New Member

Cisco ISE and WLC Access-List Design/Scalability

Hi,

I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which is limited to only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:


User group 1 -- Apply ACL 1 --On Vlan 1 

User group 2 -- Apply ACL 2 -- On Vlan 1

User group 3 -- Apply ACL 3 -- On Vlan 1


The problem is only seen for wireless users; it is not seen on wired users, as the ACLs may be applied successfully without any limitation on the switches.

Any suggestion is appreciated.


Thanks.

Accepted Solutions
Cisco Employee

Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html

The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.

Overall, I see three ways to overcome your current issue:

1. Shrink the ACLs by making them less specific

2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there

3. Use SGT/SGA

Hope this helps!


Thank you for rating helpful posts!
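As an added illustration of option 1 (shrinking the ACLs), and not code from the thread or from Cisco: a small Python checker that counts the entries in a simplified ACL listing, collapses runs of consecutive entries that differ only in their source prefix, and reports whether the result fits the 64-entry WLC limit mentioned above. The ACE syntax, the `WLC_MAX_ACES` constant and the sample ACL are constructed for this example.

```python
import ipaddress
import re

# Per-ACL entry ceiling reported for the AireOS WLC in the thread above.
WLC_MAX_ACES = 64

# Simplified ACE syntax (constructed here, not WLC/ISE native):
# <permit|deny> <proto> <src-prefix> <dst-prefix> [eq <port>]
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_acl(text):
    """Parse ACE lines into (action, proto, src, dst, port) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable ACE: {line!r}")
        aces.append((m["action"], m["proto"], ipaddress.ip_network(m["src"]),
                     ipaddress.ip_network(m["dst"]), m["port"]))
    return aces

def collapse_runs(aces):
    """Merge consecutive ACEs that differ only in source prefix.
    Order inside a run of identical action/proto/dst/port cannot change the
    verdict, and collapse_addresses() adds no new addresses, so meaning holds."""
    out, i = [], 0
    while i < len(aces):
        action, proto, _, dst, port = aces[i]
        j, srcs = i, []
        while j < len(aces) and aces[j][0] == action and aces[j][1] == proto \
                and aces[j][3] == dst and aces[j][4] == port:
            srcs.append(aces[j][2])
            j += 1
        out.extend((action, proto, net, dst, port)
                   for net in ipaddress.collapse_addresses(srcs))
        i = j
    return out

def check_acl(text):
    """Return (original ACE count, collapsed ACE count, fits_in_wlc_limit)."""
    aces = parse_acl(text)
    collapsed = collapse_runs(aces)
    return len(aces), len(collapsed), len(collapsed) <= WLC_MAX_ACES

# Constructed sample: 128 per-host permits to one server, then a catch-all deny.
SAMPLE_ACL = "\n".join(
    f"permit tcp {h} 10.9.0.10/32 eq 443"
    for h in ipaddress.ip_network("10.3.0.0/25").subnets(new_prefix=32)
) + "\ndeny ip 10.3.0.0/25 10.9.0.0/24"
```

Running `check_acl(SAMPLE_ACL)` returns `(129, 2, True)`: the 128 host entries exceed the limit as written but collapse to a single /25 permit plus the deny. Entries that differ in action, protocol, destination or port are never merged, so the collapsed ACL evaluates identically.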

3 REPLIES

New Member

Hi,

Apologies for the late reply, and I appreciate the information. We have decided to make use of the L3 interface, with minimal ACLs remaining on the WLC via the ISE (guest ACLs/shared user-group ACLs).


Thanks

Cisco Employee

No worries! Glad I could help! :)
