FlexConnect Access Control Lists
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs enable access control of network traffic. After ACLs are configured on the controller, you can apply them to the management interface, the AP-Manager interface, any of the dynamic interfaces, or a WLAN. ACLs enable you to control data traffic to and from wireless clients or to the controller CPU. You can configure ACLs on FlexConnect access points to enable effective usage and access control of locally switched data traffic on an access point.
The FlexConnect ACLs can be applied to VLAN interfaces on access points in both the Ingress and Egress mode.
Existing interfaces on an access point can be mapped to ACLs. The interfaces can be created by configuring a WLAN-VLAN mapping on a FlexConnect access point.
The FlexConnect ACLs can be applied to an access point’s VLAN only if VLAN support is enabled on the FlexConnect access point.
Related Information
-
To set up location authentication, see the FlexConnect chapter of the Enterprise Mobility Design Guide.
This section contains the following subsections:
Restrictions for FlexConnect Access Control Lists
-
FlexConnect ACLs can be applied only to FlexConnect access points. The configurations applied are per AP and per VLAN.
-
FlexConnect ACLs are supported on the native VLAN.
Note
FlexConnect ACLs are not supported on native VLAN when setting comes from FlexConnect Group.
-
You can configure up to 512 ACLs on a Cisco Wireless Controller. Each rule has parameters that affect its action. When a packet matches all the parameters pertaining to a rule, the action set pertaining to that rule is applied to the packet.
-
You can define 64 IPv4 address based rules in each ACL.
-
You can define up to 20 URL domain based rules (or filters).
-
-
Non-FlexConnect ACLs that are configured on the controller cannot be applied to a FlexConnect AP.
-
FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, Flexconnect ACLs cannot be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or egress.
-
All ACLs have an implicit deny all rule as the last rule. If a packet does not match any of the rules, it is dropped by the corresponding access point.
-
ACLs mapping on the VLANs that are created on an AP using WLAN-VLAN mapping, should be performed on a per-AP basis only. VLANs can be created on a FlexConnect group for AAA override. These VLANs will not have any mapping for a WLAN.
-
ACLs for VLANs that are created on a FlexConnect group should be mapped only on the FlexConnect group. If the same VLAN is present on the corresponding AP as well as the FlexConnect group, AP VLAN will take priority. This means that if no ACL is mapped on the AP, the VLAN will not have any ACL, even if the ACL is mapped to the VLAN on the FlexConnect group.
-
Ensure the FlexConnect ACL and the regular ACL names are not the same while configuring a WLAN for FlexConnect local switching.
-
AAA client ACL support:
-
Before the AAA sends the client ACL, ensure that the ACL is created on a FlexConnect group or an AP. The ACL is not downloaded to the AP dynamically when the client gets associated with the AP.
-
A maximum of 96 ACLs can be configured on an AP. Each ACL can have a maximum of 64 rules.
-
FlexConnect ACLs do not have directions. The entire ACL is applied as ingress or egress.
-
The ACL returned by the AAA is applied on both ingress and egress on the 802.11 side of the client.
-
-
Cisco Wave 2 and 802.11ax APs: When FlexConnect ACLs are applied to both wired and 802.11 interfaces, the client traffic honors only the ACL that is mapped to the 802.11 interface and not the ACL that is mapped to the wired interface.
Note |
A Local Switching WLAN is configured and ACL is mapped to a FlexConnect group with an ACL. The ACL has set of deny and permit rules. When you associate a client to the WLAN, the client needs to have DHCP permit rule added for getting the IP address. |
Configuring FlexConnect Access Control Lists (GUI)
Procedure
Step 1 |
Choose .The FlexConnect ACL page is displayed. This page lists all the FlexConnect ACLs configured on the controller. This page also shows the FlexConnect ACLs created on the corresponding controller. To remove an ACL, hover your mouse over the blue drop-down arrow that is next to the corresponding ACL name and choose Remove. |
Step 2 |
Add a new ACL by clicking New. The page is displayed. |
Step 3 |
In the Access Control List Name field, enter a name for the new ACL. You can enter up to 32 alphanumeric characters. |
Step 4 |
Click Apply. |
Step 5 |
Click the name of the new ACL after the Access Control Lists page is displayed again. When the Access Control Lists > Edit page appears, hover over Add Rule, and select one of the two options:
|
Step 6 |
Configure an IP address based rule for a given FlexConnect ACL as follows: |
Step 7 |
Configure a URL domain-based rule for a given FlexConnect ACL: |
Step 8 |
Configure Local Web Authentication for FlexConnect:
|
Step 9 |
Configure Central Web Authentication for FlexConnect: |
Configuring FlexConnect Access Control Lists (CLI)
Use the following commands on the controller to configure FlexConnect ACLs:
Procedure
Viewing and Debugging FlexConnect Access Control Lists (CLI)
Use the following commands on the controller to view information related to FlexConnect ACLs:
Procedure
-
show flexconnect acl summary —Displays a summary of the ACLs.
-
show client detail mac-address —Displays AAA override ACL.
-
show flexconnect acl detailed acl-name —Displays the detailed information about the ACL.
-
debug flexconnect acl {enable | disable} —Enables or disables the debugging of FlexConnect ACL.
-
debug capwap reap —Enables debugging of CAPWAP.