WLC ACL via CLI Short Info Page and Lab Template

Access Control Lists are used in many ways. One example is to allow the Wireless DMZ (aka Guest Network) to communicate only with the Gateway/L3 boundary. I would always suggest defining what you are attempting to do in pseudo code before you start hitting the keyboard. This short blog isn’t about why to use an ACL, but rather some of the nuts and bolts of how to modify one via the CLI. 99% of people will probably use the GUI on the WLC.
So why go through the CLI?
  • Change Control Plans look cleaner with CLI snippets.
  • Operationalize low level ACL changes
  • Multiple Controller Deployments or Changes

I thought I would create a page to help people lab up the ACL. If you have corrections or comments, please let me know.

Please Note: This is from 8.5.140.0 Code on a 3504 WLC. Your Results May Vary.

MODIFYING ACL IN WLC

Delete ACL and recreate it

  • Command: config acl delete [ACL_NAME]

Adding a new rule

  • Command: config acl rule add [ACL_NAME] [INDEX_NUMBER]
  • Logic: Inserts a new rule with the index of [INDEX_NUMBER]. Any existing rule with an index >= [INDEX_NUMBER] moves down one position in the list, so its index increases by 1.
  • Example: Insert a new rule with an index of 2. Any previous rule with an index >= 2 moves down one position, so rule index 2 becomes rule index 3.

Re-index acl rules by changing index of existing rules

  • Command: config acl rule change index [ACL_NAME] [OLD_INDEX] [NEW_INDEX]
  • Logic: Changes the rule’s index to [NEW_INDEX]. If [NEW_INDEX] is > [OLD_INDEX], the rules in between move up (their indexes are decremented). If [NEW_INDEX] is < [OLD_INDEX], the rules in between move down (their indexes are incremented).
  • Example: If you change rule 1 to rule 3, then rule 2 becomes 1 and rule 3 becomes 2. Or if you change rule 3 to 1, then rule 2 becomes rule 3 and rule 1 becomes 2. My suggestion is to take a before and after screen capture and compare them to make sure the order is what you expected.

Deleting a rule

  • Command: config acl rule delete [ACL_NAME] [INDEX_NUMBER]
  • Logic: Deletes the rule with index [INDEX_NUMBER]. All later rules’ indexes are decremented by 1 to close the gap.
  • Example: Deleting rule index 1: rule 2 becomes 1 and rule 3 becomes 2.
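To predict the rule order before you send a change (and to generate a clean rebuild snippet for a change control plan), here is a small Python model of the add / change index / delete re-indexing behaviour described above. This is an added example, not code from this post or from Cisco; the Acl class, its method names and the three sample rules (taken from the lab script below) are my own constructed data.

```python
# Added example: model of how the WLC re-indexes ACL rules on
# add / change index / delete, per the behaviour described above.
# Rules live in list order; index = position + 1. The class and
# its method names are hypothetical, not a Cisco API.
from dataclasses import dataclass, field


@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)  # each rule is a plain dict

    def add(self, index, rule):
        # config acl rule add <acl> <index>: rules at >= index shift down by one
        assert 1 <= index <= len(self.rules) + 1, "index out of range"
        self.rules.insert(index - 1, rule)

    def change_index(self, old, new):
        # config acl rule change index <acl> <old> <new>: move one rule;
        # the rules between old and new shift by one to fill the gap
        assert 1 <= old <= len(self.rules) and 1 <= new <= len(self.rules)
        self.rules.insert(new - 1, self.rules.pop(old - 1))

    def delete(self, index):
        # config acl rule delete <acl> <index>: later rules close the gap
        assert 1 <= index <= len(self.rules), "index out of range"
        del self.rules[index - 1]

    def to_cli(self):
        """Emit a full rebuild script (delete, create, re-add in order, apply)."""
        lines = [f"config acl delete {self.name}", f"config acl create {self.name}"]
        for i, r in enumerate(self.rules, start=1):
            lines.append(f"config acl rule add {self.name} {i}")
            lines.append(f"config acl rule source address {self.name} {i} {r['src']}")
            lines.append(f"config acl rule destination address {self.name} {i} {r['dst']}")
            lines.append(f"config acl rule action {self.name} {i} {r['action']}")
        lines.append(f"config acl apply {self.name}")
        return lines


def lab_acl():
    """The three rules of the lab script, as constructed sample data."""
    acl = Acl("ACL_TEST")
    acl.add(1, {"label": "r1", "src": "192.168.0.0 255.255.255.0", "dst": "192.168.100.0 255.255.255.0", "action": "permit"})
    acl.add(2, {"label": "r2", "src": "192.168.0.10 255.255.255.255", "dst": "192.168.100.0 255.255.255.0", "action": "deny"})
    acl.add(3, {"label": "r3", "src": "192.168.0.0 255.255.255.0", "dst": "192.168.200.0 255.255.255.0", "action": "permit"})
    return acl


def order_after(acl, op, *args):
    """Apply one operation and return the rule labels in their new index order."""
    getattr(acl, op)(*args)
    return [r["label"] for r in acl.rules]
```

Compare the list returned by order_after with your "after" screen capture of show acl detailed; if they differ, the WLC did not do what you thought you asked for.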

TEST SCRIPT FOR LAB WLC
config acl delete ACL_TEST
config acl create ACL_TEST
config acl rule add ACL_TEST 1
config acl rule source port range ACL_TEST 1 16384 32767
config acl rule source address ACL_TEST 1 192.168.0.0 255.255.255.0
config acl rule protocol ACL_TEST 1 17
config acl rule dscp ACL_TEST 1 46
config acl rule destination port range ACL_TEST 1 16384 32767
config acl rule destination address ACL_TEST 1 192.168.100.0 255.255.255.0
config acl rule action ACL_TEST 1 permit
config acl rule add ACL_TEST 2
config acl rule source port range ACL_TEST 2 16384 32767
config acl rule source address ACL_TEST 2 192.168.0.10 255.255.255.255
config acl rule protocol ACL_TEST 2 17
config acl rule dscp ACL_TEST 2 46
config acl rule destination port range ACL_TEST 2 16384 32767
config acl rule destination address ACL_TEST 2 192.168.100.0 255.255.255.0
config acl rule action ACL_TEST 2 deny
config acl rule add ACL_TEST 3
config acl rule source port range ACL_TEST 3 16384 32767
config acl rule source address ACL_TEST 3 192.168.0.0 255.255.255.0
config acl rule protocol ACL_TEST 3 17
config acl rule dscp ACL_TEST 3 46
config acl rule destination port range ACL_TEST 3 16384 32767
config acl rule destination address ACL_TEST 3 192.168.200.0 255.255.255.0
config acl rule action ACL_TEST 3 permit
config acl counter start
config acl apply ACL_TEST
!Make changes. View changes in the GUI. Delete the ACL when complete, either in the GUI or by issuing the command: config acl delete ACL_TEST

ADDING A NEW RULE TO EXISTING ACL IN WLC

Command: config acl rule add [ACL_NAME] [INDEX_NUMBER]

Enter subcommands such as:

config acl rule destination address [ACL_NAME] [INDEX_NUMBER] [DEST_IP] [DEST_MASK]

config acl rule source address [ACL_NAME] [INDEX_NUMBER] [SRC_IP] [SRC_MASK]

config acl rule source port range [ACL_NAME] [INDEX_NUMBER] [START_PORT] [END_PORT]

config acl rule destination port range [ACL_NAME] [INDEX_NUMBER] [START_PORT] [END_PORT]

config acl rule protocol [ACL_NAME] [INDEX_NUMBER] [PROTOCOL_NUMBER/ANY]

config acl rule direction [ACL_NAME] [INDEX_NUMBER] [DIRECTION_IN/OUT/ANY]

config acl rule dscp [ACL_NAME] [INDEX_NUMBER] [DSCP_NUMBER]

config acl rule action [ACL_NAME] [INDEX_NUMBER] [PERMIT/DENY]

Apply ACL:
Command: config acl apply [ACL_NAME]

LAB TIME:

As you can see from running the “show acl summary” command, I do not have an ACL in my lab WLC.

[Screenshot: show acl summary output, 2019-03-26 9:09 AM]

Once I run my lab script, the ACL will show up.

[Screenshot: show acl summary output after running the lab script, 2019-03-26 9:11 AM]

You can drill down to see the individual rules in the ACL by running the “show acl detailed” command.

[Screenshot: show acl detailed output, 2019-03-26 9:16 AM]

It also shows up in the GUI of the WLC.

[Screenshot: ACL as shown in the WLC GUI, 2019-03-26 9:19 AM]

You can add/delete/re-index rules or add/delete the ACL altogether. Keep in mind you still need to apply the ACL, either to the Interface or by overriding the Interface ACL and applying it to the WLAN directly; until then the rules exist but filter nothing.

[Screenshot: applying the ACL in the WLC GUI, 2019-03-26 9:22 AM]

Ok.. That’s it. Go forth and have fun with ACLs in your lab!!!
