05-02-2022 08:06 AM - edited 05-02-2022 08:07 AM
Hi, we are trying to configure a CPU ACL based on the Cisco link below, but it looks like it does not go into detail about CPU ACLs. Does anyone have a suggestion or a link to share? Thank you.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html
05-02-2022 08:14 AM
Here is a good blog you can read through
https://mrncciew.com/2013/03/15/wlc-access-control-list-acl/amp/
05-02-2022 08:31 AM
05-02-2022 11:04 AM
Thank you for your nice reply. Please see the picture below. The ACL is created, but it is not associated with a dynamic interface or the CPU, so why does it show some numbers under Number of Hits? In other words, the ACL is not enabled.
05-02-2022 01:43 PM
This ACL is to permit traffic to and from DNS; it is for Pre-Web Auth.
05-03-2022 11:55 AM - edited 05-03-2022 11:58 AM
@MHM Cisco World OK, thank you MHM.
The purpose of configuring a CPU ACL in this case is to decrease security vulnerability. Can I say it like this? So if the client subnet is 10.10.10.0/24, we need to deny the subnet via the CPU ACL toward the CPU and allow all others, and the dynamic ACL needs to stay the same as before. Is this correct?
Below is a link that I think might be useful:
https://studylib.net/doc/14483068/securing-wireless-lan-controllers--wlcs--contents-documen...
05-03-2022 12:33 PM
Previously, ACLs on WLCs did not have an option to filter LWAPP/CAPWAP data traffic, LWAPP/CAPWAP control traffic, and mobility traffic destined to the Management and AP Manager interfaces. In order to address this issue and filter LWAPP and mobility traffic, CPU ACLs were introduced with WLC firmware release 4.0.
The configuration of CPU ACLs involves two steps:
Configure rules for the CPU ACL.
Apply the CPU ACL on the WLC.
So only the management and AP manager interfaces are included as destinations of the deny CPU ACL.
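Added example, not from any post in this thread: a small Python model for checking a planned CPU ACL against the flows it must block and the flows it must keep before it is applied on the controller. It assumes first-match evaluation with an implicit deny at the end; every address except the 10.10.10.0/24 client subnet is a constructed placeholder, and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing: only the client subnet comes from the thread.
CLIENTS = "10.10.10.0/24"
MGMT = "192.0.2.10/32"      # hypothetical management interface
AP_MGR = "192.0.2.11/32"    # hypothetical AP-manager interface
ANY = "0.0.0.0/0"

# Rule: (action, source, destination, protocol, destination port or None for any)
CPU_ACL = [
    ("deny", CLIENTS, MGMT, "any", None),
    ("deny", CLIENTS, AP_MGR, "any", None),
    ("permit", ANY, ANY, "any", None),   # the explicit "allow all others"
]

# Constructed flows: (label, src, dst, proto, dport, expected action)
FLOWS = [
    ("client HTTPS to management", "10.10.10.50", "192.0.2.10", "tcp", 443, "deny"),
    ("client to AP-manager", "10.10.10.50", "192.0.2.11", "udp", 5246, "deny"),
    ("AP CAPWAP control", "198.51.100.20", "192.0.2.10", "udp", 5246, "permit"),
    ("AP CAPWAP data", "198.51.100.20", "192.0.2.10", "udp", 5247, "permit"),
    ("admin SSH", "203.0.113.5", "192.0.2.10", "tcp", 22, "permit"),
]

def evaluate(acl, src, dst, proto, dport):
    """Return (action, rule number) of the first matching rule, or
    ("deny", None) when nothing matches (assumed implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, r_src, r_dst, r_proto, r_port) in enumerate(acl, 1):
        if (s in ipaddress.ip_network(r_src) and d in ipaddress.ip_network(r_dst)
                and r_proto in ("any", proto) and r_port in (None, dport)):
            return action, number
    return "deny", None

def audit(acl, flows):
    """Return the labels of flows whose outcome differs from the expectation."""
    return [label for label, src, dst, proto, dport, want in flows
            if evaluate(acl, src, dst, proto, dport)[0] != want]

if __name__ == "__main__":
    print("full ACL mismatches:", audit(CPU_ACL, FLOWS))
    print("without final permit:", audit(CPU_ACL[:2], FLOWS))
```

Dropping the final permit rule makes the AP and admin flows fail the audit, which is the lockout case to rule out before the ACL is applied to the CPU.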