ISE WLC ACL configuration via the CLI

I wanted to write this post to show how to save some time by copying and pasting ACLs into the wireless controller's command line using template access lists. In this short post I will share a few templates for the Blackhole, Employee, Guest and Web Redirect ACLs that anyone can use in their own environment.

For the Employee ACL, you can download it here. The ACL will look like this:

config acl counter start

! Copy and increment the highlighted portion (the rule number) as many times as needed to add additional access
config acl rule add EMPLOYEE_ACL 1
config acl rule destination port range EMPLOYEE_ACL 1 0 65535
config acl rule destination address EMPLOYEE_ACL 1 <Internal-Subnet> <Internal-Mask>
config acl rule source port range EMPLOYEE_ACL 1 0 65535

! Rule to deny certain subnets
config acl rule add EMPLOYEE_ACL 2
config acl rule destination address EMPLOYEE_ACL 2 <Subnet> <Internal-Mask>
config acl rule action EMPLOYEE_ACL 2 permit
config acl rule source port range EMPLOYEE_ACL 2 0 65535

! Deny-all rule (no action line, so the WLC default action of deny applies)
config acl rule add EMPLOYEE_ACL 3
config acl rule destination port range EMPLOYEE_ACL 3 0 65535
config acl rule source port range EMPLOYEE_ACL 3 0 65535

config acl create EMPLOYEE_ACL
config acl apply EMPLOYEE_ACL


For the Guest ACL, you can download it here. The ACL will look like this:

config acl counter start

! Rule to permit DNS
config acl rule add GUEST_ACL 1
config acl rule destination port range GUEST_ACL 1 53 53
config acl rule action GUEST_ACL 1 permit
config acl rule source port range GUEST_ACL 1 0 65535
config acl rule direction GUEST_ACL 1 in
config acl rule protocol GUEST_ACL 1 17

! Rule to permit the ISE redirect (host mask on the ISE address)
config acl rule add GUEST_ACL 2
config acl rule destination port range GUEST_ACL 2 8443 8443
config acl rule destination address GUEST_ACL 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action GUEST_ACL 2 permit
config acl rule source port range GUEST_ACL 2 0 65535
config acl rule direction GUEST_ACL 2 in
config acl rule protocol GUEST_ACL 2 6

! Rule to permit traffic to an internal HTTP server (if any)
config acl rule add GUEST_ACL 3
config acl rule destination port range GUEST_ACL 3 80 80
config acl rule destination address GUEST_ACL 3 <Internal-HTTP-Server-if-any> 255.255.255.255
config acl rule action GUEST_ACL 3 permit
config acl rule source port range GUEST_ACL 3 0 65535
config acl rule direction GUEST_ACL 3 in
config acl rule protocol GUEST_ACL 3 6

! Rule to permit traffic out from the internal HTTP server (if any)
config acl rule add GUEST_ACL 4
config acl rule destination port range GUEST_ACL 4 0 65535
config acl rule action GUEST_ACL 4 permit
config acl rule source port range GUEST_ACL 4 80 80
config acl rule source address GUEST_ACL 4 <Internal-HTTP-Server-if-any> 255.255.255.255
config acl rule direction GUEST_ACL 4 out
config acl rule protocol GUEST_ACL 4 6

! Rules to deny any RFC1918 address. If you want to add more rules, copy and paste the last rule, increment the highlighted portion (the rule number) by 1 for each rule, and add a line for the rule action if it should permit
config acl rule add GUEST_ACL 5
config acl rule destination port range GUEST_ACL 5 0 65535
config acl rule destination address GUEST_ACL 5 10.0.0.0 255.0.0.0
config acl rule source port range GUEST_ACL 5 0 65535
config acl rule direction GUEST_ACL 5 in

config acl rule add GUEST_ACL 6
config acl rule destination port range GUEST_ACL 6 0 65535
config acl rule destination address GUEST_ACL 6 172.16.0.0 255.240.0.0
config acl rule source port range GUEST_ACL 6 0 65535
config acl rule direction GUEST_ACL 6 in

config acl rule add GUEST_ACL 7
config acl rule destination port range GUEST_ACL 7 0 65535
config acl rule destination address GUEST_ACL 7 192.168.0.0 255.255.0.0
config acl rule source port range GUEST_ACL 7 0 65535
config acl rule direction GUEST_ACL 7 in

! The final rule is to permit everything else
config acl rule add GUEST_ACL 8
config acl rule destination port range GUEST_ACL 8 0 65535
config acl rule action GUEST_ACL 8 permit
config acl rule source port range GUEST_ACL 8 0 65535

! Deny-all rule (no action line, so the WLC default action of deny applies)
config acl rule add GUEST_ACL 9
config acl rule destination port range GUEST_ACL 9 0 65535
config acl rule source port range GUEST_ACL 9 0 65535

config acl create GUEST_ACL
config acl apply GUEST_ACL
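The templates above are built by copying a rule block and incrementing its number by hand, which is where most paste errors come from. The following is an added example, not code from the original post: it generates the Guest ACL command block from a compact rule list, numbering the rules and emitting the lines in the same order the templates use. It assumes the WLC default action is deny when no action line is given (as the templates rely on), and the ISE and HTTP-server addresses it is called with are constructed sample values.

```python
# Added example (not from the original post): generate the WLC ACL command
# blocks from a compact rule list, so rule numbers are assigned automatically
# instead of being copied and incremented by hand.

RFC1918 = [("10.0.0.0", "255.0.0.0"),          # the three ranges denied in the Guest ACL
           ("172.16.0.0", "255.240.0.0"),
           ("192.168.0.0", "255.255.0.0")]

def rule_cmds(acl, n, r):
    """Emit the 'config acl rule ...' lines for one rule, in the order the templates
    use. Keys absent from r fall back to the WLC defaults: any port, any address,
    any direction, any protocol, and action deny (no action line is emitted)."""
    c = [f"config acl rule add {acl} {n}"]
    lo, hi = r.get("dst_port", (0, 65535))
    c.append(f"config acl rule destination port range {acl} {n} {lo} {hi}")
    if "dst" in r:
        c.append(f"config acl rule destination address {acl} {n} {r['dst'][0]} {r['dst'][1]}")
    if r.get("action") == "permit":
        c.append(f"config acl rule action {acl} {n} permit")
    lo, hi = r.get("src_port", (0, 65535))
    c.append(f"config acl rule source port range {acl} {n} {lo} {hi}")
    if "src" in r:
        c.append(f"config acl rule source address {acl} {n} {r['src'][0]} {r['src'][1]}")
    if "direction" in r:
        c.append(f"config acl rule direction {acl} {n} {r['direction']}")
    if "proto" in r:
        c.append(f"config acl rule protocol {acl} {n} {r['proto']}")
    return c

def build_acl(acl, rules):
    """Number the rules 1..N and wrap them in counter start / create / apply."""
    out = ["config acl counter start"]
    for n, r in enumerate(rules, 1):
        out += rule_cmds(acl, n, r)
    return out + [f"config acl create {acl}", f"config acl apply {acl}"]

def guest_acl(ise_ip, http_server=None):
    """The Guest template: DNS, ISE redirect on 8443, optional internal web
    server in and out, deny RFC1918, permit everything else, final deny."""
    ise = (ise_ip, "255.255.255.255")
    rules = [dict(dst_port=(53, 53), action="permit", direction="in", proto=17),
             dict(dst_port=(8443, 8443), dst=ise, action="permit", direction="in", proto=6)]
    if http_server:  # rules 3 and 4 of the template, only when a server exists
        srv = (http_server, "255.255.255.255")
        rules += [dict(dst_port=(80, 80), dst=srv, action="permit", direction="in", proto=6),
                  dict(src_port=(80, 80), src=srv, action="permit", direction="out", proto=6)]
    rules += [dict(dst=net, direction="in") for net in RFC1918]  # no action line: deny
    rules += [dict(action="permit"), dict()]                     # permit all, then deny all
    return build_acl("GUEST_ACL", rules)
```

Calling `print("\n".join(guest_acl("192.0.2.10", "10.1.1.5")))` with those constructed addresses prints a block that pastes straight into the controller CLI; drop the second argument and the RFC1918 rules are renumbered 3 to 5 automatically.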

For the Web Redirect ACL, you can download it here. The ACL will look like this:

config acl counter start

! Rules to permit (not redirect) DNS in & out
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17

config acl rule add ACL_WEBAUTH_REDIRECT 2
config acl rule destination port range ACL_WEBAUTH_REDIRECT 2 53 53
config acl rule action ACL_WEBAUTH_REDIRECT 2 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 2 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 2 17

! Rules to permit (not redirect) DHCP in & out
config acl rule add ACL_WEBAUTH_REDIRECT 3
config acl rule destination port range ACL_WEBAUTH_REDIRECT 3 67 67
config acl rule action ACL_WEBAUTH_REDIRECT 3 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 3 68 68
config acl rule protocol ACL_WEBAUTH_REDIRECT 3 17

config acl rule add ACL_WEBAUTH_REDIRECT 4
config acl rule destination port range ACL_WEBAUTH_REDIRECT 4 68 68
config acl rule action ACL_WEBAUTH_REDIRECT 4 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 4 67 67
config acl rule protocol ACL_WEBAUTH_REDIRECT 4 17

! Rules to permit the ISE direct ports (8905 and 8443) in both directions
config acl rule add ACL_WEBAUTH_REDIRECT 5
config acl rule destination port range ACL_WEBAUTH_REDIRECT 5 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 5 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 5 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 5 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 5 6

config acl rule add ACL_WEBAUTH_REDIRECT 6
config acl rule destination port range ACL_WEBAUTH_REDIRECT 6 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 6 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 6 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 6 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 6 6

config acl rule add ACL_WEBAUTH_REDIRECT 7
config acl rule destination port range ACL_WEBAUTH_REDIRECT 7 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 7 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 7 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 7 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 7 6

config acl rule add ACL_WEBAUTH_REDIRECT 8
config acl rule destination port range ACL_WEBAUTH_REDIRECT 8 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 8 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 8 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 8 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 8 6

config acl rule add ACL_WEBAUTH_REDIRECT 9
config acl rule destination port range ACL_WEBAUTH_REDIRECT 9 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 9 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 9 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 9 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 9 6

config acl rule add ACL_WEBAUTH_REDIRECT 10
config acl rule destination port range ACL_WEBAUTH_REDIRECT 10 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 10 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 10 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 10 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 10 6

config acl rule add ACL_WEBAUTH_REDIRECT 11
config acl rule destination port range ACL_WEBAUTH_REDIRECT 11 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 11 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 11 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 11 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 11 6

config acl rule add ACL_WEBAUTH_REDIRECT 12
config acl rule destination port range ACL_WEBAUTH_REDIRECT 12 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 12 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 12 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 12 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 12 6

! The final deny rule will redirect everything else
config acl rule add ACL_WEBAUTH_REDIRECT 13
config acl rule destination port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl rule source port range ACL_WEBAUTH_REDIRECT 13 0 65535

config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT


For the Blackhole ACL, you can download it here. The ACL will look like this:

config acl counter start

! Permit DNS
config acl rule add BLACKHOLE 1
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule action BLACKHOLE 1 permit
config acl rule source port range BLACKHOLE 1 53 53
config acl rule protocol BLACKHOLE 1 17

config acl rule add BLACKHOLE 2
config acl rule destination port range BLACKHOLE 2 53 53
config acl rule action BLACKHOLE 2 permit
config acl rule source port range BLACKHOLE 2 0 65535
config acl rule protocol BLACKHOLE 2 17

! Permit DHCP (UDP, protocol 17, as in the Web Redirect ACL; TCP would never match DHCP)
config acl rule add BLACKHOLE 3
config acl rule destination port range BLACKHOLE 3 67 67
config acl rule action BLACKHOLE 3 permit
config acl rule source port range BLACKHOLE 3 68 68
config acl rule protocol BLACKHOLE 3 17

config acl rule add BLACKHOLE 4
config acl rule destination port range BLACKHOLE 4 68 68
config acl rule action BLACKHOLE 4 permit
config acl rule source port range BLACKHOLE 4 67 67
config acl rule protocol BLACKHOLE 4 17

! Permit the redirect to the Blackhole portal (host mask on the ISE address)
config acl rule add BLACKHOLE 5
config acl rule destination port range BLACKHOLE 5 8444 8444
config acl rule destination address BLACKHOLE 5 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 5 permit
config acl rule source port range BLACKHOLE 5 0 65535
config acl rule direction BLACKHOLE 5 in
config acl rule protocol BLACKHOLE 5 6

config acl rule add BLACKHOLE 6
config acl rule destination port range BLACKHOLE 6 0 65535
config acl rule action BLACKHOLE 6 permit
config acl rule source port range BLACKHOLE 6 8444 8444
config acl rule source address BLACKHOLE 6 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 6 out
config acl rule protocol BLACKHOLE 6 6

config acl rule add BLACKHOLE 7
config acl rule destination port range BLACKHOLE 7 8444 8444
config acl rule destination address BLACKHOLE 7 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 7 permit
config acl rule source port range BLACKHOLE 7 0 65535
config acl rule direction BLACKHOLE 7 in
config acl rule protocol BLACKHOLE 7 6

config acl rule add BLACKHOLE 8
config acl rule destination port range BLACKHOLE 8 0 65535
config acl rule action BLACKHOLE 8 permit
config acl rule source port range BLACKHOLE 8 8444 8444
config acl rule source address BLACKHOLE 8 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 8 out
config acl rule protocol BLACKHOLE 8 6

! Final rule to block everything else (no action line, so the WLC default action of deny applies)
config acl rule add BLACKHOLE 9
config acl rule destination port range BLACKHOLE 9 0 65535
config acl rule source port range BLACKHOLE 9 0 65535

config acl create BLACKHOLE
config acl apply BLACKHOLE