Cisco WLC ACL using CLI

Configuring access lists on the Cisco Wireless LAN Controller through the GUI is tedious: every rule is entered line by line with a lot of clicks. With the CLI the idea is the same, but you can prepare the whole ACL in a text editor such as Notepad++ and paste it in. One rule consists of the following settings:

  • rule number
  • direction
  • source address
  • destination address
  • protocol
  • source port
  • destination port
  • action

permit ip any any (outbound) – allow all traffic from the WLC to the client
permit udp any any eq domain (inbound) – allow DNS from the client to any
permit udp any eq dhcp client any eq dhcp server (inbound) – allow DHCP from the client to any
permit tcp any host 10.10.10.10 eq 8443 (inbound) – allow HTTPS from the client to the server
deny ip any any (inbound) – deny all other traffic from the client

Here is an example of the WLC ACL configuration using CLI:

config acl create ACL-NAME
!
config acl rule add ACL-NAME 1
config acl rule direction ACL-NAME 1 out
config acl rule source port range ACL-NAME 1 0 65535
config acl rule destination port range ACL-NAME 1 0 65535
config acl rule action ACL-NAME 1 permit
!
config acl rule add ACL-NAME 2
config acl rule direction ACL-NAME 2 in
config acl rule protocol ACL-NAME 2 17
config acl rule source port range ACL-NAME 2 0 65535
config acl rule destination port range ACL-NAME 2 53 53
config acl rule action ACL-NAME 2 permit
!
config acl rule add ACL-NAME 3
config acl rule direction ACL-NAME 3 in
config acl rule protocol ACL-NAME 3 17
config acl rule source port range ACL-NAME 3 68 68
config acl rule destination port range ACL-NAME 3 67 67
config acl rule action ACL-NAME 3 permit
!
config acl rule add ACL-NAME 4
config acl rule direction ACL-NAME 4 in
config acl rule destination address ACL-NAME 4 10.10.10.10 255.255.255.255
config acl rule protocol ACL-NAME 4 6
config acl rule source port range ACL-NAME 4 0 65535
config acl rule destination port range ACL-NAME 4 8443 8443
config acl rule action ACL-NAME 4 permit
!
config acl rule add ACL-NAME 5
config acl rule direction ACL-NAME 5 in
config acl rule source port range ACL-NAME 5 0 65535
config acl rule destination port range ACL-NAME 5 0 65535
config acl rule action ACL-NAME 5 deny
!
config acl apply ACL-NAME
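Writing the rules in a compact table and generating the verbose "config acl rule ..." lines from it is the editor trick above, done in code. This is an added Python example, not part of the original post; the Rule table, the protocol map (ip = no protocol line, tcp = 6, udp = 17) and the port convention (0 65535 = any) are assumptions that mirror the five rules shown. Rendering the table below reproduces the 37-line configuration above, line for line.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"ip": None, "tcp": 6, "udp": 17}   # WLC wants IP protocol numbers; ip = any
ANY = (0, 65535)                            # port range meaning "any port"

@dataclass
class Rule:
    proto: str
    direction: str                 # "in" = client -> WLC, "out" = WLC -> client
    action: str                    # "permit" / "deny"
    src: Optional[str] = None      # "addr mask" or None for any
    dst: Optional[str] = None
    sport: Tuple[int, int] = ANY
    dport: Tuple[int, int] = ANY

def render(acl: str, rules: List[Rule]) -> List[str]:
    """Emit the 'config acl ...' lines, numbering rules in list order."""
    out = [f"config acl create {acl}"]
    for n, r in enumerate(rules, start=1):
        if r.direction not in ("in", "out") or r.action not in ("permit", "deny"):
            raise ValueError(f"rule {n}: bad direction or action")
        out += ["!", f"config acl rule add {acl} {n}",
                f"config acl rule direction {acl} {n} {r.direction}"]
        if r.src:
            out.append(f"config acl rule source address {acl} {n} {r.src}")
        if r.dst:
            out.append(f"config acl rule destination address {acl} {n} {r.dst}")
        if PROTO[r.proto] is not None:
            out.append(f"config acl rule protocol {acl} {n} {PROTO[r.proto]}")
        out += [f"config acl rule source port range {acl} {n} {r.sport[0]} {r.sport[1]}",
                f"config acl rule destination port range {acl} {n} {r.dport[0]} {r.dport[1]}",
                f"config acl rule action {acl} {n} {r.action}"]
    return out + ["!", f"config acl apply {acl}"]

HOST = "255.255.255.255"
# The five rules from the post, in the same order (constructed input); the last
# rule is the explicit inbound deny so nothing else from the client slips through.
RULES = [
    Rule("ip", "out", "permit"),
    Rule("udp", "in", "permit", dport=(53, 53)),
    Rule("udp", "in", "permit", sport=(68, 68), dport=(67, 67)),
    Rule("tcp", "in", "permit", dst=f"10.10.10.10 {HOST}", dport=(8443, 8443)),
    Rule("ip", "in", "deny"),
]

if __name__ == "__main__":
    print("\n".join(render("ACL-NAME", RULES)))
```

Rule numbers come from list order, so reordering the table renumbers the whole ACL; keep the deny last.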

This ACL in GUI:

You can verify the configuration with the "show acl detailed <acl-name>" command:
