FlexConnect Access Control Lists
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs enable access control of network traffic. After ACLs are configured on the controller, you can apply them to the management interface, the AP-Manager interface, any of the dynamic interfaces, or a WLAN. ACLs enable you to control data traffic to and from wireless clients or to the controller CPU. You can configure ACLs on FlexConnect access points to enable effective usage and access control of locally switched data traffic on an access point.
The FlexConnect ACLs can be applied to VLAN interfaces on access points in both the Ingress and Egress mode.
Existing interfaces on an access point can be mapped to ACLs. The interfaces can be created by configuring a WLAN-VLAN mapping on a FlexConnect access point.
The FlexConnect ACLs can be applied to an access point’s VLAN only if VLAN support is enabled on the FlexConnect access point.
Related Information
- To set up location authentication, see the FlexConnect chapter of the Enterprise Mobility Design Guide.
Restrictions for FlexConnect Access Control Lists
- FlexConnect ACLs can be applied only to FlexConnect access points. The configurations applied are per AP and per VLAN.
- FlexConnect ACLs are supported on the native VLAN.
  Note: FlexConnect ACLs are not supported on the native VLAN when the setting comes from a FlexConnect group.
- You can configure up to 512 ACLs on a Cisco Wireless Controller. Each rule has parameters that affect its action. When a packet matches all the parameters pertaining to a rule, the action set pertaining to that rule is applied to the packet.
- You can define 64 IPv4 address based rules in each ACL.
- You can define up to 20 URL domain based rules (or filters).
- Non-FlexConnect ACLs that are configured on the controller cannot be applied to a FlexConnect AP.
- FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, FlexConnect ACLs cannot be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or egress.
- All ACLs have an implicit deny all rule as the last rule. If a packet does not match any of the rules, it is dropped by the corresponding access point.
- ACL mapping for VLANs that are created on an AP using WLAN-VLAN mapping should be performed on a per-AP basis only. VLANs can be created on a FlexConnect group for AAA override; these VLANs do not have any mapping to a WLAN.
- ACLs for VLANs that are created on a FlexConnect group should be mapped only on the FlexConnect group. If the same VLAN is present on the corresponding AP as well as on the FlexConnect group, the AP VLAN takes priority. This means that if no ACL is mapped on the AP, the VLAN will not have any ACL, even if an ACL is mapped to the VLAN on the FlexConnect group.
- Ensure that the FlexConnect ACL and the regular ACL names are not the same while configuring a WLAN for FlexConnect local switching.
- AAA client ACL support:
  - Before the AAA server sends the client ACL, ensure that the ACL is created on a FlexConnect group or an AP. The ACL is not downloaded to the AP dynamically when the client associates with the AP.
  - A maximum of 96 ACLs can be configured on an AP. Each ACL can have a maximum of 64 rules.
  - FlexConnect ACLs do not have directions. The entire ACL is applied as ingress or egress.
  - The ACL returned by the AAA server is applied on both ingress and egress on the 802.11 side of the client.
- Cisco Wave 2 and 802.11ax APs: When FlexConnect ACLs are applied to both wired and 802.11 interfaces, the client traffic honors only the ACL that is mapped to the 802.11 interface and not the ACL that is mapped to the wired interface.
Note: When a Local Switching WLAN is configured and an ACL containing a set of deny and permit rules is mapped to its FlexConnect group, the ACL must include a permit rule for DHCP; otherwise a client that associates to the WLAN cannot obtain an IP address.
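As an added illustration of the semantics in the restrictions above (this is not part of the Cisco documentation or of any controller code), the following Python model checks a candidate ACL against the per-ACL rule limits, applies the implicit deny-all, resolves the AP-over-group VLAN precedence, and flags a missing DHCP permit. It assumes first-match-wins rule ordering and models the DHCP requirement as a permit check for UDP/67 from a 0.0.0.0 source; both are assumptions, not statements from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_IPV4_RULES, MAX_URL_RULES = 64, 20   # per-ACL limits stated in the restrictions

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "icmp" or "any"
    src: str                     # source CIDR ("0.0.0.0/0" = any)
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port, None = any

def matches(rule, proto, src, dst, dport):
    """True when every parameter of the rule matches the packet."""
    return (rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules, proto, src, dst, dport=None):
    """Walk the ACL top-down, first match wins (assumed ordering); anything
    left unmatched is dropped by the AP's implicit deny-all rule."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"

def lint_acl(name, ip_rules, url_rules=()):
    """Report the restrictions from this page that a candidate ACL violates.
    The DHCP check is a constructed heuristic: permit UDP/67 from 0.0.0.0."""
    problems = []
    if not 0 < len(name) <= 32:
        problems.append("ACL name must be 1 to 32 characters")
    if len(ip_rules) > MAX_IPV4_RULES:
        problems.append(f"{len(ip_rules)} IPv4 rules exceed the limit of {MAX_IPV4_RULES}")
    if len(url_rules) > MAX_URL_RULES:
        problems.append(f"{len(url_rules)} URL rules exceed the limit of {MAX_URL_RULES}")
    if evaluate(ip_rules, "udp", "0.0.0.0", "255.255.255.255", 67) != "permit":
        problems.append("no permit rule for DHCP (UDP/67): clients cannot obtain an address")
    return problems

def effective_acl(vlan, ap_vlans, group_vlans):
    """A VLAN defined on the AP uses only the AP mapping (None = no ACL at all);
    the FlexConnect group mapping applies only to VLANs the AP does not define."""
    if vlan in ap_vlans:
        return ap_vlans[vlan]
    return group_vlans.get(vlan)
```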
Configuring FlexConnect Access Control Lists (GUI)
Procedure
Step 1. Choose . The FlexConnect ACL page is displayed. This page lists all the FlexConnect ACLs configured on the controller. To remove an ACL, hover your mouse over the blue drop-down arrow next to the corresponding ACL name and choose Remove.
Step 2. Add a new ACL by clicking New. The page is displayed.
Step 3. In the Access Control List Name field, enter a name for the new ACL. You can enter up to 32 alphanumeric characters.
Step 4. Click Apply.
Step 5. Click the name of the new ACL after the Access Control Lists page is displayed again. When the Access Control Lists > Edit page appears, hover over Add Rule, and select one of the two options:
Step 6. Configure an IP address based rule for a given FlexConnect ACL as follows:
Step 7. Configure a URL domain-based rule for a given FlexConnect ACL:
Step 8. Configure Local Web Authentication for FlexConnect:
Step 9. Configure Central Web Authentication for FlexConnect:
Configuring FlexConnect Access Control Lists (CLI)
Use the following commands on the controller to configure FlexConnect ACLs:
Procedure
Use the following command on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs to view information that is related to FlexConnect ACLs:
Viewing and Debugging FlexConnect Access Control Lists (CLI)
Use the following commands on the controller to view information related to FlexConnect ACLs:
Procedure
Use the following commands on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs to view information related to FlexConnect ACLs:
Configuring CAPWAP Message Aggregation (CLI)
Deployments with a large number of FlexConnect APs should have CAPWAP message aggregation enabled. In such deployments, if CAPWAP message aggregation is disabled, the ACL and AVC settings on the APs are found to be missing. When the AP settings are missing, messages similar to the following are displayed in the controller message log:
Capwap Retransmission Queue Full for AP 38:ed:18:cd:f0:60
With the debug capwap errors enable command in effect, errors similar to the following might be observed:
*spamReceiveTask: Aug 22 22:21:09.342: [PA] 00:11:0a:04:60:4d Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00
*spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Queue already full
*spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Failed to send [XXX] payload
This issue is observed especially in the following conditions:
- FlexConnect ACLs and/or AVC in use
- A large number of WLANs in use
The workaround is to enter the command described below.