https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4714570#M247783 <P>Hi,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I intend to apply ACL on WLC to achieve following</P><P>&nbsp;</P><P>- Only admin should be able to logon into WLC from his IP</P><P>- Only AP's should be able to join WLC from their specific IP pool 10.202.x.x/24 (no other IP pool should be allowed from where AP can join WLC).</P><P>- Existing traffic flow shouldn't get disturbed. This may include end users internet/usual lan access, snmp monitoring etc.</P><P>Any help shall be highly appreciated.</P><P>&nbsp;</P><P>Regards</P> Wed, 02 Nov 2022 05:05:45 GMT usman_safdar 2022-11-02T05:05:45Z https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4714570#M247783 <P>Hi,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I intend to apply ACL on WLC to achieve following</P><P>&nbsp;</P><P>- Only admin should be able to logon into WLC from his IP</P><P>- Only AP's should be able to join WLC from their specific IP pool 10.202.x.x/24 (no other IP pool should be allowed from where AP can join WLC).</P><P>- Existing traffic flow shouldn't get disturbed. This may include end users internet/usual lan access, snmp monitoring etc.</P><P>Any help shall be highly appreciated.</P><P>&nbsp;</P><P>Regards</P> Wed, 02 Nov 2022 05:05:45 GMT https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4714570#M247783 usman_safdar 2022-11-02T05:05:45Z https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4714574#M247784 <P>- Only admin should be able to logon into WLC from his IP&nbsp; - This you may configured WLC GUI, I also prefer to have ACL where WLC Layer 3 interface connected.</P> <P>- Only AP's should be able to join WLC from their specific IP pool 10.202.x.x/24 (no other IP pool should be allowed from where AP can join WLC).&nbsp; - Same as Above ACL on the Interface, or&nbsp; add only Option 43 for that pool, Make sure AP connected port belongs to the same VLAN in the access port.</P> <P>- Existing traffic flow shouldn't get disturbed. This may include end users' internet/usual can access, SNMP monitoring etc.&nbsp; - You can also use ACL, but suggest having FW in the network is always a good option (ACL hard to manage).</P> Wed, 02 Nov 2022 05:52:52 GMT https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4714574#M247784 balaji.bandi 2022-11-02T05:52:52Z https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715050#M247820 <P>What is the WLC model you have?</P> <P>Do you have a dedicated management (service) port configured?</P> <P>Do you have an upstream firewall?</P> Wed, 02 Nov 2022 17:30:12 GMT https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715050#M247820 Arshad Safrulla 2022-11-02T17:30:12Z https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715394#M247839 <P>2504</P><P>not dedicated (its a trunk port used for 2 more vlans as well)</P><P>yes we have for a particular vlan (rest of the vlans are not routed vlans, being used for internet only)</P> Thu, 03 Nov 2022 08:17:43 GMT https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715394#M247839 usman_safdar 2022-11-03T08:17:43Z https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715586#M247845 <P>You need to use CPU ACL.&nbsp;</P> <P><A href="https://www.wiresandwi.fi/blog/wlc-cpu-acl" target="_blank">Cisco WLC CPU ACL — WIRES AND WI.FI</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/access_control_lists.html" target="_blank">Cisco Wireless Controller Configuration Guide, Release 8.5 - Access Control Lists [Cisco Wireless LAN Controller Software] - Cisco</A></P> <P>Make sure that you read the nuances before configuring, otherwise you may end up locking the WLC.</P> Thu, 03 Nov 2022 11:14:48 GMT https://community.cisco.com/t5/wireless/applying-acl-on-wlc-for-admin-logon-and-ap-s-only/m-p/4715586#M247845 Arshad Safrulla 2022-11-03T11:14:48Z