 any range 0 65535 host 10.156.204.198 eq 443
17 permit 6 any range 0 65535 host 10.160.42.178 eq 443
18 permit 6 any range 0 65535 host 10.160.24.117 eq 443
19 permit 6 any range 0 65535 host 10.156.44.131 eq 443
20 permit 6 any range 0 65535 host 10.160.24.241 eq 443
21 permit 6 any range 0 65535 host 10.160.28.157 eq 443
22 deny ip any 10.0.0.0 0.255.255.255
23 deny ip any 172.16.0.0 0.15.255.255
24 deny ip any 192.168.0.0 0.0.255.255
25 permit ip any any
65 deny ip any any
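As an added example (not Cisco's converter and not part of the original post), here is a small Python script that reproduces the AirOS-to-IOS-XE mapping visible in the pairs above and reports the one thing the target format cannot carry: the per-rule direction. The defaults it applies (a rule with no action line comes out as deny, a rule with no protocol line as ip, a 255.255.255.255 mask as host, ports rendered as eq or range) are inferred from the pairs above, not taken from Cisco's tool; the sample input is an excerpt of ACL-4676297 from the post.

```python
# Added example (not Cisco's converter): reproduce the AirOS -> IOS-XE ACL
# mapping visible in the post and report what the target format cannot carry.
import re
from collections import defaultdict

# One AirOS line: config acl rule <field> <acl-name> <rule-index> [args...]
RULE_RE = re.compile(
    r"^config acl rule (add|source port range|destination port range|direction|"
    r"source address|destination address|protocol|action) (\S+) (\d+)(?: (.*))?$"
)

# Constructed sample: rules 1, 3, 30 and 65 of ACL-4676297, copied from the post.
SAMPLE_AIROS = """\
config acl rule add ACL-4676297 1
config acl rule source port range ACL-4676297 1 0 65535
config acl rule direction ACL-4676297 1 out
config acl rule destination port range ACL-4676297 1 0 65535
config acl rule action ACL-4676297 1 permit
config acl rule add ACL-4676297 3
config acl rule source port range ACL-4676297 3 0 65535
config acl rule protocol ACL-4676297 3 6
config acl rule direction ACL-4676297 3 in
config acl rule destination port range ACL-4676297 3 443 443
config acl rule destination address ACL-4676297 3 10.156.204.198 255.255.255.255
config acl rule action ACL-4676297 3 permit
config acl rule add ACL-4676297 30
config acl rule source port range ACL-4676297 30 0 65535
config acl rule direction ACL-4676297 30 in
config acl rule destination port range ACL-4676297 30 0 65535
config acl rule destination address ACL-4676297 30 10.0.0.0 255.0.0.0
config acl rule add ACL-4676297 65
config acl rule source port range ACL-4676297 65 0 65535
config acl rule destination port range ACL-4676297 65 0 65535
"""

# Where each AirOS field lands on the rule dict; port/address fields keep a pair.
PAIR_FIELDS = {"source port range": "sport", "destination port range": "dport",
               "source address": "src", "destination address": "dst"}
SCALAR_FIELDS = {"direction": "direction", "protocol": "protocol", "action": "action"}


def parse_airos_acl(text):
    """Return {acl_name: {rule_index: rule_dict}} from AirOS 'config acl rule' lines."""
    acls = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not an ACL rule line; other config sections are out of scope here
        field, name, idx, rest = m.groups()
        rule = acls[name].setdefault(int(idx), {"index": int(idx)})
        args = (rest or "").split()
        if field in PAIR_FIELDS:
            rule[PAIR_FIELDS[field]] = (args[0], args[1])
        elif field in SCALAR_FIELDS:
            rule[SCALAR_FIELDS[field]] = args[0]
    return dict(acls)


def _wildcard(mask):
    """255.0.0.0 -> 0.255.255.255: IOS ACEs use inverse masks."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def _addr(entry):
    if entry is None:
        return "any"  # the AirOS rule had no address line
    ip, mask = entry
    return f"host {ip}" if mask == "255.255.255.255" else f"{ip} {_wildcard(mask)}"


def _port(entry):
    lo, hi = entry or ("0", "65535")
    return f" eq {lo}" if lo == hi else f" range {lo} {hi}"


def render_ace(rule):
    """One IOS-XE ACE in the shape the post shows; 'direction' is deliberately unused."""
    action = rule.get("action", "deny")  # rules without an action line came out as deny
    proto = rule.get("protocol", "ip")   # rules without a protocol line came out as ip
    ports = proto != "ip"                # port qualifiers only appear for TCP/UDP ACEs
    return (f"{rule['index']} {action} {proto} {_addr(rule.get('src'))}"
            f"{_port(rule.get('sport')) if ports else ''} {_addr(rule.get('dst'))}"
            f"{_port(rule.get('dport')) if ports else ''}")


def convert(name, rules):
    return [f"ip access-list extended {name}"] + [render_ace(rules[i]) for i in sorted(rules)]


def outbound_rules(rules):
    """Indexes of 'direction out' rules: after conversion they match both directions."""
    return [i for i in sorted(rules) if rules[i].get("direction") == "out"]


if __name__ == "__main__":
    for name, rules in parse_airos_acl(SAMPLE_AIROS).items():
        print("\n".join(convert(name, rules)))
        print("! rules whose AirOS direction 'out' was lost:", outbound_rules(rules))
```

Run as-is it prints the four ACEs in the same form as the converted ACL in the post and reports rule 1 as the one whose "out" direction was lost: an IOS-XE ACE has no per-entry direction, so an AirOS "out permit any" lands in the same list as the "in" rules and reads as "permit ip any any" for both directions. That is the entry worth reviewing first in every converted ACL.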

 

 

marce1000
VIP
My honest feeling when I see all those ACLs is that it would be advisable to let the 9800 be a wireless controller (servicing wireless with the APs only) and transfer the ACL stuff to firewalling solutions, either intranet or internet targeted; you never see people using so many ACLs on a wireless controller, and the solution does not scale in the context of structured management. In the meantime you can always have the configuration of a (the) 9800 controller reviewed and analyzed with the CLI command: show tech wireless; feed the output into
https://cway.cisco.com/wireless-config-analyzer/

The latter procedure is 'always advised' before production use of the 9800, but also after (new) configuration changes and upgrades, for instance.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

I agree with you 100%, and let the controller be a controller and do the security somewhere else.  However, I am only changing out the controller and not re-designing the network, unfortunately.  I agree, it doesn't scale unless the ACLs are all the same across the organization; if they were, a template could be used to update 150 controllers' ACLs at once.

I have used the config analyzer and uploaded the show tech wireless.

I'm wondering if anyone has done a conversion of their AirOS controller and whether the output of even the simplest of ACLs was negated by the ip any any config line?

Having "permit ip any any" as the first line of those new ACLs makes no sense. That makes all other entries useless.

HTH
Rasika

tdennehy
Level 1

Rasika,

Yes, that's my point.  I'm wondering "if it's me - am I the only one that ran an AirOS config with a dozen ACLs in it through the online config converter and actually noticed that the converted ACLs all have a permit any any in the first line?"

I could see why this would be intentional.  Maybe the makers of the converter wanted to eliminate ACL issues and wrote it to convert the ACL, but then stuck in the permit any any for the engineer to remove later?

I think I either read this or saw it in a video somewhere, and simply dismissed it, and now it's ringing a bell in my head.  I'll gladly send you a config if you want to try running it through the converter, because I would love to be proved wrong.  I think this means I am going to have to go through a dozen ACLs and look at each one to verify accuracy.  Unless I can find documentation that states that the converter installs that permit any any automagically.

It is an interesting one. Hopefully someone from Cisco can clarify what the intention of that line is (if it is put there on purpose). I have asked Shankar, who developed this tool, to shed some light on it.

HTH
Rasika

tdennehy
Level 1

Rasika,

I tried another config.  Sure enough, I get an ip any any.  I can PM you with a config if you would like to see for yourself.  I am wondering if I am doing something wrong here!
Hi Tim,

Thank you for testing it to reconfirm the behaviour you saw. I expect Shankar to get back to us early next week once he tests it as well.

I do not think you are doing anything wrong with config translation. (sent you a DM as well)

HTH
Rasika

Hi,

Thank you and Rasika for reporting this. I am double-checking my understanding with the C9800 BU, but here's my understanding thus far:

1. The C9800 config converter deliberately adds the permit IP any any statement at the beginning so as not to cause any management-access block if the config is directly applied. This is a common practice in some migration tools to ensure that the converted ACLs do not accidentally block any traffic during the migration process. Remember, this tool is also embedded inside the C9800 UI and can be directly applied.

2. The ACL config you pasted as-is will be under unmapped config; however, with the context of the WLAN config, we will attempt to translate the ACL config with the permit IP any any up front. If you can mail us your config file at ciscocom-apps-wirelessconfigconverter@cisco.com, we will confirm whether the warning messages are clear.

3. The config converter tool is not a plug-in-the-config-and-migrate-directly tool. There are mandatory user interventions required, including ACL configurations. You should see those marked as below:

!% Note: 1: Lines start with prefix '!$' need to be taken care before applying to C9800.
!% 2: Lines start with prefix '!%' have note and sample examples, about feature and steps to follow.

In your case, it's essential to review and adjust the converted ACLs as necessary to meet your security requirements on the 9800 platform. You should carefully assess and modify these default rules based on your specific network security policies and requirements.
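As an added example (not Cisco's tool and not any participant's code), the review step Shankar describes can be mechanised: a Python audit of the converted IOS-XE ACL text that lists every ACE made unreachable by an earlier, broader ACE, so the leading "permit ip any any" shows up as shadowing everything after it, and that collects the '!$' lines the converter wants handled before the config is applied. It handles only the address forms (any, host, address plus wildcard) and port operators (eq, range) that appear in the converted ACLs on this page; the sample input is an excerpt of the converted ACL-6829344 from the first post plus one constructed '!$' line whose wording is made up.

```python
# Added example (not Cisco's tool): audit a converted IOS-XE ACL for ACEs that an
# earlier, broader ACE makes unreachable, and collect the converter's '!$' lines.
import ipaddress
import re

# <seq> permit|deny <proto> <rest>; only the forms seen in the post are handled:
# any | host A | A WILDCARD for addresses, eq N | range LO HI for ports.
ACE_RE = re.compile(r"^(\d+) (permit|deny) (\S+) (.*)$")

# Constructed sample: an excerpt of the converted ACL-6829344 from the post,
# plus one '!$' line of the kind Shankar describes (its wording is made up).
SAMPLE_CONVERTED = """\
!$ ACL-6829344: review before applying to C9800 (constructed note)
ip access-list extended ACL-6829344
1 permit ip any any
2 permit 17 any eq 68 any eq 67
3 permit 17 any range 0 65535 any eq 53
4 permit 6 any range 0 65535 host 10.164.38.152 eq 443
22 deny ip any 10.0.0.0 0.255.255.255
25 permit ip any any
65 deny ip any any
"""

ANY = (0, 0xFFFFFFFF)   # 0.0.0.0 with wildcard 255.255.255.255
ALL_PORTS = (0, 65535)  # no port qualifier on the ACE

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))  # address followed by wildcard mask

def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        p = int(tokens[1]); del tokens[:2]
        return (p, p)
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]
        return (lo, hi)
    return ALL_PORTS

def parse_converted(text):
    """Return ({acl_name: [ace, ...]}, [lines the converter flagged with '!$'])."""
    acls, flagged, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("!$"):
            flagged.append(line)
        elif line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
        elif current and (m := ACE_RE.match(line)):
            seq, action, proto, rest = m.groups()
            tok = rest.split()
            src, sport = _take_addr(tok), _take_port(tok)
            dst, dport = _take_addr(tok), _take_port(tok)
            acls[current].append({"seq": int(seq), "action": action, "proto": proto,
                                  "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acls, flagged

def _addr_covers(a, b):
    """True if every address matched by b is also matched by a (wildcard semantics)."""
    fixed = ~a[1] & 0xFFFFFFFF  # bits that a pins to a value
    return (b[1] & fixed) == 0 and ((a[0] ^ b[0]) & fixed) == 0

def _ports_cover(a, b):
    return a[0] <= b[0] and b[1] <= a[1]

def covers(a, b):
    """True if ACE a matches every packet ACE b matches, so b is never hit after a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and _addr_covers(a["src"], b["src"]) and _addr_covers(a["dst"], b["dst"])
            and _ports_cover(a["sport"], b["sport"]) and _ports_cover(a["dport"], b["dport"]))

def find_shadowed(aces):
    """[(shadowed_seq, shadowing_seq)] for ACEs fully covered by an earlier ACE."""
    out = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, ace):
                out.append((ace["seq"], earlier["seq"]))
                break
    return out

def audit(text):
    acls, flagged = parse_converted(text)
    return {name: find_shadowed(aces) for name, aces in acls.items()}, flagged

if __name__ == "__main__":
    report, flagged = audit(SAMPLE_CONVERTED)
    for name, pairs in report.items():
        for seq, by in pairs:
            print(f"{name}: ACE {seq} is unreachable, shadowed by ACE {by}")
    print("'!$' lines to handle before applying:", len(flagged))
```

On the sample as converted, every ACE from 2 to 65 is reported as shadowed by ACE 1, which is exactly Rasika's observation in code. Deleting line 1 and re-running leaves a single finding, ACE 65 shadowed by ACE 25, which is the leftover "out permit any" rule of the original AirOS list and the next entry to decide on deliberately rather than carry over.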

Hi Shankar,

Thank you very much for getting confirmation of the current behaviour when ACL entries are migrated. I think this is something that needs to be clearly documented; otherwise many will easily overlook it.

Rasika
