I am curious about the purpose of the ACLs created on the WLC 9800.

JJJHL
Beginner

Those ACLs are not user generated.
[image: ACL on 9800]
It appears they were created by the WLC itself.

Could you by any chance know the purpose of each ACL?

-IP-Adm-V4-Int-ACL-global

-implicit_deny

-implicit_permit

-preauth_v4

-meraki-fqdn-dns

4 Replies

Scott Fella
Hall of Fame Guru

I think what would be better is to review IOS ACLs in general. These are just defaults; you can use them as a template or even add to them if you want. They are not applied unless you apply them. Just look up and research understanding/configuration of IOS ACLs to get a basic idea of how to create one and apply one. Then it's easier to look at what you have, not just on the 9800, and understand what the ACL is doing.

-Scott
*** Please rate helpful posts ***

Rich R
VIP Advisor (Accepted Solution)

There are some ACLs which are autoconfigured when you use webauth and their contents are based on the webauth config you provide - and those can't be changed manually, or if you do IOS will overwrite your changes. For example:
IP-Adm-V4-Int-ACL-global
IP-Adm-V4-LOGOUT-ACL
WA-sec-<redirect portal IP>
WA-v4-int-<redirect portal IP>
Most of the names are self-explanatory.

meraki-fqdn-dns doesn't seem to have any content (ACEs) by default so I'd guess that it will only be populated if you do something that requires it, like migrating CW APs to the Meraki dashboard.

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs

thanks.

Do you know what implicit_deny/permit is for?

I presume you mean what they are used for - no idea, could be anything - but the names are paradoxical because they are both explicit rather than implicit LOL
9800#sh ip access-lists implicit_deny
Extended IP access list implicit_deny
10 deny ip any any
9800#sh ip access-lists implicit_permit
Extended IP access list implicit_permit
10 permit ip any any

More accurate names would have been permit_all and deny_all but who are we to question the wisdom of the devs...

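Two points in the thread are worth turning into a repeatable check: the WLC-generated ACL names Rich R lists (IP-Adm-V4-*, WA-sec-*, WA-v4-int-*, preauth_v4, meraki-fqdn-dns) and the one-ACE contents of implicit_deny and implicit_permit shown in the "sh ip access-lists" output above. The script below is an added example, not code from the thread or from Cisco: it parses "show ip access-lists" output, separates WLC-generated ACLs from user-defined ones, and verifies that the defaults still carry the ACEs the thread shows (deny-all, permit-all, and an empty meraki-fqdn-dns), so a tampered or silently emptied default is reported. The ACL contents for WA-sec-192.0.2.10, GUEST-ACL and EMPTY-ACL in the sample are constructed, as is the "tampered" sample; only implicit_deny, implicit_permit and meraki-fqdn-dns reflect the output posted in the thread.

```python
"""Audit a Catalyst 9800's ACL table from 'show ip access-lists' output.

Added example: classifies ACLs as WLC-generated or user-defined and checks
the platform defaults shown in the thread have not drifted.
"""
import re
from dataclasses import dataclass, field

# Header line, e.g. "Extended IP access list implicit_deny".
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# ACE line; the optional "(N matches)" hit counter IOS appends is dropped.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")

# Names the thread identifies as created by the WLC (webauth, defaults, Meraki).
GENERATED_EXACT = {"implicit_deny", "implicit_permit", "preauth_v4", "meraki-fqdn-dns"}
GENERATED_PREFIXES = ("IP-Adm-V4-", "WA-sec-", "WA-v4-int-")

# Baseline taken from the output posted in the thread.
BASELINE = {
    "implicit_deny": ["10 deny ip any any"],
    "implicit_permit": ["10 permit ip any any"],
    "meraki-fqdn-dns": [],
}

# Constructed sample in 'show ip access-lists' format (hypothetical ACEs except
# implicit_deny, implicit_permit and meraki-fqdn-dns, which match the thread).
SAMPLE_OUTPUT = """\
Extended IP access list implicit_deny
    10 deny ip any any (4 matches)
Extended IP access list implicit_permit
    10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list WA-sec-192.0.2.10
    10 permit tcp any host 192.0.2.10 eq www
Extended IP access list GUEST-ACL
    10 deny ip any 10.0.0.0 0.255.255.255
    20 permit ip any any
Extended IP access list EMPTY-ACL
"""

# Constructed sample where someone has flipped implicit_deny to permit.
TAMPERED_OUTPUT = """\
Extended IP access list implicit_deny
    10 permit ip any any
Extended IP access list implicit_permit
    10 permit ip any any
Extended IP access list meraki-fqdn-dns
"""


@dataclass
class Acl:
    name: str
    kind: str                                   # "Standard" or "Extended"
    aces: list = field(default_factory=list)    # e.g. ["10 deny ip any any"]


def parse_access_lists(text):
    """Return {name: Acl} from 'show ip access-lists' text."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Acl(name=m.group(2), kind=m.group(1))
            acls[current.name] = current
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, body = m.groups()
            current.aces.append(f"{seq} {action} {body}")
    return acls


def is_wlc_generated(name):
    return name in GENERATED_EXACT or name.startswith(GENERATED_PREFIXES)


def summarize(acl):
    """'empty', 'permit-all', 'deny-all', or an ACE count."""
    if not acl.aces:
        return "empty"
    if len(acl.aces) == 1:
        _, action, body = acl.aces[0].split(" ", 2)
        if body == "ip any any":
            return f"{action}-all"
    return f"{len(acl.aces)} ACEs"


def audit(acls):
    """List of (acl_name, finding); empty list means the defaults are intact."""
    findings = []
    for name, expected in BASELINE.items():
        acl = acls.get(name)
        if acl is None:
            findings.append((name, "missing"))
        elif acl.aces != expected:
            findings.append((name, f"drifted: {acl.aces}"))
    # A user ACL with no ACEs is a trap: IOS treats an empty ACL as permit-all
    # when it is applied, so it looks like a filter but filters nothing.
    for name, acl in acls.items():
        if not is_wlc_generated(name) and not acl.aces:
            findings.append((name, "user ACL has no ACEs (permit-all when applied)"))
    return findings


def report(text):
    acls = parse_access_lists(text)
    rows = [(n, "WLC-generated" if is_wlc_generated(n) else "user-defined", summarize(a))
            for n, a in acls.items()]
    return rows, audit(acls)


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, TAMPERED_OUTPUT):
        rows, findings = report(sample)
        for row in rows:
            print("%-24s %-14s %s" % row)
        for name, finding in findings:
            print("FINDING:", name, "-", finding)
        print()
```

Feed it real output with `python audit_acls.py < acls.txt` after replacing SAMPLE_OUTPUT with sys.stdin.read(); the classification only uses the names from the thread, so any other WLC-generated name on a newer release will show up as user-defined until you add it to the lists.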