Solved: I am curious about the purpose of the ACLs created on the WLC 9800.

CCC3 · ‎04-13-2023

Those ACLs are
ACL on 9800.

not user generated
It appears to have been created by WLC itself.

Could you by any chance know the purpose of each ACL?

-IP-Adm-V4-Int-ACL-global

-implicit_deny

-implicit_permit

-preauth_v4

-meraki-fqdn-dns

Rich R · ‎04-14-2023

There are some ACLs which are autoconfigured when you use webauth and their contents are based on the webauth config you provide - and those can't be changed manually, or if you do IOS will overwrite your changes. For example:
IP-Adm-V4-Int-ACL-global
IP-Adm-V4-LOGOUT-ACL
WA-sec-<redirect portal IP>
WA-v4-int-<redirect portal IP>
Most of the names are self-explanatory.

meraki-fqdn-dns doesn't seem to have any content (ACEs) by default so I'd guess that it will only be populated if you do something that requires it, like migrating CW APs to the Meraki dashboard.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Scott Fella · ‎04-13-2023

I think what would be better is to review of IOS acl's in general. These are just default, you can use as a template or even add to them if you want. They are not applied unless you apply them. Just look and research understanding/configuration IOS acl's to just get a basic idea of how to create one and apply one. Then its easier to look at what you have, not just on the 9800 and understand what the all is doing.

-Scott
*** Please rate helpful posts ***

Rich R · ‎04-14-2023

There are some ACLs which are autoconfigured when you use webauth and their contents are based on the webauth config you provide - and those can't be changed manually, or if you do IOS will overwrite your changes. For example:
IP-Adm-V4-Int-ACL-global
IP-Adm-V4-LOGOUT-ACL
WA-sec-<redirect portal IP>
WA-v4-int-<redirect portal IP>
Most of the names are self-explanatory.

meraki-fqdn-dns doesn't seem to have any content (ACEs) by default so I'd guess that it will only be populated if you do something that requires it, like migrating CW APs to the Meraki dashboard.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

CCC3 · ‎04-16-2023

thanks.

Do you know what implicit_deny/permit is for?

Rich R · ‎04-17-2023

Presume you mean what are they used for - no idea - could be anything - but the names are paradoxical because they are both explicit rather than implicit LOL
9800#sh ip access-lists implicit_deny
Extended IP access list implicit_deny
10 deny ip any any
9800#sh ip access-lists implicit_permit
Extended IP access list implicit_permit
10 permit ip any any

More accurate names would have been permit_all and deny_all but who are we to question the wisdom of the devs...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390