Blank ACL required?

Oct 15th, 2007

Hi,


I have had a guest VLAN running for a few weeks and today after a scheduled reload of our systems we had a wireless problem.


Our configuration has clients authenticate on the WLC web portal, after which they have access to the Internet only. This access is controlled with an ACL on the core switch.


The only change to the system that we know of is that the WLC was reloaded over the weekend, and then this morning users are unable to access the net, although they get an IP from DHCP.


After some troubleshooting I suspected an ACL, so I took out the ACL on the core switch, to no effect. So I looked at the WLC, and I found an unused ACL that I created a few weeks ago - I verified that both our WLANs have no ACL configured (in pre-auth and in override ACL) but I wasn't able to remove the ACL totally as the system says "Error! ACL is in use".


So I created an ACL on the WLC for open access, and applied it to the guest WLAN, and users were then able to have access.


I suspect that somehow the WLC was applying this old ACL, even though the interface did not display this. This is going to be a bit of a tricky one to reproduce, but I'll try when I get some time and then I will report it to TAC.


Paul

paul@iosecure.com Wed, 10/24/2007 - 22:20

I've opened a TAC case, as after examination I've found that despite the fact that the ACL is not configured in the web administration tool, it IS configured on the CLI:


interface acl WLAN Student_Internet_Access_Only


Does anyone know the syntax to remove a configuration line in the CLI? It isn't "unset" or "no", and I can't seem to find much documentation on the CLI syntax.


Thanks!

Paul

Scott Fella Thu, 10/25/2007 - 04:34

Here you go: >config acl rule delete WLAN Student_Internet_Access_Only


http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40sol.html#wp1104798

paul@iosecure.com Fri, 10/26/2007 - 09:33

I believe this will only delete an individual rule in the ACL.


Even in the CLI I get the error message "Error! ACL is in use", which confirms the system's behavior: the ACL is in fact in use.


It seems pretty clear, I have to take the ACL out of use before I can remove it - but unfortunately the web management tools report that there is no ACL configured for any interface.


The CLI disagrees:

interface acl WLAN Student_Internet_Access_Only


What I suspect is required, is a way to remove the above line - but there seems to be no syntax to do this.


(QCA-WLC1) >config interface ?

    acl           Configures an interface's Access Control List.
    address       Configures an interface's address information.
    ap-manager    Disables AP Manager features on a dynamic interface.
    create        Adds a new dynamic interface.
    delete        Deletes a dynamic interface.
    dhcp          Configures DHCP options on an interface.
    hostname      Configures the virtual interface's virtual DNS host name.
    port          Assign interface to physical port.
    vlan          Configures an interface's VLAN Identifier.
    quarantine    Configure quarantine vlan

(QCA-WLC1) >config interface acl ?

    ap-manager    Configures the AP Manager interface.
    management    Configures the management interface.
    Enter interface name.

(QCA-WLC1) >config interface delete ?

    Enter interface name.


Paul

Scott Fella Fri, 10/26/2007 - 10:06

ACLs can be configured on the interface or on the SSID.

paul@iosecure.com Fri, 10/26/2007 - 10:28

That would seem to be true.


(QCA-WLC1) >config wlan acl 2 ?

    Enter the ACL Name ('none' will clear the ACL)

(QCA-WLC1) >config interface acl INTNAME ?

    Enter the ACL Name up to 32 alphanumeric characters


But the syntax for 'config wlan acl' is interesting. Maybe it would work on the interface, even though the inline help doesn't describe it.


I tried this:

config interface acl INTNAME none


But it throws an error saying the WLAN must be disabled first. I'll try this later today after everyone is offline.

paul@iosecure.com Fri, 11/02/2007 - 00:34
User Badges:

That seems to have done it. I'll do more tests on Monday but hopefully this is taken care of.


I did this:


config wlan disable 2

config interface acl INTNAME none

config acl delete ACLNAME


I'm going to report this to the TAC as a bug in the inline documentation.
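
The three-step sequence above (disable the WLAN, clear the interface ACL reference, then delete the ACL) is easy to get wrong when the GUI hides where the ACL is bound. The following is an added example, not code from this thread or from Cisco: a small Python audit script that reads a saved copy of the controller's "show run-config commands" output, lists every interface and WLAN still referencing an ACL, and emits the release sequence in the order the controller requires. The "interface acl <interface> <acl>" line form is the one the poster quoted from his CLI; the "wlan acl", "wlan interface" and "wlan enable" line forms, the SAMPLE_RUN_CONFIG text, and the interface/WLAN names in it are constructed assumptions for illustration, so check them against your own controller's output before relying on the parse.

```python
import re
from collections import defaultdict

# Constructed sample in the style of WLC "show run-config commands" output.
# Only the "interface acl WLAN Student_Internet_Access_Only" line mirrors the
# form quoted in the thread; the other lines are assumed forms for illustration.
SAMPLE_RUN_CONFIG = """\
interface create WLAN 20
interface address WLAN 10.20.0.5 255.255.255.0 10.20.0.1
interface acl WLAN Student_Internet_Access_Only
interface acl management none
wlan create 1 Staff Staff
wlan interface 1 management
wlan create 2 Guest Guest
wlan interface 2 WLAN
wlan acl 2 none
wlan enable 1
wlan enable 2
"""

INTERFACE_ACL = re.compile(r"^interface acl (\S+) (\S+)$")   # from the thread
WLAN_ACL = re.compile(r"^wlan acl (\d+) (\S+)$")              # assumed form
WLAN_INTERFACE = re.compile(r"^wlan interface (\d+) (\S+)$")  # assumed form
WLAN_ENABLE = re.compile(r"^wlan enable (\d+)$")              # assumed form


def parse_run_config(text):
    """Return (interface->acl, wlan_id->acl, wlan_id->interface, enabled wlan ids)."""
    iface_acl, wlan_acl, wlan_iface, enabled = {}, {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := INTERFACE_ACL.match(line)):
            iface_acl[m.group(1)] = m.group(2)
        elif (m := WLAN_ACL.match(line)):
            wlan_acl[int(m.group(1))] = m.group(2)
        elif (m := WLAN_INTERFACE.match(line)):
            wlan_iface[int(m.group(1))] = m.group(2)
        elif (m := WLAN_ENABLE.match(line)):
            enabled.add(int(m.group(1)))
    return iface_acl, wlan_acl, wlan_iface, enabled


def acl_consumers(text):
    """Map each ACL name to the ('interface', name) / ('wlan', id) entries that
    still reference it. This is the answer to 'Error! ACL is in use': whatever
    appears here must be cleared before 'config acl delete' will succeed."""
    iface_acl, wlan_acl, _, _ = parse_run_config(text)
    users = defaultdict(list)
    for iface, acl in iface_acl.items():
        if acl.lower() != "none":
            users[acl].append(("interface", iface))
    for wid, acl in wlan_acl.items():
        if acl.lower() != "none":
            users[acl].append(("wlan", wid))
    return dict(users)


def release_commands(text, acl_name):
    """CLI sequence that frees and deletes acl_name: disable the WLANs that would
    block the change, clear every reference, delete the ACL, re-enable the WLANs."""
    iface_acl, wlan_acl, wlan_iface, enabled = parse_run_config(text)
    ifaces = [i for i, a in iface_acl.items() if a == acl_name]
    wlans = [w for w, a in wlan_acl.items() if a == acl_name]
    # The controller refuses 'config interface acl <int> none' while a WLAN bound
    # to that interface is enabled, so those WLANs (and any WLAN carrying the ACL
    # directly) are disabled first and re-enabled at the end.
    affected = {w for w, i in wlan_iface.items() if i in ifaces} | set(wlans)
    to_disable = sorted(w for w in affected if w in enabled)
    cmds = [f"config wlan disable {w}" for w in to_disable]
    cmds += [f"config interface acl {i} none" for i in ifaces]
    cmds += [f"config wlan acl {w} none" for w in wlans]
    cmds.append(f"config acl delete {acl_name}")
    cmds += [f"config wlan enable {w}" for w in to_disable]
    return cmds


if __name__ == "__main__":
    for acl, refs in acl_consumers(SAMPLE_RUN_CONFIG).items():
        print(f"{acl}: {refs}")
    print("\n".join(release_commands(SAMPLE_RUN_CONFIG, "Student_Internet_Access_Only")))
```

Run it against a file captured from the controller rather than trusting the GUI's per-WLAN view: the whole point of the thread is that the web interface reported no ACL while the configuration still carried "interface acl WLAN Student_Internet_Access_Only", and a text-level audit of the running configuration is what exposed it.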

Scott Fella Fri, 11/02/2007 - 18:35

Well keep us posted!

paul@iosecure.com Mon, 11/05/2007 - 15:29

The problem is fixed. This did it!


Why the ACL was applied but not showing up in the web management tool is still a mystery, but at least there is a fix.
