Flex Connect AP Profile and 2702 no ACL

u2637ps
Level 1

Does anyone know why 2702s don't download an ACL? The scenario I am working with is 9800 17.9.6, FlexConnect and ISE. All clients use the same SSID. The ACL is 50 lines long and relates to creating a quarantine area until the user signs on. The issue I have is that the 2702s don't pick up the ACL and the clients go into the exclusion area with ACL failure.

In my test area using AP280 I have no issues. The 2702s are in geographically diverse areas in Australia, so swapping them out would be difficult.

6 Replies

Scott Fella
Hall of Fame

Just to make sure, you are using FlexConnect central switching in both your lab and production? I don't think dACLs are supported in local switching. I did see something about 2700s not supporting dACL in Flex, but I'm trying to find a link.

Prerequisites

The idea behind this document is to demonstrate dACL usage on Catalyst 9800 through a basic SSID configuration example, showing how these can be fully customizable.

On Catalyst 9800 wireless controller, downloadable ACLs are

  • Supported starting from Cisco IOS XE Dublin 17.10.1 release.
  • Supported for centralized controller with Local mode Access Points only (or Flexconnect central switching). FlexConnect Local Switching does not support dACL.

-Scott
*** Please rate helpful posts ***

Thanks Scott, I haven't explained my scenario well enough. This is where the ACL is on the controller and ISE specifies to use the ACL. So on the controller you specify the Policy ACL on the site, and in the Policy for the WLAN you specify the WLAN ACL. In ISE you specify the Airespace ACL, which has to match up with the Policy ACL and WLAN ACL. So when the ISE criterion fits, the AP restricts access to the particular client. The ACL is sent to the APs by the controller. This is supported in 17.9.6.

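To make the three places the poster describes concrete, here is a constructed Catalyst 9800 (IOS XE 17.9) configuration fragment showing where the ACL name has to line up: the Policy ACL in the flex profile, the WLAN ACL in the policy profile, and the Airespace-ACL-Name that ISE returns. This is an added example, not the poster's configuration or Cisco's; the profile names, the ACL contents and the ISE address 10.10.10.10 are assumptions, and the `ipv4 acl` line is assumed to be the CLI form of the GUI's WLAN ACL field.

```cisco
! --- Catalyst 9800 side (constructed example; names and addresses are placeholders) ---
! The named ACL that ISE will reference. A pre-auth quarantine ACL has to let the
! client reach DHCP, DNS and the ISE node (assumed here as 10.10.10.10) and deny the rest.
ip access-list extended QUARANTINE-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 10.10.10.10
 permit ip host 10.10.10.10 any
 deny   ip any any

! FlexConnect profile: the ACL must be listed here as a Policy ACL. If it is not,
! locally switching APs never receive it, and an ISE override naming it fails on the AP.
wireless profile flex FLEX-QUARANTINE
 acl-policy QUARANTINE-ACL

! Policy profile: local switching, AAA override so the ISE-returned ACL name is honoured,
! and the WLAN ACL (assumed CLI form of the GUI field the poster refers to).
wireless profile policy POLICY-QUARANTINE
 aaa-override
 no central switching
 ipv4 acl QUARANTINE-ACL
 no shutdown

! Site tag used by the affected APs, bound to the flex profile above.
wireless tag site SITE-QUARANTINE
 flex-profile FLEX-QUARANTINE
 no local-site

! --- ISE side (authorization profile), shown as the RADIUS attribute it sends ---
! Airespace-ACL-Name (Airespace VSA, vendor 14179, attribute 6) = QUARANTINE-ACL
! The controller compares the name as a string, so it must match the 9800 ACL name exactly, case included.

! --- Checks on the 9800 once a client associates ---
! show wireless client mac-address <mac> detail   (confirm which ACL was applied to the client)
! show wireless exclusionlist                     (a client listed here for ACL failure means the AP did not have the ACL)
! show ip access-lists QUARANTINE-ACL             (confirm the ACL exists with the expected name and entries)
```

The point the fragment makes is that an ISE-returned name which is not present in the flex profile's Policy ACL list is a client-side failure rather than a RADIUS failure: the authorization succeeds, the AP cannot apply the ACL, and the client ends up excluded.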
Ah okay, so you are using the named ACL, not dACL. Have you tried to open a case with TAC?

-Scott
*** Please rate helpful posts ***

Yes, I just wondered if anyone else has had this. I will update once TAC has come back.

The 2700 APs, whilst supported on 17.9 code, are restricted to features supported on 17.3 code due to them being EOL.

You will most likely find TAC advises that those APs are not supported. I have had that on a few cases.

 

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Hi

I found an old 2702 and added it to my test environment. In my test environment it worked as expected and received the ACL. I will do the change again and try to work out why some don't.
