04-04-2024 10:06 AM
Creating a BYOD policy using ISE and a WLC. I have everything working except I'm missing something with the FlexConnect ACL defined.
In the attached example, the goal is to allow communication to the ISE servers (172.30.10.81/80) as well as DHCP/DNS and some internal HTTPS servers. All other internal traffic blocked, but external HTTP/S allowed.
If I do not have Sequence 1 and 2 defined (the local subnets for BYOD), clients hit the rule 19 deny. Any feedback on why the local subnets need to be allowed?
04-04-2024 01:08 PM
I think I answered my own question? But I didn't realize FlexConnect ACLs were in both directions, so when the external traffic tried to come back in, if I didn't have the local subnet allowed, it would hit the deny statement and be blocked.
04-04-2024 02:46 PM
FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, FlexConnect ACLs cannot be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or egress.
Have also seen people skip the FlexConnect ACL for this and do it at the SVI level of the VLAN if locally switched.
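An added example, not from the thread, that models what the replies describe: a FlexConnect ACL with no per-rule direction is also evaluated against the return traffic, so the reply from an external web server falls through to the final deny unless a rule permits the local subnet. The ISE addresses are the ones in the post; 10.20.30.0/24 (local BYOD subnet), 10.50.1.10 (internal HTTPS server) and 203.0.113.10 (external site) are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # destination port ("eq"); None matches any port

def _in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation; anything unmatched is denied. No direction, no state."""
    for r in sorted(acl, key=lambda r: r.seq):
        if (_in(r.src, src) and _in(r.dst, dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action, r.seq
    return "deny", None

# Constructed values: 10.20.30.0/24 is the assumed local BYOD subnet and
# 10.50.1.10 an assumed internal HTTPS server; 172.30.10.81/.80 are from the post.
LOCAL = "10.20.30.0/24"
ACL = [
    Rule(3, "permit", "any", "172.30.10.81/32"),
    Rule(4, "permit", "any", "172.30.10.80/32"),
    Rule(5, "permit", "any", "any", "udp", 67),
    Rule(6, "permit", "any", "any", "udp", 68),
    Rule(7, "permit", "any", "any", "udp", 53),
    Rule(8, "permit", "any", "10.50.1.10/32", "tcp", 443),
    Rule(11, "permit", "any", "any", "tcp", 80),
    Rule(12, "permit", "any", "any", "tcp", 443),
    Rule(19, "deny", "any", "any"),
]
# The two "local subnet" entries the poster added as sequence 1 and 2.
LOCAL_PERMITS = [Rule(1, "permit", LOCAL, "any"), Rule(2, "permit", "any", LOCAL)]

def outbound_web(acl):
    # client 10.20.30.5 -> external web server 203.0.113.10:443
    return evaluate(acl, "10.20.30.5", "203.0.113.10", "tcp", 443)

def return_web(acl):
    # the reply: source port 443, destination the client's ephemeral port
    return evaluate(acl, "203.0.113.10", "10.20.30.5", "tcp", 51000)

def outbound_internal_smb(acl):
    # client -> another internal host on 445; this is meant to stay blocked
    return evaluate(acl, "10.20.30.5", "10.60.1.20", "tcp", 445)
```

Running the three flows against `ACL`, `ACL + LOCAL_PERMITS` and `ACL + [LOCAL_PERMITS[1]]` shows that the entry with the local subnet as destination is what lets the reply through, while the entry with it as source also permits outbound traffic to other internal hosts.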