
Cisco ISE and WLC Access-List Design/Scalability

CSCO10675262_2
Level 1

Hi,

I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which allows only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead. I have illustrated the setup below for reference:


User group 1 -- Apply ACL 1 -- On Vlan 1

User group 2 -- Apply ACL 2 -- On Vlan 1

User group 3 -- Apply ACL 3 -- On Vlan 1


The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.

Any suggestion is appreciated.


Thanks.

Accepted Solution

nspasov
Cisco Employee

Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html

The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.

Overall, I see three ways to overcome your current issue:

1. Shrink the ACLs by making them less specific

2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there

3. Use SGT/SGA

Hope this helps!


Thank you for rating helpful posts!

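Option 1 above (shrinking the ACLs) can be checked mechanically before a per-group ACL is pushed from ISE to the WLC. The following is an added example, not code from the thread or from Cisco: it summarises contiguous destination prefixes within runs of same-action entries so the first-match result is unchanged, and reports whether the result fits the 64-entry limit quoted in the question. The `Ace` structure and the sample ACL are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

WLC_MAX_ACES = 64  # per-ACL entry limit cited in the thread (AireOS WLC)
N = ipaddress.ip_network

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp"
    dst: ipaddress.IPv4Network  # destination prefix (source assumed "any")
    dport: str                  # destination port as text, or "any"

def collapse_aces(aces):
    """Return an equivalent, usually shorter, ACE list.

    Consecutive entries with the same action are merged per (proto, dport)
    with ipaddress.collapse_addresses; reordering inside such a run cannot
    change the first-match result. A run never crosses an entry with the
    other action, so a deny sitting between permits keeps its place.
    """
    out, i = [], 0
    while i < len(aces):
        action, j = aces[i].action, i
        while j < len(aces) and aces[j].action == action:
            j += 1
        groups = {}  # dict keeps insertion order
        for a in aces[i:j]:
            groups.setdefault((a.proto, a.dport), []).append(a.dst)
        for (proto, dport), nets in groups.items():
            for net in ipaddress.collapse_addresses(nets):
                out.append(Ace(action, proto, net, dport))
        i = j
    return out

def fits_wlc(aces):
    """True when the ACL is within the WLC's per-ACL entry limit."""
    return len(aces) <= WLC_MAX_ACES

# Constructed sample: one user group's ACL with contiguous /24s that summarise.
SAMPLE = [
    Ace("deny", "tcp", N("10.10.2.0/24"), "22"),  # must stay ahead of the permits
    Ace("permit", "tcp", N("10.10.0.0/24"), "443"),
    Ace("permit", "tcp", N("10.10.1.0/24"), "443"),
    Ace("permit", "tcp", N("10.10.2.0/24"), "443"),
    Ace("permit", "tcp", N("10.10.3.0/24"), "443"),
    Ace("permit", "udp", N("10.20.5.0/24"), "53"),  # 5.0 and 6.0 are not a /23 pair
    Ace("permit", "udp", N("10.20.6.0/24"), "53"),
    Ace("deny", "ip", N("0.0.0.0/0"), "any"),
]
```

Running `collapse_aces(SAMPLE)` reduces the eight entries to five; the four contiguous HTTPS /24s become one /22 while the odd/even DNS pair and the leading deny are left alone.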

3 Replies

Hi,

Apologies for the late reply, and I appreciate the information. We have decided to make use of the L3 interface, with minimal ACLs remaining on the WLC via the ISE (guest ACLs/shared user-group ACLs).


Thanks

No worries! Glad I could help! :)