05-28-2022 09:03 PM
Hi, we have a WLC 3504. Its management interface IP address is 10.10.10.10. Via CPU ACL, if we deny all traffic except ports 12124-12125, 12134-12135
and port 443 for IP address 10.10.10.10,
can the config cause blocking of access to the WLC?
Thanks
05-28-2022 11:39 PM
Yes, I think so; it's simple to test. I am assuming you did not mean the OOB management service port, because the ACL does not affect this port.
Your management interface is also your AP Manager interface, so APs won't be joining the WLC;
you can read about ACL limitations here:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html#common
Hope this helps.
05-29-2022 03:09 AM
Access via SSH? If yes, you need to allow the port.
Access via HTTP? If yes, is the WLC behind NAT? Check the HTTP port NAT.
05-29-2022 04:29 AM
Hi
If you are worried about user traffic, you don't need to be. This is the right way to control WLC manageability: no user traffic will be denied and RRM functionality will be preserved.
What the WLC CPU ACL can't block:
CAPWAP traffic to and from access points.
Traffic to and from other WLCs in Mobility Group.
Traffic to and from RADIUS/TACACS servers.
Traffic to and from LDAP servers.
Traffic to and from DHCP servers.
What the WLC CPU ACL will block:
HTTP/HTTPS traffic towards the WLC management IP address.
SSH/Telnet traffic towards the WLC management IP address.
SNMP traffic towards the WLC management IP address.
FTP/TFTP/SFTP traffic towards the WLC management IP address.
ICMP traffic (like ping) towards the WLC management IP address and all dynamic interfaces (client interfaces).
05-29-2022 05:50 AM - edited 05-29-2022 05:55 AM
Thank you all for your reply.
"-- What the WLC CPU ACL will block:
HTTP/HTTPS traffic towards the WLC management IP address. --- "
The CPU ACL includes a permit for port 443, so we will not lose the connection to the WLC via the GUI, right?
05-29-2022 06:40 AM
Right.
05-29-2022 06:05 AM
Can I see the ACL?
Source will be any, destination will be the management interface with port 443 (if you do not NAT this port).
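The list of what a CPU ACL does and does not filter (the reply above), and the "source any, destination management interface, port 443" rule suggested here, written out as an AireOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. It assumes: the management IP 10.0.100.66 mentioned later in the thread; a hypothetical admin subnet 10.0.100.0/24 from which SSH and ping are allowed; that the poster's ports 12124-12125 and 12134-12135 may be TCP or UDP (the thread does not say, so both are permitted); the 8.x `config acl` syntax as I remember it, with `direction any` for CPU ACL rules. The `!` lines are annotations and are not AireOS commands; strip them before pasting, and check the result with `show acl detailed` before applying.

```cisco
! Added example, not from the thread. Verify every command against your
! release ("config acl ?" and "show acl detailed CPU-MGMT") before applying.
! Management IP 10.0.100.66 is from the thread; 10.0.100.0/24 as the admin
! subnet is an assumption. Protocol numbers: 6 = TCP, 17 = UDP, 1 = ICMP.

config acl create CPU-MGMT

! Rule 1: HTTPS GUI to the management IP (the rule the poster already has).
config acl rule add CPU-MGMT 1
config acl rule action CPU-MGMT 1 permit
config acl rule protocol CPU-MGMT 1 6
config acl rule source address CPU-MGMT 1 10.0.100.0 255.255.255.0
config acl rule destination address CPU-MGMT 1 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 1 443 443
config acl rule direction CPU-MGMT 1 any

! Rule 2: SSH CLI. The proposed "443 plus the two ranges" ACL has no such
! rule, so SSH to the management IP would fall to the implicit deny.
config acl rule add CPU-MGMT 2
config acl rule action CPU-MGMT 2 permit
config acl rule protocol CPU-MGMT 2 6
config acl rule source address CPU-MGMT 2 10.0.100.0 255.255.255.0
config acl rule destination address CPU-MGMT 2 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 2 22 22
config acl rule direction CPU-MGMT 2 any

! Rule 3: ICMP from the admin subnet, so reachability checks keep working
! (ping to the management and dynamic interfaces is filtered by a CPU ACL).
config acl rule add CPU-MGMT 3
config acl rule action CPU-MGMT 3 permit
config acl rule protocol CPU-MGMT 3 1
config acl rule source address CPU-MGMT 3 10.0.100.0 255.255.255.0
config acl rule direction CPU-MGMT 3 any

! Rules 4-7: the poster's port ranges, TCP and UDP, source any (assumption:
! the thread does not say which protocol or which sources use these ports).
config acl rule add CPU-MGMT 4
config acl rule action CPU-MGMT 4 permit
config acl rule protocol CPU-MGMT 4 6
config acl rule destination address CPU-MGMT 4 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 4 12124 12125
config acl rule direction CPU-MGMT 4 any

config acl rule add CPU-MGMT 5
config acl rule action CPU-MGMT 5 permit
config acl rule protocol CPU-MGMT 5 17
config acl rule destination address CPU-MGMT 5 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 5 12124 12125
config acl rule direction CPU-MGMT 5 any

config acl rule add CPU-MGMT 6
config acl rule action CPU-MGMT 6 permit
config acl rule protocol CPU-MGMT 6 6
config acl rule destination address CPU-MGMT 6 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 6 12134 12135
config acl rule direction CPU-MGMT 6 any

config acl rule add CPU-MGMT 7
config acl rule action CPU-MGMT 7 permit
config acl rule protocol CPU-MGMT 7 17
config acl rule destination address CPU-MGMT 7 10.0.100.66 255.255.255.255
config acl rule destination port range CPU-MGMT 7 12134 12135
config acl rule direction CPU-MGMT 7 any

! No explicit deny is needed: an AireOS ACL ends with an implicit deny, so
! HTTP/80, Telnet/23, SNMP/161, TFTP/69 and FTP to the management IP are
! dropped. CAPWAP, mobility, RADIUS/TACACS, LDAP and DHCP are not subject
! to the CPU ACL and keep working without a permit rule.

! Review, then bind the ACL to the CPU for wired and wireless sources.
show acl detailed CPU-MGMT
config acl apply CPU-MGMT
config acl cpu CPU-MGMT both
show acl cpu
```

Apply it from a console or service-port session rather than over SSH or the GUI: the service port is not filtered by the CPU ACL, so a mistake in the rules (for example, forgetting rule 2) cannot lock that session out, and `config acl cpu none` removes the binding if management access is lost. If SNMP monitoring is in use, a rule permitting UDP 161 from the NMS address is needed as well, since SNMP to the management IP is among the traffic the CPU ACL blocks.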
05-31-2022 07:55 PM - edited 05-31-2022 08:35 PM
@MHM Cisco World Please see the below, where 10.0.100.66 is the WLC management interface. In addition, ports 12124-12125 and 12134-12135 should be permitted. Any suggestion? Thanks
06-01-2022 03:19 PM - edited 06-01-2022 03:22 PM
Check the Cisco note about the CPU ACL.