In this post we will see how to configure an ACL on a WLC via the CLI. Let's assume you want to create the following ACL (in IOS syntax) on a WLC and apply it to a guest WLAN.
permit udp any any eq 53
permit udp any eq 53 any
permit ip any host 10.11.6.244
permit ip host 10.11.6.244 any
deny ip any any
How do you do this on a WLC? First you need to create an ACL on the WLC and then add rules to it.
(4402-a) >config acl ?
apply Applies the ACL to the data path.
counter Start/Stop the ACL Counters.
cpu Configure the CPU Acl Information
create Create a new ACL.
delete Delete an ACL.
rule Configure rules in the ACL.
(4402-a) >config acl create ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl create acl-guest
When adding rules, it is not a single entry as in IOS. You have to configure the source port, destination port and action as individual lines. For rule 1 you need to specify:
Action: permit
Protocol: 17 (UDP)
Source address: defaults to any (no explicit config required)
Source port range: 0 65535 (any)
Destination address: not required, defaults to any
Destination port range: 53 53 (DNS)
Direction: any (no explicit config required)
Here is how you do this.
(4402-a) >config acl rule ?
action Configure a rule's action.
add Add a new rule.
change Change a rule's index.
delete Delete a rule.
destination Configure a rule's destination IP address, netmask and port range.
direction Configure a rule's direction.
dscp Configure a rule's DSCP.
protocol Configure a rule's IP Protocol.
source Configure a rule's source IP address, netmask and port range.
swap Swap two rules' indices.
(4402-a) >config acl rule add ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule add acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule add acl-guest 1
(4402-a) >config acl rule protocol ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule protocol acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule protocol acl-guest 1 ?
<protocol> Enter a number between 0 and 255, or 'any'.
(4402-a) >config acl rule protocol acl-guest 1 17
(4402-a) >config acl rule action ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule action acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule action acl-guest 1 ?
<action permit/deny> Enter action: permit/deny.
(4402-a) >config acl rule action acl-guest 1 permit
(4402-a) >config acl rule source port ?
range Configure a rule's source port range.
(4402-a) >config acl rule source port range ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl rule source port range acl-guest ?
<index> Enter rule index between 1 and 64.
(4402-a) >config acl rule source port range acl-guest 1 ?
<start port> Enter port number between 0 and 65535.
(4402-a) >config acl rule source port range acl-guest 1 0 ?
<end port> Enter port number between 0 and 65535.
(4402-a) >config acl rule source port range acl-guest 1 0 65535
(4402-a) >config acl rule destination port range acl-guest 1 ?
<start port> Enter port number between 0 and 65535.
(4402-a) >config acl rule destination port range acl-guest 1 53 ?
<end port> Enter port number between 0 and 65535.
(4402-a) >config acl rule destination port range acl-guest 1 53 53
In summary, here are the rule 1 configuration lines.
config acl rule add acl-guest 1
config acl rule action acl-guest 1 permit
config acl rule protocol acl-guest 1 17
config acl rule source port range acl-guest 1 0 65535
config acl rule destination port range acl-guest 1 53 53
If you copy this to Notepad and then modify the rule index, protocol, source, destination and action details, you can derive the other rules. Here are the other rules derived that way.
config acl rule add acl-guest 2
config acl rule action acl-guest 2 permit
config acl rule protocol acl-guest 2 17
config acl rule source port range acl-guest 2 53 53
config acl rule destination port range acl-guest 2 0 65535
config acl rule add acl-guest 3
config acl rule action acl-guest 3 permit
config acl rule protocol acl-guest 3 any
config acl rule source port range acl-guest 3 0 65535
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule destination port range acl-guest 3 0 65535
config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule protocol acl-guest 4 any
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule source port range acl-guest 4 0 65535
config acl rule destination port range acl-guest 4 0 65535
config acl rule add acl-guest 5
config acl rule action acl-guest 5 deny
config acl rule protocol acl-guest 5 any
config acl rule source port range acl-guest 5 0 65535
config acl rule destination port range acl-guest 5 0 65535
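The copy-and-modify step above can be scripted. The Python below is an added example, not code from the original post: it translates the small IOS-syntax subset used here into the equivalent WLC "config acl rule" lines. It follows the post's observation that protocol, addresses, port ranges and direction default to "any" on the WLC, so it emits only values that differ from the default, and by default it drops a trailing "deny ip any any" because the WLC adds an implied deny at index 65. The names ios_acl_to_wlc, ios_rule_to_wlc and PROTO_NUMBERS are my own; only "any" / "host A.B.C.D" address specs and numeric "eq" ports are understood, and the 64-rule limit comes from the CLI help text shown above.

```python
# Added example (not from the original post): turn the IOS-style ACL used in
# this post into WLC "config acl" CLI lines. Only this IOS subset is understood:
#   permit|deny <ip|udp|tcp|icmp> <any|host A.B.C.D> [eq <port>] <any|host A.B.C.D> [eq <port>]
# Names such as ios_acl_to_wlc and PROTO_NUMBERS are my own, not WLC or IOS terms.

# IOS protocol keyword -> WLC protocol value ("any" is the WLC default).
PROTO_NUMBERS = {"ip": "any", "udp": "17", "tcp": "6", "icmp": "1"}
MAX_WLC_RULES = 64  # the WLC CLI accepts rule indices 1..64


def _parse_endpoint(tokens, i):
    """Consume "any" or "host A.B.C.D" plus an optional "eq <port>" starting at
    tokens[i]. Returns ((addr, mask) or None, (start, end) or None, next index)."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = (tokens[i + 1], "255.255.255.255"), i + 2
    else:
        raise ValueError(f"unsupported address spec: {' '.join(tokens[i:])}")
    ports = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        ports, i = (port, port), i + 2
    return addr, ports, i


def ios_rule_to_wlc(acl, index, ios_line):
    """Return the WLC CLI lines for one IOS ACL entry at rule index `index`.
    Values equal to the WLC default (protocol any, address any, port range
    0-65535) are not emitted, since the post notes they are not required."""
    tokens = ios_line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol {proto!r}")
    src_addr, src_ports, i = _parse_endpoint(tokens, 2)
    dst_addr, dst_ports, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens: {' '.join(tokens[i:])}")

    lines = [f"config acl rule add {acl} {index}",
             f"config acl rule action {acl} {index} {action}"]
    if PROTO_NUMBERS[proto] != "any":
        lines.append(f"config acl rule protocol {acl} {index} {PROTO_NUMBERS[proto]}")
    if src_addr:
        lines.append(f"config acl rule source address {acl} {index} {src_addr[0]} {src_addr[1]}")
    if src_ports:
        lines.append(f"config acl rule source port range {acl} {index} {src_ports[0]} {src_ports[1]}")
    if dst_addr:
        lines.append(f"config acl rule destination address {acl} {index} {dst_addr[0]} {dst_addr[1]}")
    if dst_ports:
        lines.append(f"config acl rule destination port range {acl} {index} {dst_ports[0]} {dst_ports[1]}")
    return lines


def ios_acl_to_wlc(acl, ios_lines, keep_trailing_deny_any=False):
    """Translate a whole IOS ACL. A final "deny ip any any" is dropped unless
    keep_trailing_deny_any is set, because the WLC appends an implied deny
    at index 65 anyway."""
    ios_lines = [line.strip() for line in ios_lines if line.strip()]
    if (not keep_trailing_deny_any and ios_lines
            and ios_lines[-1].split() == ["deny", "ip", "any", "any"]):
        ios_lines = ios_lines[:-1]
    if len(ios_lines) > MAX_WLC_RULES:
        raise ValueError(f"WLC ACLs hold at most {MAX_WLC_RULES} rules")
    out = [f"config acl create {acl}"]
    for index, line in enumerate(ios_lines, start=1):
        out.extend(ios_rule_to_wlc(acl, index, line))
    return out


# The guest ACL from this post, in IOS syntax.
GUEST_ACL_IOS = [
    "permit udp any any eq 53",
    "permit udp any eq 53 any",
    "permit ip any host 10.11.6.244",
    "permit ip host 10.11.6.244 any",
    "deny ip any any",
]

if __name__ == "__main__":
    print("\n".join(ios_acl_to_wlc("acl-guest", GUEST_ACL_IOS)))
```

Paste the printed lines into the WLC CLI in order; the rule index is taken from the position of the entry in the IOS list, so reordering the input reorders the resulting WLC rules in the same way.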
If you look at the WLC configuration afterwards, the ACL-related part will look like this. As you can see, by default the protocol, source/destination addresses and ports are "any", so you do not need to configure them when you want the "any" option.
Also, like a normal IOS ACL, there is an implied deny rule (index number 65), so you do not need to configure a deny any any rule explicitly. Because of this, you need to ensure all required protocols are permitted if the given task does not allow you to use a permit any any rule.
config acl create acl-guest
config acl rule add acl-guest 1
config acl rule destination port range acl-guest 1 53 53
config acl rule protocol acl-guest 1 17
config acl rule action acl-guest 1 permit
config acl rule add acl-guest 2
config acl rule protocol acl-guest 2 17
config acl rule action acl-guest 2 permit
config acl rule source port range acl-guest 2 53 53
config acl rule add acl-guest 3
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule action acl-guest 3 permit
config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule add acl-guest 5
config acl rule add acl-guest 65
Finally you can apply the ACL to the data path. If you want to enable ACL counters you can do that as well. If you apply an ACL to a WLAN, it will override the interface ACL.
(4402-a) >config acl counter ?
start Start ACL Counters.
stop Stop ACL Counters.
(4402-a) >config acl counter start
(4402-a) >config acl apply ?
<name> Enter ACL name up to 32 alphanumeric characters.
(4402-a) >config acl apply acl-guest
(4402-a) >config wlan acl <wlan-id> <acl-name>
In the GUI it will look like this.
You can verify your config by using the "show acl summary" and "show acl detailed <acl-name>" CLI commands as shown below.
(4402-a) >show acl summary

ACL Counter Status Enabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
acl-guest                        Yes

(4402-a) >show acl detailed acl-guest

                 Source                          Destination                     Source Port Dest Port
Index Dir IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action  Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   0-65535     53-53       Any   Permit  0
     2 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any   Permit  0
     3 Any 0.0.0.0/0.0.0.0                 10.11.6.244/255.255.255.255     Any  0-65535     0-65535     Any   Permit  0
     4 Any 10.11.6.244/255.255.255.255     0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Permit  0
     5 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny    0

DenyCounter : 0
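Once counters are running, the "show acl detailed" table is also the place to confirm that what the controller enforces matches what you intended, and which rules are actually seeing traffic. The Python below is an added example, not code from the original post: it parses that table, compares it against an expected rule list and reports rules with non-zero counters. The function names (parse_show_acl_detailed, check_policy, rules_with_hits) are my own; SAMPLE_OUTPUT is the post's table re-typed, and SAMPLE_WITH_HITS is a constructed variant with counters filled in.

```python
# Added example (not from the original post): parse "show acl detailed <name>"
# output from a WLC and compare it with the policy you meant to deploy.
# Function names are my own. SAMPLE_OUTPUT is the table from this post
# re-typed; SAMPLE_WITH_HITS is a constructed variant with non-zero counters.
import re

# One data row: index, direction, src, dst, protocol, source port range,
# dest port range, DSCP, action, counter.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<dir>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<prot>\S+)"
    r"\s+(?P<sport>\d+-\d+)\s+(?P<dport>\d+-\d+)\s+(?P<dscp>\S+)"
    r"\s+(?P<action>Permit|Deny)\s+(?P<counter>\d+)\s*$"
)
DENY_COUNTER_RE = re.compile(r"^\s*DenyCounter\s*:\s*(\d+)")


def parse_show_acl_detailed(text):
    """Return (rules, deny_counter). Each rule is a dict keyed as in ROW_RE;
    header and separator lines are skipped because they do not start with a digit."""
    rules, deny_counter = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            row["counter"] = int(row["counter"])
            rules.append(row)
            continue
        m = DENY_COUNTER_RE.match(line)
        if m:
            deny_counter = int(m.group(1))
    return rules, deny_counter


def check_policy(rules, expected):
    """Compare parsed rules, in order, with `expected`: a list of
    (prot, src, dst, sport, dport, action) tuples written as the WLC prints them.
    Returns a list of mismatch descriptions; an empty list means the ACL matches."""
    problems = []
    if len(rules) != len(expected):
        problems.append(f"expected {len(expected)} rules, WLC shows {len(rules)}")
    for want, got in zip(expected, rules):
        have = (got["prot"], got["src"], got["dst"], got["sport"], got["dport"], got["action"])
        if have != want:
            problems.append(f"rule {got['index']}: have {have}, want {want}")
    return problems


def rules_with_hits(rules):
    """Indices of rules whose counter is non-zero (needs 'config acl counter start')."""
    return [r["index"] for r in rules if r["counter"] > 0]


# The intended guest policy, in the form the WLC prints it.
EXPECTED_GUEST = [
    ("17", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "0-65535", "53-53", "Permit"),
    ("17", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "53-53", "0-65535", "Permit"),
    ("Any", "0.0.0.0/0.0.0.0", "10.11.6.244/255.255.255.255", "0-65535", "0-65535", "Permit"),
    ("Any", "10.11.6.244/255.255.255.255", "0.0.0.0/0.0.0.0", "0-65535", "0-65535", "Permit"),
    ("Any", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "0-65535", "0-65535", "Deny"),
]

# The post's "show acl detailed acl-guest" table, re-typed.
SAMPLE_OUTPUT = """\
                 Source                          Destination                     Source Port Dest Port
Index Dir IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action  Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   0-65535     53-53       Any   Permit  0
     2 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any   Permit  0
     3 Any 0.0.0.0/0.0.0.0                 10.11.6.244/255.255.255.255     Any  0-65535     0-65535     Any   Permit  0
     4 Any 10.11.6.244/255.255.255.255     0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Permit  0
     5 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny    0
DenyCounter : 0
"""

# Constructed variant (not real controller output): rules 1 and 5 have matched traffic.
SAMPLE_WITH_HITS = """\
     1 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   0-65535     53-53       Any   Permit  120
     2 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any   Permit  0
     3 Any 0.0.0.0/0.0.0.0                 10.11.6.244/255.255.255.255     Any  0-65535     0-65535     Any   Permit  0
     4 Any 10.11.6.244/255.255.255.255     0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Permit  0
     5 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny    42
DenyCounter : 42
"""

if __name__ == "__main__":
    rules, deny_counter = parse_show_acl_detailed(SAMPLE_WITH_HITS)
    print("mismatches:", check_policy(rules, EXPECTED_GUEST))
    print("rules with hits:", rules_with_hits(rules), "DenyCounter:", deny_counter)
```

A growing counter on the final deny rule (or on the DenyCounter line) with none on the permit rules is the quickest sign that a protocol the guests need was left out, which is the situation the implied-deny note above warns about.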