https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690312#M5696 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326193">@Scott Fella</a> does it mean there's no way to apply management ACL on the WLC? That's a bit of disappointment. We also have a requirement to restrict management access to WLCs in the trusted network (such as only DC/jump boxes) can manage it. Applying this ACL to management SVI on a switch is not really an option because apart from WLCs we have tens of other devices in management VLAN and some have different requirements. This will also make ACL IP-address specific, while if applied to WLC it can be based around standard sets of source IP address (jump box) with ANY as destination - hence unified across all WLCs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I can't believe Cisco hasn't created management ACLs...&nbsp; we've just finished applying this to our routers and switches securing both SSH and HTTPS, but of course... you can't do this on WLCs <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 Aug 2018 10:03:09 GMT Tymofii Dmytrenko 2018-08-17T10:03:09Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010351#M5693 <P>We are trying to be more prudent on what subnets have access to our WLC for PCI compliance.&nbsp; We have created a deny ACL&nbsp; on the management ACL of the wireless controller but I can still ssh from a subnet we have denied access to. What gives?&nbsp;&nbsp; We obviously do not want to block CAPWAP traffic to and from the access points and controllers but we do no want to have unrestricted management access from all the remote subnets.</P> Mon, 05 Jul 2021 13:22:58 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010351#M5693 DAVID 2021-07-05T13:22:58Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010352#M5694 <P>Why not just create an acl on the layer 3 svi and not on the WLC.&nbsp;</P> <P>-Scott&nbsp;</P> <P>*** Please rate helpful posts ***&nbsp;</P> Tue, 17 Jan 2017 16:12:13 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010352#M5694 Scott Fella 2017-01-17T16:12:13Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010353#M5695 <P>that would be an option if I had it.&nbsp; I'm trying to appease management who insists that the ACL is not correct.&nbsp; Here is a brief background.&nbsp; I have two 5520's in HA.&nbsp; The active node is what is accessible to the AP's and general management. While the deny tcp any any has been created on the management ACL I can still SSH to the backup node but not the active node.&nbsp; Trying to understand as to why?&nbsp; I do realize that only one node will be active at a time and any ACL obliviously only deals with the active node.&nbsp; Just making sure that I am not missing something.</P> Tue, 17 Jan 2017 16:46:39 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3010353#M5695 DAVID 2017-01-17T16:46:39Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690312#M5696 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326193">@Scott Fella</a> does it mean there's no way to apply management ACL on the WLC? That's a bit of disappointment. We also have a requirement to restrict management access to WLCs in the trusted network (such as only DC/jump boxes) can manage it. Applying this ACL to management SVI on a switch is not really an option because apart from WLCs we have tens of other devices in management VLAN and some have different requirements. This will also make ACL IP-address specific, while if applied to WLC it can be based around standard sets of source IP address (jump box) with ANY as destination - hence unified across all WLCs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I can't believe Cisco hasn't created management ACLs...&nbsp; we've just finished applying this to our routers and switches securing both SSH and HTTPS, but of course... you can't do this on WLCs <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 Aug 2018 10:03:09 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690312#M5696 Tymofii Dmytrenko 2018-08-17T10:03:09Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690324#M5697 <P>You can create a CPU ACL to restrict access to management. We just rather restrict it from the L3 as it’s easier to apply from a few devices than all.&nbsp;</P> Fri, 17 Aug 2018 10:55:32 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690324#M5697 Scott Fella 2018-08-17T10:55:32Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690367#M5698 <P>Yeah... I am looking at CPU ACLs now.</P> <P>&nbsp;</P> <P>Applied basic ACL with one DENY (specific) and ONE PERMIT ALL statement. It does look like it does the job, but I am not sure if anything else can be broken potentially.</P> <P>&nbsp;</P> <P>Also tried a reverse rule - PERMIT from 2 subnets from where management traffic is expected and DENIED everything else - still ok. Apparently in 8.x code this ACL does not affect service protocols, such as CAPWAP and Mobility (all my APs are still up, clients can still connect and consume wireless services).</P> <P>&nbsp;</P> <P>I will leave it for couple days before signing off....&nbsp; Thanks !</P> Fri, 17 Aug 2018 12:33:59 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690367#M5698 Tymofii Dmytrenko 2018-08-17T12:33:59Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690368#M5699 <P>Oh... it affects RADIUS communication <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> and TACACS+</P> <P>&nbsp;</P> <P>So, ACL must include service subnets too... or protocols. Crap.</P> <P>That's not what we wanted as it can become way too complicated.</P> Fri, 17 Aug 2018 12:43:00 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690368#M5699 Tymofii Dmytrenko 2018-08-17T12:43:00Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690398#M5700 It’s trocky because you have to understand if you use any, inbounds or outboud. I have just used source subnet permit like https and ssh inbound then deny any any inbound for https and ssh inbound then permit any any. <BR /><BR />So you might want to try to permit what you want first using inbound then deny the same protocols then have a permit any any in the end. Fri, 17 Aug 2018 13:28:08 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690398#M5700 Scott Fella 2018-08-17T13:28:08Z https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690462#M5701 <P>Thanks Scott</P> <P>&nbsp;</P> <P>Yeah, it's tricky, indeed</P> <P>&nbsp;</P> <P>Just tried what you've suggested and it works</P> <P>&nbsp;</P> <P>So I permit HTTPS/SSH by source (two rules per source), then DENY HTTPS/SSH from ANY and permit other protocols ANY ANY.</P> <P>&nbsp;</P> <P>I believe CPU ACL ignores the direction, rules needs to be as if you apply TOWARDS CPU (seen it somewhere).</P> <P>&nbsp;</P> <P>It works</P> Fri, 17 Aug 2018 14:55:00 GMT https://community.cisco.com/t5/wireless/restrict-ssh-to-wlc-from-untrusted-subnets/m-p/3690462#M5701 Tymofii Dmytrenko 2018-08-17T14:55:00Z