11-01-2022 10:05 PM
Hi,
I intend to apply an ACL on the WLC to achieve the following:
- Only the admin should be able to log on to the WLC from his IP.
- Only APs should be able to join the WLC from their specific IP pool 10.202.x.x/24 (no other IP pool should be allowed from which an AP can join the WLC).
- Existing traffic flow shouldn't get disturbed. This may include end users' internet/usual LAN access, SNMP monitoring, etc.
Any help shall be highly appreciated.
Regards
11-01-2022 10:52 PM
- Only the admin should be able to log on to the WLC from his IP - This you may configure in the WLC GUI; I also prefer to have an ACL where the WLC Layer 3 interface is connected.
- Only APs should be able to join the WLC from their specific IP pool 10.202.x.x/24 (no other IP pool should be allowed from which an AP can join the WLC) - Same as above, an ACL on the interface, or add Option 43 only for that pool; make sure the AP-connected port belongs to the same VLAN on the access port.
- Existing traffic flow shouldn't get disturbed. This may include end users' internet/usual LAN access, SNMP monitoring, etc. - You can also use an ACL, but I suggest having a FW in the network, which is always a good option (ACLs are hard to manage).
11-02-2022 10:30 AM
What is the WLC model you have?
Do you have a dedicated management (service) port configured?
Do you have an upstream firewall?
11-03-2022 01:17 AM
2504
Not dedicated (it's a trunk port used for 2 more VLANs as well)
Yes, we have one for a particular VLAN (the rest of the VLANs are not routed VLANs, being used for internet only)
11-03-2022 04:14 AM
You need to use a CPU ACL.
Cisco WLC CPU ACL — WIRES AND WI.FI
Make sure that you read the nuances before configuring; otherwise you may end up locking yourself out of the WLC.
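As an added example (not from the thread, the linked article or Cisco), a small Python model of the top-down, first-match evaluation a CPU ACL performs on traffic destined to the controller itself. The admin host, the AP pool instance and the SNMP server addresses are constructed; the point is to check, before applying such an ACL, that it still permits the admin's own management path and the AP join ports, since everything unmatched falls to the implicit deny.

```python
"""First-match model of the WLC CPU ACL discussed in the thread: rules are
checked top-down and anything unmatched hits the implicit deny, which is
how a careless CPU ACL locks the admin out. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str       # permitted source network (CIDR)
    proto: str     # "tcp", "udp" or "any"
    dports: tuple  # inclusive (low, high) destination port range, None = any
    action: str    # "permit" or "deny"


ADMIN_HOST = "10.10.10.5/32"   # constructed: the admin workstation
AP_POOL = "10.202.1.0/24"      # constructed instance of the 10.202.x.x/24 pool
SNMP_SERVER = "10.10.20.9/32"  # constructed: monitoring host

CPU_ACL = [
    Rule(ADMIN_HOST, "tcp", (22, 22), "permit"),     # SSH management
    Rule(ADMIN_HOST, "tcp", (443, 443), "permit"),   # HTTPS GUI
    Rule(AP_POOL, "udp", (5246, 5247), "permit"),    # CAPWAP control/data
    Rule(SNMP_SERVER, "udp", (161, 161), "permit"),  # SNMP polling
]  # everything else: implicit deny


def evaluate(acl, src_ip, proto, dport):
    """Return the action of the first matching rule, "deny" if none match."""
    src = ip_address(src_ip)
    for rule in acl:
        if src not in ip_network(rule.src, strict=False):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dports and not rule.dports[0] <= dport <= rule.dports[1]:
            continue
        return rule.action
    return "deny"


def lockout_check(acl, admin_ip, mgmt=(("tcp", 22), ("tcp", 443))):
    """Management paths the admin keeps once the ACL is applied; an empty
    list means applying it from that host would cut off all management."""
    return [(p, port) for p, port in mgmt
            if evaluate(acl, admin_ip, p, port) == "permit"]
```

An AP sourcing CAPWAP from any subnet other than the AP pool is dropped, and dropping the two admin rules makes `lockout_check` return an empty list, which is the lockout case the post above warns about.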