Blank ACL required?

Unanswered Question


I have had a guest VLAN running for a few weeks and today after a scheduled reload of our systems we had a wireless problem.

Our configuration has clients authentication on the WLC web portal, and then have access to Internet only. This access is controlled with an ACL on the core switch.

The only change to the system that we know of is that the WLC was reloaded over the weekend, and then this morning users are unable to access the net, although they get an IP from DHCP.

After some troubleshooting I suspected an ACL, so I took out the ACL on the core switch, to no effect. So I looked at the WLC, and I found an unused ACL that I created a few weeks ago - I verified that both our WLANs have no ACL configued (in pre-auth and in override ACL) but I wasn't able to remove the ACL totally as the system says "Error! ACL is in use".

So I created an ACL on the WCL for open access, and applied it to the guest WLAN and users were then able to have access.

I suspect that somehow the WLC was applying this old ACL, even though the interface did not display this. This is going to be a bit of a tricky one to reproduce, but I'll try when I get some time and then I will report it to TAC.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

I've opened a TAC case, as after examination I've found that despite the fact that the ACL is not configured in the web administration tool, it IS configured on the CLI:

interface acl WLAN Student_Internet_Access_Only

Does anyone know the syntax to remove a configuration line in the CLI? It isn't "unset" or "no", and I can't seem to find much documentation on the CLI syntax.



I believe this will only delete an individual rule in the ACL.

Even in the CLI I get the error message "Error! ACL is in use" which confirms the systems behavior, that the ACL is in fact in use.

It seems pretty clear, I have to take the ACL out of use before I can remove it - but unfortunately the web management tools report that there is no ACL configured for any interface.

The CLI disagrees:

interface acl WLAN Student_Internet_Access_Only

What I suspect is required, is a way to remove the above line - but there seems to be no syntax to do this.

(QCA-WLC1) >config interface ?

acl Configures an interface's Access Control List.

address Configures an interface's address information.

ap-manager Disables AP Manager features on a dynamic


create Adds a new dynamic interface.

delete Deletes a dynamic interface.

dhcp Configures DHCP options on an interface.

hostname Configures the virtual interface's virtual DNS

host name.

port Assign interface to physical port.

vlan Configures an interface's VLAN Identifier.

quarantine Configure quarantine vlan

(QCA-WLC1) >config interface acl ?

ap-manager Configures the AP Manager interface.

management Configures the management interface.

Enter interface name.

(QCA-WLC1) >config interface delete ?

Enter interface name.


That would seem to be true.

(QCA-WLC1) >config wlan acl 2 ?

Enter the ACL Name ('none' will clear the ACL)

(QCA-WLC1) >config interface acl INTNAME ?

Enter the ACL Name up to 32 alphanumeric characters

But interesting the syntax for 'config wlan acl'. Maybe it would work on the interface, even though the inline help doesn't describe it.

I tried this:

config interface acl INTNAME none

But it throws an error saying the WLAN must be disabled first. I'll try this later today after everyone is offline.


This Discussion



Trending Topics - Security & Network