I wanted to write this post on how to save a little time by using template access lists that you can copy and paste into the command line of the wireless controller. In this short blog post, I'll share a couple of templates for Blackhole, Employee, Guest and Web Redirect ACLs that anyone could adapt for their own environment.
For the Employee ACL, you can download it here. The ACL will look like this:
config acl counter start
!Copy this rule as many times as you need, incrementing the rule index each time, to add additional access
config acl rule add EMPLOYEE_ACL 1
config acl rule destination port range EMPLOYEE_ACL 1 0 65535
config acl rule destination address EMPLOYEE_ACL 1 <Internal-Subnet> <Internal-Mask>
config acl rule source port range EMPLOYEE_ACL 1 0 65535
!Deny rule for certain subnets
config acl rule add EMPLOYEE_ACL 2
config acl rule destination address EMPLOYEE_ACL 2 <Subnet> <Internal-Mask>
config acl rule action EMPLOYEE_ACL 2 permit
config acl rule source port range EMPLOYEE_ACL 2 0 65535
!Deny All Rule
config acl rule add EMPLOYEE_ACL 3
config acl rule destination port range EMPLOYEE_ACL 3 0 65535
config acl rule source port range EMPLOYEE_ACL 3 0 65535
config acl create EMPLOYEE_ACL
config acl apply EMPLOYEE_ACL
For the Guest ACL, you can download it here. The ACL will look like this:
config acl counter start
!Rule to allow DNS
config acl rule add GUEST_ACL 1
config acl rule destination port range GUEST_ACL 1 53 53
config acl rule action GUEST_ACL 1 permit
config acl rule source port range GUEST_ACL 1 0 65535
config acl rule direction GUEST_ACL 1 in
config acl rule protocol GUEST_ACL 1 17
!Rule to allow ISE Redirect
config acl rule add GUEST_ACL 2
config acl rule destination port range GUEST_ACL 2 8443 8443
config acl rule destination address GUEST_ACL 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action GUEST_ACL 2 permit
config acl rule source port range GUEST_ACL 2 0 65535
config acl rule direction GUEST_ACL 2 in
config acl rule protocol GUEST_ACL 2 6
!Rule to allow traffic in for internal HTTP servers (if any)
config acl rule add GUEST_ACL 3
config acl rule destination port range GUEST_ACL 3 80 80
config acl rule destination address GUEST_ACL 3 <Internal-HTTP-Server-if-any> <Mask>
config acl rule action GUEST_ACL 3 permit
config acl rule source port range GUEST_ACL 3 0 65535
config acl rule direction GUEST_ACL 3 in
config acl rule protocol GUEST_ACL 3 6
!Rule to allow traffic out for internal HTTP servers (if any)
config acl rule add GUEST_ACL 4
config acl rule destination port range GUEST_ACL 4 0 65535
config acl rule action GUEST_ACL 4 permit
config acl rule source port range GUEST_ACL 4 80 80
config acl rule source address GUEST_ACL 4 <Internal-HTTP-Server-if-any> <Mask>
config acl rule direction GUEST_ACL 4 out
config acl rule protocol GUEST_ACL 4 6
!Rules to block the RFC 1918 address ranges. To add more rules, copy the last rule, increment the rule index by 1 for each copy, and add a rule action line if the rule should permit instead of deny
config acl rule add GUEST_ACL 5
config acl rule destination port range GUEST_ACL 5 0 65535
config acl rule destination address GUEST_ACL 5 10.0.0.0 255.0.0.0
config acl rule source port range GUEST_ACL 5 0 65535
config acl rule direction GUEST_ACL 5 in
config acl rule add GUEST_ACL 6
config acl rule destination port range GUEST_ACL 6 0 65535
config acl rule destination address GUEST_ACL 6 172.16.0.0 255.240.0.0
config acl rule source port range GUEST_ACL 6 0 65535
config acl rule direction GUEST_ACL 6 in
config acl rule add GUEST_ACL 7
config acl rule destination port range GUEST_ACL 7 0 65535
config acl rule destination address GUEST_ACL 7 192.168.0.0 255.255.0.0
config acl rule source port range GUEST_ACL 7 0 65535
config acl rule direction GUEST_ACL 7 in
!Last rules are to allow everything else.
config acl rule add GUEST_ACL 8
config acl rule destination port range GUEST_ACL 8 0 65535
config acl rule action GUEST_ACL 8 permit
config acl rule source port range GUEST_ACL 8 0 65535
config acl rule add GUEST_ACL 9
config acl rule destination port range GUEST_ACL 9 0 65535
config acl rule source port range GUEST_ACL 9 0 65535
config acl create GUEST_ACL
config acl apply GUEST_ACL
For the Web Redirect ACL, you can download it here. The ACL will look like this:
config acl counter start
!Rules to permit (not redirect) DNS in & out
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule add ACL_WEBAUTH_REDIRECT 2
config acl rule destination port range ACL_WEBAUTH_REDIRECT 2 53 53
config acl rule action ACL_WEBAUTH_REDIRECT 2 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 2 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 2 17
!Rules to permit (not redirect) DHCP in & out
config acl rule add ACL_WEBAUTH_REDIRECT 3
config acl rule destination port range ACL_WEBAUTH_REDIRECT 3 67 67
config acl rule action ACL_WEBAUTH_REDIRECT 3 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 3 68 68
config acl rule protocol ACL_WEBAUTH_REDIRECT 3 17
config acl rule add ACL_WEBAUTH_REDIRECT 4
config acl rule destination port range ACL_WEBAUTH_REDIRECT 4 68 68
config acl rule action ACL_WEBAUTH_REDIRECT 4 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 4 67 67
config acl rule protocol ACL_WEBAUTH_REDIRECT 4 17
!Rules to allow ISE direct ports
config acl rule add ACL_WEBAUTH_REDIRECT 5
config acl rule destination port range ACL_WEBAUTH_REDIRECT 5 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 5 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 5 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 5 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 5 6
config acl rule add ACL_WEBAUTH_REDIRECT 6
config acl rule destination port range ACL_WEBAUTH_REDIRECT 6 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 6 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 6 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 6 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 6 6
config acl rule add ACL_WEBAUTH_REDIRECT 7
config acl rule destination port range ACL_WEBAUTH_REDIRECT 7 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 7 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 7 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 7 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 7 6
config acl rule add ACL_WEBAUTH_REDIRECT 8
config acl rule destination port range ACL_WEBAUTH_REDIRECT 8 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 8 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 8 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 8 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 8 6
config acl rule add ACL_WEBAUTH_REDIRECT 9
config acl rule destination port range ACL_WEBAUTH_REDIRECT 9 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 9 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 9 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 9 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 9 6
config acl rule add ACL_WEBAUTH_REDIRECT 10
config acl rule destination port range ACL_WEBAUTH_REDIRECT 10 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 10 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 10 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 10 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 10 6
config acl rule add ACL_WEBAUTH_REDIRECT 11
config acl rule destination port range ACL_WEBAUTH_REDIRECT 11 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 11 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 11 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 11 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 11 6
config acl rule add ACL_WEBAUTH_REDIRECT 12
config acl rule destination port range ACL_WEBAUTH_REDIRECT 12 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 12 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 12 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 12 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 12 6
!Final deny rule that redirects everything else.
config acl rule add ACL_WEBAUTH_REDIRECT 13
config acl rule destination port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl rule source port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
For the Blackhole ACL, you can download it here. The ACL will look like this:
config acl counter start
!Allow DNS
config acl rule add BLACKHOLE 1
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule action BLACKHOLE 1 permit
config acl rule source port range BLACKHOLE 1 53 53
config acl rule protocol BLACKHOLE 1 17
config acl rule add BLACKHOLE 2
config acl rule destination port range BLACKHOLE 2 53 53
config acl rule action BLACKHOLE 2 permit
config acl rule source port range BLACKHOLE 2 0 65535
config acl rule protocol BLACKHOLE 2 17
!Allow DHCP (UDP, protocol 17)
config acl rule add BLACKHOLE 3
config acl rule destination port range BLACKHOLE 3 67 67
config acl rule action BLACKHOLE 3 permit
config acl rule source port range BLACKHOLE 3 68 68
config acl rule protocol BLACKHOLE 3 17
config acl rule add BLACKHOLE 4
config acl rule destination port range BLACKHOLE 4 68 68
config acl rule action BLACKHOLE 4 permit
config acl rule source port range BLACKHOLE 4 67 67
config acl rule protocol BLACKHOLE 4 17
!Allow redirect to Blackhole portal
config acl rule add BLACKHOLE 5
config acl rule destination port range BLACKHOLE 5 8444 8444
config acl rule destination address BLACKHOLE 5 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 5 permit
config acl rule source port range BLACKHOLE 5 0 65535
config acl rule direction BLACKHOLE 5 in
config acl rule protocol BLACKHOLE 5 6
config acl rule add BLACKHOLE 6
config acl rule destination port range BLACKHOLE 6 0 65535
config acl rule action BLACKHOLE 6 permit
config acl rule source port range BLACKHOLE 6 8444 8444
config acl rule source address BLACKHOLE 6 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 6 out
config acl rule protocol BLACKHOLE 6 6
config acl rule add BLACKHOLE 7
config acl rule destination port range BLACKHOLE 7 8444 8444
config acl rule destination address BLACKHOLE 7 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 7 permit
config acl rule source port range BLACKHOLE 7 0 65535
config acl rule direction BLACKHOLE 7 in
config acl rule protocol BLACKHOLE 7 6
config acl rule add BLACKHOLE 8
config acl rule destination port range BLACKHOLE 8 0 65535
config acl rule action BLACKHOLE 8 permit
config acl rule source port range BLACKHOLE 8 8444 8444
config acl rule source address BLACKHOLE 8 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 8 out
config acl rule protocol BLACKHOLE 8 6
!Final rule that blocks everything else
config acl rule add BLACKHOLE 9
config acl rule destination port range BLACKHOLE 9 0 65535
config acl rule source port range BLACKHOLE 9 0 65535
config acl create BLACKHOLE
config acl apply BLACKHOLE
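Hand-editing the rule index on every pasted line is where these templates go wrong: one stale index quietly rewrites an earlier rule instead of the one you meant to define. The script below is an added example, not from the original post or any Cisco tooling: it renders an AireOS-style `config acl` block from a short rule list so the indexes are assigned for you, and it checks an existing template for lines whose index does not match the most recent `rule add`. The `Rule` fields and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 65535)  # "any port" range, as used throughout the templates above

@dataclass
class Rule:
    comment: str
    action: str = "deny"                   # a rule with no action line is deny on the WLC
    protocol: Optional[int] = None         # 6 = TCP, 17 = UDP, None = any
    src: Optional[Tuple[str, str]] = None  # (address, mask)
    dst: Optional[Tuple[str, str]] = None
    sport: Tuple[int, int] = ANY
    dport: Tuple[int, int] = ANY
    direction: Optional[str] = None        # "in", "out" or None (any)

def render_acl(name: str, rules: List[Rule]) -> List[str]:
    """Emit WLC CLI lines for one ACL; rule indexes follow list order."""
    # The ACL is created first so the rule commands have an ACL to attach to.
    out = ["config acl counter start", f"config acl create {name}"]
    for i, r in enumerate(rules, start=1):
        p = "config acl rule"
        out += [f"!{r.comment}", f"{p} add {name} {i}"]
        if r.protocol is not None:
            out.append(f"{p} protocol {name} {i} {r.protocol}")
        if r.src:
            out.append(f"{p} source address {name} {i} {r.src[0]} {r.src[1]}")
        if r.dst:
            out.append(f"{p} destination address {name} {i} {r.dst[0]} {r.dst[1]}")
        out.append(f"{p} source port range {name} {i} {r.sport[0]} {r.sport[1]}")
        out.append(f"{p} destination port range {name} {i} {r.dport[0]} {r.dport[1]}")
        if r.direction:
            out.append(f"{p} direction {name} {i} {r.direction}")
        out.append(f"{p} action {name} {i} {r.action}")
    out.append(f"config acl apply {name}")
    return out

RULE_RE = re.compile(r"^config acl rule (add|action|protocol|direction|"
                     r"(?:source|destination) (?:address|port range)) (\S+) (\d+)")

def find_index_mismatches(template: str) -> List[str]:
    """Return rule lines whose index differs from the latest 'rule add' for that
    ACL: a stale index silently edits an earlier rule rather than the new one."""
    expected, bad = {}, []
    for line in template.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == "add":
            expected[m.group(2)] = int(m.group(3))
        elif m and expected.get(m.group(2)) != int(m.group(3)):
            bad.append(line.strip())
    return bad
```

Run `find_index_mismatches` over a pasted template before applying it; an empty list means every rule line references the rule it sits under.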