- Change Control Plans look cleaner with CLI snippets.
- Operationalize low level ACL changes
- Multiple Controller Deployments or Changes
I thought I would create a page to help people lab up the ACL. If you have corrections or comments, please let me know.
Please Note: This is from 8.5.140.0 Code on a 3504 WLC. Your Results May Vary.
MODIFYING ACL IN WLC
Delete ACL and recreate it
- Command: config acl delete [ACL_NAME]
Adding a new rule
- Command: config acl rule add [ACL_NAME] [INDEX_NUMBER]
- Logic: Inserts the new rule at index [INDEX_NUMBER]. Every existing rule at or after that index moves down one position (its index increases by 1).
- Example: Insert a new rule at index 2. Every previous rule with index >= 2 moves down by one, so the old rule index 2 becomes rule index 3.
Re-index ACL rules by changing the index of existing rules
- Command: config acl rule change index [ACL_NAME] [OLD_INDEX] [NEW_INDEX]
- Logic: Moves the rule at [OLD_INDEX] to [NEW_INDEX]. The rules between the two positions shift by one to close the gap: if [NEW_INDEX] is greater than [OLD_INDEX], the rules in between move up (each index decreases by 1); if [NEW_INDEX] is less than [OLD_INDEX], they move down (each index increases by 1).
- Example: If you change rule 1 to rule 3, then rule 2 becomes rule 1. If you change rule 3 to rule 1, then rule 2 becomes rule 3 and rule 1 becomes rule 2. My suggestion is to take a before and after screen capture and compare them to make sure the order is what you expected.
Deleting a rule
- Command: config acl rule delete [ACL_NAME] [INDEX_NUMBER]
- Logic: Deletes the rule with index [INDEX_NUMBER]. Every later rule moves up one position to close the gap.
- Example: Deleting rule index 1: rule 2 becomes rule 1, rule 3 becomes rule 2.
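The three operations above (add, change index, delete) follow one deterministic re-indexing rule, and the advice to compare before and after is easier to follow if the expected "after" is written down first. The following Python model is an added example, not Cisco code and not anything that runs on the WLC: it encodes the shifting behaviour described on this page and produces the old-index-to-new-index table for a change control plan. The function names and the rule labels are my own constructed values.

```python
"""Model of how the WLC re-indexes ACL rules on add, change index and delete.

Added example, not Cisco code: it encodes the index-shifting behaviour this
page describes so that the expected before/after order can be written into a
change-control plan and checked against the controller's GUI afterwards.
Rule labels are constructed sample data and must be unique within an ACL."""

from typing import Dict, List, Optional


def add_rule(rules: List[str], index: int, label: str) -> List[str]:
    """config acl rule add ACL index: the new rule takes `index`; every rule
    at or after it moves down one position (its index grows by 1)."""
    if not 1 <= index <= len(rules) + 1:
        raise ValueError(f"index {index} outside 1..{len(rules) + 1}")
    new = list(rules)
    new.insert(index - 1, label)
    return new


def change_index(rules: List[str], old: int, new_index: int) -> List[str]:
    """config acl rule change index ACL old new: the rule at `old` moves to
    `new_index`; the rules between the two positions shift by one to close
    the gap (up when new > old, down when new < old)."""
    n = len(rules)
    for i in (old, new_index):
        if not 1 <= i <= n:
            raise ValueError(f"index {i} outside 1..{n}")
    new = list(rules)
    new.insert(new_index - 1, new.pop(old - 1))
    return new


def delete_rule(rules: List[str], index: int) -> List[str]:
    """config acl rule delete ACL index: every later rule moves up one."""
    if not 1 <= index <= len(rules):
        raise ValueError(f"index {index} outside 1..{len(rules)}")
    new = list(rules)
    del new[index - 1]
    return new


def index_map(before: List[str], after: List[str]) -> Dict[int, Optional[int]]:
    """Old index -> new index for every rule in `before` (None if deleted).
    This is the table a change plan should show next to the CLI snippet."""
    position = {label: i + 1 for i, label in enumerate(after)}
    return {i + 1: position.get(label) for i, label in enumerate(before)}


def render(rules: List[str]) -> str:
    """List rules the way the GUI does: one numbered line per rule."""
    return "\n".join(f"{i + 1:>3}  {label}" for i, label in enumerate(rules))


if __name__ == "__main__":
    # Constructed three-rule ACL, labelled by what each rule does.
    acl = ["permit voice subnet", "deny host .10", "permit video subnet"]
    for title, after in [
        ("add at index 2", add_rule(acl, 2, "deny guest subnet")),
        ("change index 1 -> 3", change_index(acl, 1, 3)),
        ("change index 3 -> 1", change_index(acl, 3, 1)),
        ("delete index 1", delete_rule(acl, 1)),
    ]:
        print(f"\n== {title} ==\n{render(after)}\n{index_map(acl, after)}")
```

Run it and the printed tables reproduce the three examples given above (2 becomes 3 after an add at 2; 2 becomes 1 after moving 1 to 3; 2 becomes 3 and 1 becomes 2 after moving 3 to 1). The same `index_map` output is what I would paste under "expected result" in the change record, then compare with the GUI screen capture.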
TEST SCRIPT FOR LAB WLC
config acl delete ACL_TEST
config acl create ACL_TEST
config acl rule add ACL_TEST 1
config acl rule source port range ACL_TEST 1 16384 32767
config acl rule source address ACL_TEST 1 192.168.0.0 255.255.255.0
config acl rule protocol ACL_TEST 1 17
config acl rule dscp ACL_TEST 1 46
config acl rule destination port range ACL_TEST 1 16384 32767
config acl rule destination address ACL_TEST 1 192.168.100.0 255.255.255.0
config acl rule action ACL_TEST 1 permit
config acl rule add ACL_TEST 2
config acl rule source port range ACL_TEST 2 16384 32767
config acl rule source address ACL_TEST 2 192.168.0.10 255.255.255.255
config acl rule protocol ACL_TEST 2 17
config acl rule dscp ACL_TEST 2 46
config acl rule destination port range ACL_TEST 2 16384 32767
config acl rule destination address ACL_TEST 2 192.168.100.0 255.255.255.0
config acl rule action ACL_TEST 2 deny
config acl rule add ACL_TEST 3
config acl rule source port range ACL_TEST 3 16384 32767
config acl rule source address ACL_TEST 3 192.168.0.0 255.255.255.0
config acl rule protocol ACL_TEST 3 17
config acl rule dscp ACL_TEST 3 46
config acl rule destination port range ACL_TEST 3 16384 32767
config acl rule destination address ACL_TEST 3 192.168.200.0 255.255.255.0
config acl rule action ACL_TEST 3 permit
config acl counter start
config acl apply ACL_TEST
! Make changes. View the changes in the GUI. Delete the ACL when complete, or by issuing the command: config acl delete
ADDING A NEW RULE TO EXISTING ACL IN WLC
Command: config acl rule add [ACL_NAME] [INDEX_NUMBER]
Enter subcommands such as:
config acl rule destination address [ACL_NAME] [INDEX_NUMBER] [DEST_IP] [DEST_MASK]
config acl rule source address [ACL_NAME] [INDEX_NUMBER] [SRC_IP] [SRC_MASK]
config acl rule source port range [ACL_NAME] [INDEX_NUMBER] [START_PORT] [END_PORT]
config acl rule destination port range [ACL_NAME] [INDEX_NUMBER] [START_PORT] [END_PORT]
config acl rule protocol [ACL_NAME] [INDEX_NUMBER] [PROTOCOL_NUMBER/ANY]
config acl rule direction [ACL_NAME] [INDEX_NUMBER] [DIRECTION_IN/OUT/ANY]
config acl rule dscp [ACL_NAME] [INDEX_NUMBER] [DSCP_NUMBER]
config acl rule action [ACL_NAME] [INDEX_NUMBER] [PERMIT/DENY]
Apply ACL:
Command: config acl apply [ACL_NAME]
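Typing these subcommands by hand is exactly where a wrong mask or port range slips into a permit rule, so for a change control plan I prefer to generate them from data. The Python below is an added example, not a Cisco tool or anything from the WLC: it emits the subcommand lines listed above for one rule, checks the values (IPv4 address plus mask, ports 0-65535, DSCP 0-63, IP protocol 0-255 or any) before anything is pasted into the controller, and assembles the create/rules/apply script. It reproduces rules 1 and 2 of the lab script on this page; the `AclRule` class and function names are my own.

```python
"""Build and sanity-check 'config acl rule ...' subcommands for a WLC ACL rule.

Added example, not Cisco code. The command syntax is the one listed on this
page; the value checks (IPv4 address plus mask, ports 0..65535, DSCP 0..63,
IP protocol 0..255 or 'any') are standard IP limits applied before anything is
pasted into the controller, because a mistyped mask or port range on a permit
rule quietly widens what the ACL allows."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class AclRule:
    acl: str
    index: int
    src: str                                      # "192.168.0.0 255.255.255.0"
    dst: str                                      # "192.168.100.0 255.255.255.0"
    action: str                                   # "permit" or "deny"
    protocol: Union[int, str] = "any"             # IP protocol number or "any"
    src_ports: Optional[Tuple[int, int]] = None   # (start, end)
    dst_ports: Optional[Tuple[int, int]] = None
    dscp: Optional[int] = None                    # 0..63
    direction: Optional[str] = None               # "in", "out" or "any"


def validate(rule: AclRule) -> None:
    """Raise ValueError for values the controller would reject or, worse,
    accept with a meaning other than the one intended."""
    if not rule.acl or " " in rule.acl:
        raise ValueError("ACL name must be a single token")
    if rule.index < 1:
        raise ValueError("rule index starts at 1")
    for spec in (rule.src, rule.dst):
        ip, mask = spec.split()
        # strict=True: host bits set under the mask almost always mean a typo
        ipaddress.IPv4Network((ip, mask), strict=True)
    if rule.protocol != "any" and not 0 <= int(rule.protocol) <= 255:
        raise ValueError(f"bad IP protocol number {rule.protocol!r}")
    for rng in (rule.src_ports, rule.dst_ports):
        if rng is not None and not 0 <= rng[0] <= rng[1] <= 65535:
            raise ValueError(f"bad port range {rng}")
    if rule.dscp is not None and not 0 <= rule.dscp <= 63:
        raise ValueError(f"bad DSCP value {rule.dscp}")
    if rule.direction is not None and rule.direction not in ("in", "out", "any"):
        raise ValueError(f"bad direction {rule.direction!r}")
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"bad action {rule.action!r}")


def rule_commands(rule: AclRule) -> List[str]:
    """The 'config acl rule' lines for one rule, in the order the lab script
    on this page uses them (add first, action last)."""
    validate(rule)
    p, a = "config acl rule", f"{rule.acl} {rule.index}"
    cmds = [f"{p} add {a}"]
    if rule.src_ports:
        cmds.append(f"{p} source port range {a} {rule.src_ports[0]} {rule.src_ports[1]}")
    cmds.append(f"{p} source address {a} {rule.src}")
    cmds.append(f"{p} protocol {a} {rule.protocol}")
    if rule.dscp is not None:
        cmds.append(f"{p} dscp {a} {rule.dscp}")
    if rule.dst_ports:
        cmds.append(f"{p} destination port range {a} {rule.dst_ports[0]} {rule.dst_ports[1]}")
    cmds.append(f"{p} destination address {a} {rule.dst}")
    if rule.direction:
        cmds.append(f"{p} direction {a} {rule.direction}")
    cmds.append(f"{p} action {a} {rule.action}")
    return cmds


def build_script(acl: str, rules: List[AclRule]) -> str:
    """Paste-ready script: create the ACL, add every rule, apply it."""
    lines = [f"config acl create {acl}"]
    for rule in rules:
        if rule.acl != acl:
            raise ValueError(f"rule {rule.index} belongs to {rule.acl!r}, not {acl!r}")
        lines.extend(rule_commands(rule))
    lines.append(f"config acl apply {acl}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Rules 1 and 2 of the lab script on this page, expressed as data.
    voice = dict(protocol=17, src_ports=(16384, 32767), dst_ports=(16384, 32767), dscp=46)
    rules = [
        AclRule("ACL_TEST", 1, "192.168.0.0 255.255.255.0", "192.168.100.0 255.255.255.0", "permit", **voice),
        AclRule("ACL_TEST", 2, "192.168.0.10 255.255.255.255", "192.168.100.0 255.255.255.0", "deny", **voice),
    ]
    print(build_script("ACL_TEST", rules))
```

The `strict=True` network check is deliberately conservative: a source of `192.168.0.10 255.255.255.0` is rejected rather than silently treated as the whole /24, which is the kind of mismatch between intent and effect that a before/after screen capture will not catch.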
LAB TIME: