ISE WLC ACL Configs Through the CLI

I wanted to write this post on how to save a little time by using template access lists that you copy and paste into the command line of the wireless controller. In this small blog post, I'll share a couple of templates for Blackhole, Employee, Guest and Web Redirect ACLs which anyone could adapt for their own environment. Two things to keep in mind when editing the templates: the ACL has to be created before rules can be added to it, and a rule without a "config acl rule action ... permit" line keeps the WLC default action, which is deny.

For the Employee ACL, you can download it here. The ACL will look like this:

config acl counter start
config acl create EMPLOYEE_ACL

!Copy this rule as many times as you want and increment the rule index (the "1") for each copy to add additional access
config acl rule add EMPLOYEE_ACL 1
config acl rule destination port range EMPLOYEE_ACL 1 0 65535
config acl rule destination address EMPLOYEE_ACL 1 <Internal-Subnet> <Internal-Mask>
config acl rule source port range EMPLOYEE_ACL 1 0 65535

!Rule for certain subnets; as written it permits, remove the action line to deny (the default)
config acl rule add EMPLOYEE_ACL 2
config acl rule destination address EMPLOYEE_ACL 2 <Subnet> <Internal-Mask>
config acl rule action EMPLOYEE_ACL 2 permit
config acl rule source port range EMPLOYEE_ACL 2 0 65535

!Deny All Rule
config acl rule add EMPLOYEE_ACL 3
config acl rule destination port range EMPLOYEE_ACL 3 0 65535
config acl rule source port range EMPLOYEE_ACL 3 0 65535

config acl apply EMPLOYEE_ACL

For the Guest ACL, you can download it here. The ACL will look like this:

config acl counter start
config acl create GUEST_ACL

!Rule to allow DNS
config acl rule add GUEST_ACL 1
config acl rule destination port range GUEST_ACL 1 53 53
config acl rule action GUEST_ACL 1 permit
config acl rule source port range GUEST_ACL 1 0 65535
config acl rule direction GUEST_ACL 1 in
config acl rule protocol GUEST_ACL 1 17

!Rule to allow ISE Redirect
config acl rule add GUEST_ACL 2
config acl rule destination port range GUEST_ACL 2 8443 8443
config acl rule destination address GUEST_ACL 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action GUEST_ACL 2 permit
config acl rule source port range GUEST_ACL 2 0 65535
config acl rule direction GUEST_ACL 2 in
config acl rule protocol GUEST_ACL 2 6

!Rule to allow traffic in for internal HTTP servers (if any)
config acl rule add GUEST_ACL 3
config acl rule destination port range GUEST_ACL 3 80 80
config acl rule destination address GUEST_ACL 3 <Internal-HTTP-Server-if-any> <Mask>
config acl rule action GUEST_ACL 3 permit
config acl rule source port range GUEST_ACL 3 0 65535
config acl rule direction GUEST_ACL 3 in
config acl rule protocol GUEST_ACL 3 6

!Rule to allow traffic out for internal HTTP servers (if any)
config acl rule add GUEST_ACL 4
config acl rule destination port range GUEST_ACL 4 0 65535
config acl rule action GUEST_ACL 4 permit
config acl rule source port range GUEST_ACL 4 80 80
config acl rule source address GUEST_ACL 4 <Internal-HTTP-Server-if-any> <Mask>
config acl rule direction GUEST_ACL 4 out
config acl rule protocol GUEST_ACL 4 6

!Rules to block any RFC1918 addresses. To add more rules, copy and paste the last rule, increment the rule index by 1 for each copy, and add a rule action line if you would like the copy to permit instead of deny
config acl rule add GUEST_ACL 5
config acl rule destination port range GUEST_ACL 5 0 65535
config acl rule destination address GUEST_ACL 5 10.0.0.0 255.0.0.0
config acl rule source port range GUEST_ACL 5 0 65535
config acl rule direction GUEST_ACL 5 in

config acl rule add GUEST_ACL 6
config acl rule destination port range GUEST_ACL 6 0 65535
config acl rule destination address GUEST_ACL 6 172.16.0.0 255.240.0.0
config acl rule source port range GUEST_ACL 6 0 65535
config acl rule direction GUEST_ACL 6 in

config acl rule add GUEST_ACL 7
config acl rule destination port range GUEST_ACL 7 0 65535
config acl rule destination address GUEST_ACL 7 192.168.0.0 255.255.0.0
config acl rule source port range GUEST_ACL 7 0 65535
config acl rule direction GUEST_ACL 7 in

!Last rules: permit everything else (rule 8), followed by an explicit deny-all (rule 9) that only takes effect if rule 8 is removed
config acl rule add GUEST_ACL 8
config acl rule destination port range GUEST_ACL 8 0 65535
config acl rule action GUEST_ACL 8 permit
config acl rule source port range GUEST_ACL 8 0 65535

config acl rule add GUEST_ACL 9
config acl rule destination port range GUEST_ACL 9 0 65535
config acl rule source port range GUEST_ACL 9 0 65535

config acl apply GUEST_ACL

For the Web Redirect ACL, you can download it here. The ACL will look like this:

config acl counter start
config acl create ACL_WEBAUTH_REDIRECT

!Rules to permit (not redirect) DNS in & out
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17

config acl rule add ACL_WEBAUTH_REDIRECT 2
config acl rule destination port range ACL_WEBAUTH_REDIRECT 2 53 53
config acl rule action ACL_WEBAUTH_REDIRECT 2 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 2 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 2 17

!Rules to permit (not redirect) DHCP in & out
config acl rule add ACL_WEBAUTH_REDIRECT 3
config acl rule destination port range ACL_WEBAUTH_REDIRECT 3 67 67
config acl rule action ACL_WEBAUTH_REDIRECT 3 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 3 68 68
config acl rule protocol ACL_WEBAUTH_REDIRECT 3 17

config acl rule add ACL_WEBAUTH_REDIRECT 4
config acl rule destination port range ACL_WEBAUTH_REDIRECT 4 68 68
config acl rule action ACL_WEBAUTH_REDIRECT 4 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 4 67 67
config acl rule protocol ACL_WEBAUTH_REDIRECT 4 17

!Rules to allow ISE direct ports (8905 and 8443) to and from the ISE node
config acl rule add ACL_WEBAUTH_REDIRECT 5
config acl rule destination port range ACL_WEBAUTH_REDIRECT 5 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 5 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 5 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 5 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 5 6

config acl rule add ACL_WEBAUTH_REDIRECT 6
config acl rule destination port range ACL_WEBAUTH_REDIRECT 6 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 6 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 6 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 6 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 6 6

config acl rule add ACL_WEBAUTH_REDIRECT 7
config acl rule destination port range ACL_WEBAUTH_REDIRECT 7 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 7 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 7 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 7 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 7 6

config acl rule add ACL_WEBAUTH_REDIRECT 8
config acl rule destination port range ACL_WEBAUTH_REDIRECT 8 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 8 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 8 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 8 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 8 6

!Rules 9 to 12 repeat the ports of rules 5 to 8 as published (for example for a second ISE node, with its address in place of <Insert-ISE-IP>)
config acl rule add ACL_WEBAUTH_REDIRECT 9
config acl rule destination port range ACL_WEBAUTH_REDIRECT 9 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 9 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 9 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 9 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 9 6

config acl rule add ACL_WEBAUTH_REDIRECT 10
config acl rule destination port range ACL_WEBAUTH_REDIRECT 10 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 10 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 10 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 10 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 10 6

config acl rule add ACL_WEBAUTH_REDIRECT 11
config acl rule destination port range ACL_WEBAUTH_REDIRECT 11 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 11 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 11 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 11 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 11 6

config acl rule add ACL_WEBAUTH_REDIRECT 12
config acl rule destination port range ACL_WEBAUTH_REDIRECT 12 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 12 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 12 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 12 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 12 6

!Final deny rule that redirects everything else.
config acl rule add ACL_WEBAUTH_REDIRECT 13
config acl rule destination port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl rule source port range ACL_WEBAUTH_REDIRECT 13 0 65535

config acl apply ACL_WEBAUTH_REDIRECT

For the Blackhole ACL, you can download it here. The ACL will look like this:

config acl counter start
config acl create BLACKHOLE

!Allow DNS
config acl rule add BLACKHOLE 1
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule action BLACKHOLE 1 permit
config acl rule source port range BLACKHOLE 1 53 53
config acl rule protocol BLACKHOLE 1 17

config acl rule add BLACKHOLE 2
config acl rule destination port range BLACKHOLE 2 53 53
config acl rule action BLACKHOLE 2 permit
config acl rule source port range BLACKHOLE 2 0 65535
config acl rule protocol BLACKHOLE 2 17

!Allow DHCP (UDP, protocol 17, the same as in the Web Redirect ACL)
config acl rule add BLACKHOLE 3
config acl rule destination port range BLACKHOLE 3 67 67
config acl rule action BLACKHOLE 3 permit
config acl rule source port range BLACKHOLE 3 68 68
config acl rule protocol BLACKHOLE 3 17

config acl rule add BLACKHOLE 4
config acl rule destination port range BLACKHOLE 4 68 68
config acl rule action BLACKHOLE 4 permit
config acl rule source port range BLACKHOLE 4 67 67
config acl rule protocol BLACKHOLE 4 17

!Allow redirect to Blackhole portal (port 8444) in and out
config acl rule add BLACKHOLE 5
config acl rule destination port range BLACKHOLE 5 8444 8444
config acl rule destination address BLACKHOLE 5 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 5 permit
config acl rule source port range BLACKHOLE 5 0 65535
config acl rule direction BLACKHOLE 5 in
config acl rule protocol BLACKHOLE 5 6

config acl rule add BLACKHOLE 6
config acl rule destination port range BLACKHOLE 6 0 65535
config acl rule action BLACKHOLE 6 permit
config acl rule source port range BLACKHOLE 6 8444 8444
config acl rule source address BLACKHOLE 6 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 6 out
config acl rule protocol BLACKHOLE 6 6

!Rules 7 and 8 repeat rules 5 and 6 as published (for example for a second ISE node, with its address in place of <ISE-IP-Address>)
config acl rule add BLACKHOLE 7
config acl rule destination port range BLACKHOLE 7 8444 8444
config acl rule destination address BLACKHOLE 7 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 7 permit
config acl rule source port range BLACKHOLE 7 0 65535
config acl rule direction BLACKHOLE 7 in
config acl rule protocol BLACKHOLE 7 6

config acl rule add BLACKHOLE 8
config acl rule destination port range BLACKHOLE 8 0 65535
config acl rule action BLACKHOLE 8 permit
config acl rule source port range BLACKHOLE 8 8444 8444
config acl rule source address BLACKHOLE 8 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 8 out
config acl rule protocol BLACKHOLE 8 6

!Final rule that blocks everything else (no action line, so the default deny applies)
config acl rule add BLACKHOLE 9
config acl rule destination port range BLACKHOLE 9 0 65535
config acl rule source port range BLACKHOLE 9 0 65535

config acl apply BLACKHOLE
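Hand-incrementing rule indexes in all four templates above is where copy-and-paste mistakes creep in (an address line that still carries the previous rule's index, an address without its mask, or a forgotten action line that silently turns a rule into a deny). The following Python script is an added example, not code from the original post or its downloads: it renders an ACL block in the same "config acl ..." syntax from a list of rule objects, assigning the indexes itself, and lints a pasted block for the mistakes just named. The Guest-style rule set and the ISE address 198.51.100.10 are constructed sample data; "Rule", "render_acl" and "lint_acl" are names chosen here.

```python
"""Generate and lint AireOS WLC ACL command blocks.

Added example for this post, not code from the original. It assumes the
`config acl ...` syntax used by the templates above. The rule set and the
ISE address 198.51.100.10 are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"any": None, "tcp": 6, "udp": 17}
ANY = (0, 65535)


@dataclass
class Rule:
    action: str = "deny"              # WLC default when no action line is written
    protocol: str = "any"
    src: Optional[str] = None         # "<ip> <mask>"
    dst: Optional[str] = None
    sport: Tuple[int, int] = ANY
    dport: Tuple[int, int] = ANY
    direction: Optional[str] = None   # "in", "out" or None for any
    comment: str = ""


def render_acl(name: str, rules: List[Rule]) -> List[str]:
    """Emit one ACL; indexes are assigned here so copy-paste increments cannot drift."""
    out = ["config acl counter start", f"config acl create {name}"]
    for i, r in enumerate(rules, start=1):
        if r.comment:
            out.append(f"!{r.comment}")
        out.append(f"config acl rule add {name} {i}")
        out.append(f"config acl rule destination port range {name} {i} {r.dport[0]} {r.dport[1]}")
        if r.dst:
            out.append(f"config acl rule destination address {name} {i} {r.dst}")
        if r.action == "permit":      # deny is the default, so only permit is written
            out.append(f"config acl rule action {name} {i} permit")
        out.append(f"config acl rule source port range {name} {i} {r.sport[0]} {r.sport[1]}")
        if r.src:
            out.append(f"config acl rule source address {name} {i} {r.src}")
        if r.direction:
            out.append(f"config acl rule direction {name} {i} {r.direction}")
        if PROTO[r.protocol] is not None:
            out.append(f"config acl rule protocol {name} {i} {PROTO[r.protocol]}")
    out.append(f"config acl apply {name}")
    return out


SUBCMDS = ("add", "action", "direction", "protocol", "destination port range",
           "destination address", "source port range", "source address")


def lint_acl(lines: List[str]) -> List[str]:
    """Check a pasted block: each rule index must be declared with `add` before
    it is used, and address lines need both an IP and a mask.
    Returns human-readable findings; an empty list means the block is clean."""
    findings, declared = [], set()
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line.startswith("config acl rule "):
            continue                  # counter/create/apply lines carry no index
        rest = line[len("config acl rule "):]
        sub = next((s for s in SUBCMDS if rest.startswith(s + " ")), None)
        parts = rest[len(sub) + 1:].split() if sub else []
        if sub is None or len(parts) < 2:
            findings.append(f"line {n}: unrecognised rule line: {line}")
            continue
        name, idx, params = parts[0], parts[1], parts[2:]
        if sub == "add":
            declared.add((name, idx))
        elif (name, idx) not in declared:
            findings.append(f"line {n}: rule {name} {idx} used before 'config acl rule add {name} {idx}'")
        if sub.endswith("address") and len(params) != 2:
            findings.append(f"line {n}: '{sub}' needs '<ip> <mask>', got: {' '.join(params) or 'nothing'}")
    return findings


ISE = "198.51.100.10 255.255.255.255"   # constructed sample ISE address + host mask
GUEST_RULES = [
    Rule("permit", "udp", dport=(53, 53), direction="in", comment="Allow DNS"),
    Rule("permit", "tcp", dst=ISE, dport=(8443, 8443), direction="in", comment="Allow ISE redirect"),
    Rule(dst="10.0.0.0 255.0.0.0", direction="in", comment="Block RFC1918"),
    Rule(dst="172.16.0.0 255.240.0.0", direction="in"),
    Rule(dst="192.168.0.0 255.255.0.0", direction="in"),
    Rule("permit", comment="Permit everything else"),
]

if __name__ == "__main__":
    block = render_acl("GUEST_ACL", GUEST_RULES)
    print("\n".join(block))
    for finding in lint_acl(block):
        print("LINT:", finding)
```

Run it to print a ready-to-paste GUEST_ACL block; running lint_acl over a template you edited by hand (one line per list entry) reports any address line whose index was never declared with "config acl rule add" and any address that lacks its mask, which is exactly the kind of slip a visual review of a long template tends to miss.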