FlexConnect ACL - clients being denied unless subnet allowed?

Chris S (Level 1)

Creating a BYOD policy using ISE and a WLC. I have everything working except I'm missing something with the FlexConnect ACL defined.

In the attached example, the goal is to allow communication to the ISE servers (172.30.10.81/80) as well as DHCP/DNS and some internal HTTPS servers. All other internal traffic blocked, but allow external HTTP/S.

If I do not have Sequence 1 and 2 defined (the local subnets for BYOD), clients hit the rule 19 deny. Any feedback on why the local subnets need to be allowed?

2 Replies

Chris S (Level 1)

I think I answered my own question? But I didn't realize FlexConnect ACLs were in both directions, so when the external traffic tried to come back in, if I didn't have the local subnet allowed, it would hit the deny statement and be blocked.

Haydn Andrews (VIP Alumni)

FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, FlexConnect ACLs cannot be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or egress.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_010010110.pdf

Have also seen people skip the FlexConnect ACL for this and do it at the SVI level of the VLAN if locally switched.

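Added example, not part of the thread and not Cisco's code: a small Python model of a stateless ACL with no per-rule direction, evaluated once for the client's packet and once for the server's reply, which is the behaviour both replies above describe. The ISE addresses 172.30.10.80 and 172.30.10.81 and sequence numbers 1, 2 and 19 come from the original post; the BYOD subnets 172.30.50.0/24 and 172.30.51.0/24, the internal HTTPS server 172.30.10.90, the external address 93.184.216.34, the ISE port 8443 and the remaining sequence numbers are constructed for illustration and are not the poster's actual ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match on protocol, destination port, source and destination address."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    src_net = ipaddress.ip_network(rule.src, strict=False)
    dst_net = ipaddress.ip_network(rule.dst, strict=False)
    return (ipaddress.ip_address(pkt.src) in src_net
            and ipaddress.ip_address(pkt.dst) in dst_net)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins, in sequence order; ("deny", None) is the implicit deny at the end."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def flow_verdicts(acl: List[Rule], client: str, server: str, proto: str,
                  dport: int, sport: int = 51000):
    """A directionless ACL sees the client's request and the server's reply as two
    unrelated packets. Returns (forward verdict, reply verdict); the reply packet
    has the server as source and the client's ephemeral port as destination port."""
    forward = evaluate(acl, Packet(client, server, proto, dport))
    reply = evaluate(acl, Packet(server, client, proto, sport))
    return forward, reply


ANY = "0.0.0.0/0"
CLIENT = "172.30.50.10"            # constructed BYOD client address

# Constructed rule set modelled on the post: ISE, DHCP/DNS, one internal HTTPS
# server, deny the rest of the internal range, then external HTTP/S.
BASE_RULES = [
    Rule(10, "permit", "ip", ANY, "172.30.10.80/32"),          # ISE (from the post)
    Rule(11, "permit", "ip", ANY, "172.30.10.81/32"),          # ISE (from the post)
    Rule(12, "permit", "udp", ANY, ANY, 53),                   # DNS
    Rule(13, "permit", "udp", ANY, ANY, 67),                   # DHCP client -> server
    Rule(14, "permit", "udp", ANY, ANY, 68),                   # DHCP server -> client
    Rule(15, "permit", "tcp", ANY, "172.30.10.90/32", 443),    # internal HTTPS (constructed)
    Rule(19, "deny", "ip", ANY, "172.16.0.0/12"),              # all other internal (seq 19 from the post)
    Rule(20, "permit", "tcp", ANY, ANY, 80),                   # external HTTP
    Rule(21, "permit", "tcp", ANY, ANY, 443),                  # external HTTPS
]

# Sequence 1 and 2 from the post: permit traffic to the local BYOD subnets (constructed prefixes).
ACL_NO_LOCAL = BASE_RULES
ACL_WITH_LOCAL = [
    Rule(1, "permit", "ip", ANY, "172.30.50.0/24"),
    Rule(2, "permit", "ip", ANY, "172.30.51.0/24"),
] + BASE_RULES


if __name__ == "__main__":
    for label, acl in (("without seq 1 and 2", ACL_NO_LOCAL), ("with seq 1 and 2", ACL_WITH_LOCAL)):
        print(label)
        print("  client -> external HTTPS :", flow_verdicts(acl, CLIENT, "93.184.216.34", "tcp", 443))
        print("  client -> ISE tcp/8443   :", flow_verdicts(acl, CLIENT, "172.30.10.81", "tcp", 8443))
        print("  client -> internal SMB   :", flow_verdicts(acl, CLIENT, "172.30.20.5", "tcp", 445))
```

Without sequence 1 and 2 the forward packet to the Internet or to ISE is permitted, but the reply, whose destination is the client's own address inside 172.16.0.0/12, falls through to the deny at sequence 19, which is exactly the symptom in the original post. The trade-off to keep in mind: because the ACL is stateless, a permit for "any to the client subnet" also admits connections that internal hosts initiate towards the BYOD clients, not only replies; the ACL cannot tell the two apart. If that matters, the second reply's suggestion of enforcing on the SVI applies, since a router ACL there has a direction and, for TCP, can use the established keyword to narrow the inbound permit to reply segments.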