
Flex ACLs are not visible on AP 3802 joined to WLC 9800

nyuszy
Level 1

Hi,

I am about to migrate sites with 3802 APs from Aironet 5520 to Catalyst 9800.
Apparently none of the custom ACLs are downloaded to the AP, regardless of their type and ACEs; the only ones that seem to be visible after adding them to the Flex group are the predefined implicit_deny and implicit_permit. Even if I recreate their content as a custom ACL, it's not visible at the AP level when I issue a "show ip access-lists" command.

Any idea what I am doing wrong?

1 Reply

There is a limitation:

Standard ACL is not supported on FlexConnect AP mode

FlexConnect does not support IPv6 ACLs

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/flexconnect.html

 

Linking an ACL Policy to the Defined ACL (GUI)

Procedure


Step 1: Choose Configuration > Tags & Profiles > Flex.

Step 2: Click Add.

Step 3: In the General tab, enter the Name of the Flex Profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.

Step 4: In the Policy ACL tab, click Add.

Step 5: Select the ACL from the ACL Name drop-down list and click Save.

Step 6: Click Apply to Device.

Applying ACLs on FlexConnect

Procedure

 

Device# configure terminal
Device(config)# wireless profile flex Flex-profile-1
Device(config-wireless-flex-profile)# acl-policy ACL1
Device(config-wireless-flex-profile-acl)# exit
Device(config-wireless-flex-profile)# native-vlan-id 25
Device(config-wireless-flex-profile)# vlan-name VLAN0169
Device(config-wireless-flex-profile-vlan)# acl ACL1
Device(config-wireless-flex-profile-vlan)# vlan-id 169

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
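
Added example (not part of the original reply or of Cisco's documentation): a small Python check that reads a saved running-config and lists ACLs referenced by a Flex profile that are standard, IPv6, or not defined on the controller. The first two are the limitations quoted above; flagging undefined names is an extra sanity check. The sample configuration and every ACL name in it are constructed, and only named ACLs are handled.

```python
import re

# Constructed sample config (not from the thread); ACL names are made up.
SAMPLE_CONFIG = """\
ip access-list standard ACL-STD
 10 permit 10.0.0.0 0.255.255.255
ip access-list extended ACL-EXT
 10 permit ip any 10.0.0.0 0.255.255.255
 20 deny ip any any
ipv6 access-list ACL-V6
 sequence 10 permit ipv6 any any
wireless profile flex Flex-profile-1
 acl-policy ACL-EXT
 acl-policy ACL-STD
 acl-policy ACL-V6
 acl-policy ACL-MISSING
 native-vlan-id 25
 vlan-name VLAN0169
  acl ACL-STD
  vlan-id 169
"""

ACL_DEF = re.compile(r"^(ip access-list (standard|extended)|ipv6 access-list) (\S+)")
FLEX = re.compile(r"^wireless profile flex (\S+)")
ACL_REF = re.compile(r"^\s+(?:acl-policy|acl) (\S+)")  # profile-level and per-VLAN references

def check_flex_acls(config):
    """Return sorted (profile, acl, kind) tuples for ACLs a Flex profile cannot use."""
    kinds = {}  # ACL name -> "standard" | "extended" | "ipv6"
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            kinds[m.group(3)] = "ipv6" if line.startswith("ipv6") else m.group(2)
    findings, profile = set(), None
    for line in config.splitlines():
        if line and not line[0].isspace():  # a top-level line starts or ends a block
            m = FLEX.match(line)
            profile = m.group(1) if m else None
            continue
        m = ACL_REF.match(line)
        if profile and m:
            kind = kinds.get(m.group(1), "undefined")
            if kind != "extended":  # only extended IPv4 ACLs pass the quoted limits
                findings.add((profile, m.group(1), kind))
    return sorted(findings)

if __name__ == "__main__":
    for profile, acl, kind in check_flex_acls(SAMPLE_CONFIG):
        print(f"{profile}: ACL {acl} is {kind}; FlexConnect needs an extended IPv4 ACL")
```

Run it against the output of "show running-config" saved to a file by passing the file contents to check_flex_acls() in place of SAMPLE_CONFIG.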