CPU ACL configuration at wlc

Leftz
Level 4

Hi, we are trying to configure a CPU ACL based on the Cisco link below, but it does not seem to go into detail about CPU ACLs. Does anyone have a suggestion or a link to share? Thank you

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

6 Replies

ammahend
VIP

Here is a good blog you can read through

https://mrncciew.com/2013/03/15/wlc-access-control-list-acl/amp/

-hope this helps-

[attached image: acwlc3.png]

Leftz
Level 4

Thank you for your nice reply. Please see the picture below. The ACL is created, but it is not associated with a dynamic interface or the CPU, so why does it show some number under Number of Hits? In other words, the ACL is not enabled.

[attached image: 1.PNG]

This ACL is to permit traffic to and from DNS; it is for Pre-Web Auth.

Leftz
Level 4

@MHM Cisco World  Ok, thank you MHM.

The purpose of configuring a CPU ACL in this case is to decrease security vulnerability. Can I say it like this? So if the client subnet is 10.10.10.0/24, we need to deny that subnet toward the CPU via the CPU ACL and allow all others, and the dynamic ACL needs to stay the same as before. Is this correct?

Below is a link that I think might be useful.

https://studylib.net/doc/14483068/securing-wireless-lan-controllers--wlcs--contents-documen...

Previously, ACLs on WLCs did not have an option to filter LWAPP/CAPWAP data traffic, LWAPP/CAPWAP control traffic, and mobility traffic destined to the Management and AP Manager interfaces. In order to address this issue and filter LWAPP and mobility traffic, CPU ACLs were introduced with WLC firmware release 4.0.

The configuration of CPU ACLs involves two steps:

  1. Configure rules for the CPU ACL.

  2. Apply the CPU ACL on the WLC.


    So 
    only management and AP manager interface include as destination of deny CPU ACL. 
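As an added illustration of the two steps quoted above (not configuration from this thread or from Cisco's document), here is an AireOS-style CLI sequence that denies the 10.10.10.0/24 client subnet toward the management and AP-manager addresses and permits everything else. The ACL name CPU-PROTECT, the `<management-ip>` and `<ap-manager-ip>` placeholders, and the exact command syntax are assumptions to check against your controller's command reference; lines starting with `#` are annotations, not CLI input.

```text
# Step 1: create the CPU ACL and its rules (ACL name CPU-PROTECT is assumed)
config acl create CPU-PROTECT

# Rule 1: deny the client subnet 10.10.10.0/24 toward the management interface
config acl rule add CPU-PROTECT 1
config acl rule source address CPU-PROTECT 1 10.10.10.0 255.255.255.0
config acl rule destination address CPU-PROTECT 1 <management-ip> 255.255.255.255
config acl rule action CPU-PROTECT 1 deny

# Rule 2: deny the same subnet toward the AP-manager interface
config acl rule add CPU-PROTECT 2
config acl rule source address CPU-PROTECT 2 10.10.10.0 255.255.255.0
config acl rule destination address CPU-PROTECT 2 <ap-manager-ip> 255.255.255.255
config acl rule action CPU-PROTECT 2 deny

# Rule 3: permit everything else (source/destination left at the "any" default).
# Without it, the implicit deny at the end of the ACL would also block
# legitimate management, CAPWAP and mobility traffic to the controller.
config acl rule add CPU-PROTECT 3
config acl rule action CPU-PROTECT 3 permit

# Step 2: commit the rules and bind the ACL to the controller CPU
config acl apply CPU-PROTECT
config acl cpu CPU-PROTECT

# Verify which ACL is bound to the CPU, and review the rules and hit counters
show acl cpu
show acl detailed CPU-PROTECT
```

Apply the ACL from a session that does not originate in the denied subnet, and confirm management access afterwards, since a mistake in the deny rules locks you out of the controller.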
