In this post we will see how to configure an ACL on a WLC via the CLI. Let's assume you want to create the following ACL (in IOS syntax) on a WLC and apply it to a guest WLAN.

permit udp any any eq 53
permit udp any eq 53 any
permit ip any host 10.11.6.244
permit ip host 10.11.6.244 any
deny ip any any

On a WLC this is done differently: first you create the ACL, then you add rules to it.
(4402-a) >config acl ?
apply Applies the ACL to the data path.
counter Start/Stop the ACL Counters.
cpu Configure the CPU Acl Information
create Create a new ACL.
delete Delete an ACL.
rule Configure rules in the ACL.
(4402-a) >config acl create ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl create acl-guest
When adding rules, it is not a single entry as in IOS. You configure the action, protocol, source port, destination port and so on as individual lines. For rule 1 you need to specify:

Action : Permit
Protocol : 17 (UDP)
Source Address : Defaults to any (no explicit config required)
Source port range : 0 65535 (any)
Destination Address : Not required, defaults to any
Destination Port range : 53 53 (DNS)
Direction : any (no explicit config required)

Here is how you do this.
(4402-a) >config acl rule ?
action Configure a rule's action.
add Add a new rule.
change Change a rule's index.
delete Delete a rule.
destination Configure a rule's destination IP address, netmask and port range.
direction Configure a rule's direction.
dscp Configure a rule's DSCP.
protocol Configure a rule's IP Protocol.
source Configure a rule's source IP address, netmask and port range.
swap Swap two rules' indices.

(4402-a) >config acl rule add ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule add acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule add acl-guest 1

(4402-a) >config acl rule protocol ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule protocol acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule protocol acl-guest 1 ?
<protocol> Enter a number between 0 and 255, or 'any'.
(4402-a) >config acl rule protocol acl-guest 1 17

(4402-a) >config acl rule action ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule action acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule action acl-guest 1 ?
<action permit/deny> Enter action: permit/deny.
(4402-a) >config acl rule action acl-guest 1 permit

(4402-a) >config acl rule source port ?
range Configure a rule's source port range.
(4402-a) >config acl rule source port range ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule source port range acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule source port range acl-guest 1 ?
<start port> Enter port number between 0 and 65535.
(4402-a) >config acl rule source port range acl-guest 1 0 ?
<end port> Enter port number between 0 and 65535.
(4402-a) >config acl rule source port range acl-guest 1 0 65535

(4402-a) >config acl rule destination port range acl-guest 1 ?
<start port> Enter port number between 0 and 65535.
(4402-a) >config acl rule destination port range acl-guest 1 53 ?
<end port> Enter port number between 0 and 65535.
(4402-a) >config acl rule destination port range acl-guest 1 53 53
In summary, here are the rule 1 configuration lines.

config acl rule add acl-guest 1
config acl rule action acl-guest 1 permit
config acl rule protocol acl-guest 1 17
config acl rule source port range acl-guest 1 0 65535
config acl rule destination port range acl-guest 1 53 53

If you copy this into a text editor and then modify the rule index, protocol, source, destination and action details, you can derive the other rules. Here are the other rules derived that way.

config acl rule add acl-guest 2
config acl rule action acl-guest 2 permit
config acl rule protocol acl-guest 2 17
config acl rule source port range acl-guest 2 53 53
config acl rule destination port range acl-guest 2 0 65535

config acl rule add acl-guest 3
config acl rule action acl-guest 3 permit
config acl rule protocol acl-guest 3 any
config acl rule source port range acl-guest 3 0 65535
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule destination port range acl-guest 3 0 65535

config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule protocol acl-guest 4 any
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule source port range acl-guest 4 0 65535
config acl rule destination port range acl-guest 4 0 65535

config acl rule add acl-guest 5
config acl rule action acl-guest 5 deny
config acl rule protocol acl-guest 5 any
config acl rule source port range acl-guest 5 0 65535
config acl rule destination port range acl-guest 5 0 65535
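The copy-and-modify step can be automated when the same ACL has to be pushed to several controllers. The following is an added example (my own code, not from the original post) that turns IOS-style entries like the ones at the top of this post into the WLC command lines; it assumes well-formed entries of the form `<permit|deny> <ip|tcp|udp|icmp> <src> [eq P] <dst> [eq P|range A B]`, where each address is `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`.

```python
# Added example, not from the original post: derive WLC "config acl" lines from
# IOS-style ACL entries (assumes the well-formed entry shape described in the lead-in).

# IOS protocol keywords mapped to what the WLC CLI expects (protocol number or "any")
PROTO = {"ip": "any", "icmp": "1", "tcp": "6", "udp": "17"}
# A few IOS port names; numeric ports pass through unchanged
PORT_NAMES = {"domain": "53", "bootps": "67", "bootpc": "68", "www": "80", "https": "443"}

def _parse_addr(tokens):
    """Consume one IOS address spec; return (address, netmask) or None for 'any'."""
    first = tokens.pop(0)
    if first == "any":
        return None
    if first == "host":
        return tokens.pop(0), "255.255.255.255"
    # "A.B.C.D WILDCARD": the WLC wants a netmask, so invert the wildcard bits
    wildcard = tokens.pop(0)
    return first, ".".join(str(255 - int(octet)) for octet in wildcard.split("."))

def _parse_ports(tokens):
    """Consume an optional 'eq P' or 'range A B'; default is the full 0-65535 range."""
    if tokens and tokens[0] == "eq":
        port = int(PORT_NAMES.get(tokens[1], tokens[1]))
        del tokens[:2]
        return port, port
    if tokens and tokens[0] == "range":
        start, end = (int(PORT_NAMES.get(p, p)) for p in tokens[1:3])
        del tokens[:3]
        return start, end
    return 0, 65535

def ios_to_wlc(acl_name, ios_lines):
    """Return the WLC CLI lines that create acl_name with one rule per IOS entry (index 1..64)."""
    cmds = [f"config acl create {acl_name}"]
    for index, line in enumerate(ios_lines, start=1):
        tokens = line.split()
        action, proto, rest = tokens[0], PROTO[tokens[1]], tokens[2:]
        src = _parse_addr(rest)
        sports = _parse_ports(rest)
        dst = _parse_addr(rest)
        dports = _parse_ports(rest)
        cmds.append(f"config acl rule add {acl_name} {index}")
        cmds.append(f"config acl rule action {acl_name} {index} {action}")
        cmds.append(f"config acl rule protocol {acl_name} {index} {proto}")
        if src:  # "any" is the WLC default, so only non-any addresses need a line
            cmds.append(f"config acl rule source address {acl_name} {index} {src[0]} {src[1]}")
        cmds.append(f"config acl rule source port range {acl_name} {index} {sports[0]} {sports[1]}")
        if dst:
            cmds.append(f"config acl rule destination address {acl_name} {index} {dst[0]} {dst[1]}")
        cmds.append(f"config acl rule destination port range {acl_name} {index} {dports[0]} {dports[1]}")
    return cmds
```

Pasting the returned lines into the controller CLI reproduces the five rules above; the trailing deny entry can be dropped, since the WLC adds its own implicit deny at index 65.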
If you look at the WLC configuration afterwards, the ACL-related part looks like this. As you can see, by default the protocol, source/destination addresses and ports are "any", so you do not need to configure them if you want the "any" option.

Also, like a normal IOS ACL, an implied deny rule is there (index 65), so you do not need to configure a deny any any rule explicitly. Because of this, you need to ensure all required protocols are permitted if the given task does not allow a permit any any rule.

config acl create acl-guest
config acl rule add acl-guest 1
config acl rule destination port range acl-guest 1 53 53
config acl rule protocol acl-guest 1 17
config acl rule action acl-guest 1 permit
config acl rule add acl-guest 2
config acl rule protocol acl-guest 2 17
config acl rule action acl-guest 2 permit
config acl rule source port range acl-guest 2 53 53
config acl rule add acl-guest 3
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule action acl-guest 3 permit
config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule add acl-guest 5
config acl rule add acl-guest 65
Finally, you can apply the ACL to the data path. If you want to enable ACL counters, you can do that as well. If you apply an ACL to a WLAN, it overrides the interface ACL.

(4402-a) >config acl counter ?
start Start ACL Counters.
stop Stop ACL Counters.
(4402-a) >config acl counter start
(4402-a) >config acl apply ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl apply acl-guest
(4402-a) >config wlan acl <wlan-id> <acl-name>

In the GUI, it looks like this.

You can verify your configuration using the "show acl summary" and "show acl detailed <acl-name>" CLI commands, as shown below.

(4402-a) >show acl summary

ACL Counter Status                Enabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
acl-guest                        Yes

(4402-a) >show acl detailed acl-guest

                 Source                          Destination                      Source Port  Dest Port
Index  Dir IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action  Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   0-65535     53-53       Any   Permit  0
     2 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any   Permit  0
     3 Any 0.0.0.0/0.0.0.0                 10.11.6.244/255.255.255.255     Any  0-65535     0-65535     Any   Permit  0
     4 Any 10.11.6.244/255.255.255.255     0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Permit  0
     5 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny    0

DenyCounter : 0
Good post! Some tasks like the ACL might take more time in the CLI than the GUI… unless people experience similar GUI lag like yours in the exam.
Hi Prasanna,
Thanks… Yes, it is easy to configure an ACL via the GUI. But if you want to replicate the same ACL entry into multiple controllers, I think you are better off copying & pasting CLI commands rather than going through clicks on each and every controller.
Unless I had had this slowness issue, I do not think I would have learned these CLI commands to this extent… take that as a positive thing & learn stuff.
As I said earlier, the people who are complaining are the ones who go to the Sydney lab. I do not think the GUI slowness issue is there anywhere else to that extent.
HTH
Rasika
Always wondered if there was a hidden command that would show the config just like Cisco IOS. Then we could configure in the GUI and get the command-line config to replicate.
sh run-config does not help us.
Maybe the command I was looking for was sh run-config commands!!
Answering my own question… a backup of the WLC configuration shows the actual config. So we have to do the initial config in the CLI or GUI, then extract the WLC configuration through "Upload file to controller". Is there a better way?
I think this is the best way even though it involves a few steps. Normally WCS has a default TFTP server & even during the exam we can do this.
Show run commands does not show the config lines the way we want them in order to replicate in another controller.
Thanks for clarifying!
Hey. Great posts on your blog. I find I’m often referencing them for info and guidance.
I've been configuring ACLs on a 5508 (v8.0.100.0) for a transport system that is uploading data via UDP. What I'm finding in Wireshark is that parts of fragmented packets are being dropped in the WLC by the ACL. The WLC is lightly loaded. If I remove the ACL it works fine. I've logged a call with Cisco but so far they haven't really admitted there is a problem. Just wondering if you've ever experienced a similar issue?
I haven’t come across something like that.
As a practice, I use ACLs in the WLC only in the Guest scenario (pre-auth ACL); in all other cases the L3 switch is the place if I want to apply an ACL.
So try applying the ACL at your L3 switch & see if the behavior is the same.
HTH
Rasika
Hello Nayarasi,
I have implemented SNMP on the WLC. I am able to ping the WLC from the SNMP server, but from the WLC the SNMP server is not reachable, even with a different source interface.
The SNMP server is doing polling at the ICMP level only, not at the SNMP level; due to this the LWAP APs are not getting polled.
Do I have to apply an ACL for SNMP in the WLC?
For the autonomous AP I am applying the ACL below:
access-list 80 permit 57.8.0.0 0.0.127.255
access-list 90 permit 172.18.143.16 0.0.0.15
access-list 96 deny any
ip access-list standard CIC-SERVERS-RO
permit 172.18.143.16 0.0.0.1
snmp-server community cp8S52BB view PingMIB RW 80
snmp-server community Pitalan RO 80
snmp-server community tp159109 view SAAProbe RW 80
snmp-server community GH57p7p3 RO 96
snmp-server community PIC ro 90
snmp-server community PIC rw