Monday 19 November 2012

Cisco WLC cli ACL creation


Here is a simple example of creating an ACL on a 5500 series wireless controller. The rules below permit DNS (UDP and TCP port 53) to and from 10.2.249.14, deny all other traffic to and from 10.0.0.0/8, and permit everything else; rules 5 and 6 set no action, so they fall back to the controller's default action of deny (visible in the output further down).

Creating the ACL
config acl create Guest_Acl_10/8 

Adding the rules

config acl rule add Guest_Acl_10/8 1 
config acl rule destination port range Guest_Acl_10/8 1 53 53 
config acl rule destination address Guest_Acl_10/8 1 10.2.249.14 255.255.255.255 
config acl rule protocol Guest_Acl_10/8 1 17 
config acl rule action Guest_Acl_10/8 1 permit 
config acl rule direction Guest_Acl_10/8 1 in 
config acl rule add Guest_Acl_10/8 2 
config acl rule protocol Guest_Acl_10/8 2 17 
config acl rule action Guest_Acl_10/8 2 permit 
config acl rule direction Guest_Acl_10/8 2 out 
config acl rule source port range Guest_Acl_10/8 2 53 53 
config acl rule source address Guest_Acl_10/8 2 10.2.249.14 255.255.255.255 
config acl rule add Guest_Acl_10/8 3 
config acl rule destination port range Guest_Acl_10/8 3 53 53 
config acl rule destination address Guest_Acl_10/8 3 10.2.249.14 255.255.255.255 
config acl rule protocol Guest_Acl_10/8 3 6 
config acl rule action Guest_Acl_10/8 3 permit 
config acl rule direction Guest_Acl_10/8 3 in 
config acl rule add Guest_Acl_10/8 4 
config acl rule protocol Guest_Acl_10/8 4 6 
config acl rule action Guest_Acl_10/8 4 permit 
config acl rule direction Guest_Acl_10/8 4 out 
config acl rule source port range Guest_Acl_10/8 4 53 53 
config acl rule source address Guest_Acl_10/8 4 10.2.249.14 255.255.255.255 
config acl rule add Guest_Acl_10/8 5 
config acl rule destination address Guest_Acl_10/8 5 10.0.0.0 255.0.0.0 
config acl rule direction Guest_Acl_10/8 5 in 
config acl rule add Guest_Acl_10/8 6 
config acl rule direction Guest_Acl_10/8 6 out 
config acl rule source address Guest_Acl_10/8 6 10.0.0.0 255.0.0.0 
config acl rule add Guest_Acl_10/8 7 
config acl rule action Guest_Acl_10/8 7 permit 
config acl rule add Guest_Acl_10/8 65 
config acl apply Guest_Acl_10/8 


Apply the ACL to the guest2 interface

config interface acl guest2 Guest_Acl_10/8 


How it all looks


(Cisco Controller) >show acl detailed Guest_Acl_10/8  

                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter 
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255   17     0-65535    53-53     Any Permit           0 
     2 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0 
     3  In         0.0.0.0/0.0.0.0             10.2.249.14/255.255.255.255    6     0-65535    53-53     Any Permit           0 
     4 Out     10.2.249.14/255.255.255.255         0.0.0.0/0.0.0.0            6    53-53        0-65535  Any Permit           0 
     5  In         0.0.0.0/0.0.0.0                10.0.0.0/255.0.0.0        Any     0-65535     0-65535  Any   Deny           0 
     6 Out        10.0.0.0/255.0.0.0               0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0 
     7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0 

 DenyCounter : 0 
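As an added example (not part of the original post), the Python script below builds the same Guest_Acl_10/8 rule set from a small table, emits the WLC CLI lines in the syntax used above, and evaluates a few constructed flows against the rule order to confirm that the DNS exceptions are matched before the 10/8 deny. It assumes first-match evaluation in ascending index order with an implicit deny after the last rule, and that an omitted sub-command leaves a field at the defaults shown in the output (direction Any, protocol Any, ports 0-65535, action Deny); the guest client and Internet addresses in the sample flows are made up.

```python
# Added example: build the Guest_Acl_10/8 rule set, emit WLC CLI lines
# in the syntax used in the post, and check what the ACL does to a flow.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17}   # IP protocol numbers used by "config acl rule protocol"


@dataclass
class Rule:
    index: int
    direction: str = "any"              # "in", "out" or "any" (WLC default, shown as "Any")
    src: Optional[str] = None           # "address netmask" form; None means 0.0.0.0/0.0.0.0
    dst: Optional[str] = None
    proto: str = "any"                  # "tcp", "udp" or "any"
    sport: Optional[Tuple[int, int]] = None   # None means 0-65535
    dport: Optional[Tuple[int, int]] = None
    action: str = "deny"                # WLC default action (rules 5 and 6 in the post rely on it)


def wlc_commands(acl: str, rules: List[Rule]) -> List[str]:
    """Emit the config lines for an ACL; only non-default fields get a sub-command."""
    lines = [f"config acl create {acl}"]
    for r in sorted(rules, key=lambda x: x.index):
        ref = f"{acl} {r.index}"
        lines.append(f"config acl rule add {ref}")
        if r.dport:
            lines.append(f"config acl rule destination port range {ref} {r.dport[0]} {r.dport[1]}")
        if r.dst:
            lines.append(f"config acl rule destination address {ref} {r.dst}")
        if r.sport:
            lines.append(f"config acl rule source port range {ref} {r.sport[0]} {r.sport[1]}")
        if r.src:
            lines.append(f"config acl rule source address {ref} {r.src}")
        if r.proto != "any":
            lines.append(f"config acl rule protocol {ref} {PROTO_NUM[r.proto]}")
        if r.action != "deny":
            lines.append(f"config acl rule action {ref} {r.action}")
        if r.direction != "any":
            lines.append(f"config acl rule direction {ref} {r.direction}")
    lines.append(f"config acl apply {acl}")
    return lines


def _in_net(spec: Optional[str], addr: str) -> bool:
    """True if addr falls inside the 'address netmask' spec (None matches anything)."""
    if spec is None:
        return True
    ip, mask = spec.split()
    return IPv4Address(addr) in IPv4Network(f"{ip}/{mask}", strict=False)


def _in_range(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, direction, src, dst, proto, sport, dport):
    """Return (action, rule index) of the first rule matching the flow, in ascending
    index order; no match falls through to the implicit deny (assumed WLC behaviour)."""
    for r in sorted(rules, key=lambda x: x.index):
        if r.direction != "any" and r.direction != direction:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if not (_in_net(r.src, src) and _in_net(r.dst, dst)):
            continue
        if not (_in_range(r.sport, sport) and _in_range(r.dport, dport)):
            continue
        return r.action, r.index
    return "deny", None


DNS = "10.2.249.14 255.255.255.255"
GUEST_ACL = [
    Rule(1, "in", dst=DNS, proto="udp", dport=(53, 53), action="permit"),
    Rule(2, "out", src=DNS, proto="udp", sport=(53, 53), action="permit"),
    Rule(3, "in", dst=DNS, proto="tcp", dport=(53, 53), action="permit"),
    Rule(4, "out", src=DNS, proto="tcp", sport=(53, 53), action="permit"),
    Rule(5, "in", dst="10.0.0.0 255.0.0.0"),     # default action: deny
    Rule(6, "out", src="10.0.0.0 255.0.0.0"),    # default action: deny
    Rule(7, action="permit"),                    # explicit permit-any catch-all
]

if __name__ == "__main__":
    print("\n".join(wlc_commands("Guest_Acl_10/8", GUEST_ACL)))
    # Constructed sample flows from a guest client (addresses made up for the example).
    for flow in [("in", "10.50.1.20", "10.2.249.14", "udp", 40000, 53),
                 ("in", "10.50.1.20", "10.2.249.14", "tcp", 40000, 443),
                 ("in", "10.50.1.20", "198.51.100.7", "tcp", 40000, 443)]:
        print(flow, "->", first_match(GUEST_ACL, *flow))
```

The generator issues each rule's sub-commands in a fixed order, so the per-rule line order differs from the post, but the set of lines is the same 32 rule lines plus the create and apply commands. The evaluator is the check worth keeping around: swapping rule 5 ahead of rules 1 and 3 would make the DNS flow return deny, which is exactly the kind of ordering mistake that is easy to make when pasting the same ACL into many controllers.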
1 comment:

  1. Thanks for putting this out there. I'm noticing that it is poorly documented in the config guide if you want to punch the same acl into 50 controllers quickly... sounds like cli cut and paste is the way to go.
