management connection to WLC

interfacedy (Spotlight)

Hi, we have a WLC 3504. Its management interface IP address is 10.10.10.10. Via CPU ACL, if we deny all traffic except ports 12124-12125, 12134-12135 and port 443 for IP address 10.10.10.10,

can the config cause blocking of access to the WLC?

Thanks

8 Replies

ammahend (VIP)

Yes, I think so. It's simple to test. I am assuming you did not mean the OOB management service port, because the ACL does not affect this port.

Your management interface is also your AP-manager interface, so APs won't be joining the WLC.

You can read on ACL limitations here:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html#common

-hope this helps-

Access via SSH? If yes, you need to allow the port.

Access via HTTP? If yes, is the WLC behind NAT? Check the HTTP port NAT.

Hi,

If you worry about user traffic, you don't need to. This is the right way to control WLC manageability; no user traffic will be denied and RRM functionality will be preserved.

What the WLC CPU ACL can't block:
CAPWAP traffic to and from access points.
Traffic to and from other WLCs in the Mobility Group.
Traffic to and from RADIUS/TACACS servers.
Traffic to and from LDAP servers.
Traffic to and from DHCP servers.

What the WLC CPU ACL will block:
HTTP/HTTPS traffic towards the WLC management IP address.
SSH/Telnet traffic towards the WLC management IP address.
SNMP traffic towards the WLC management IP address.
FTP/TFTP/SFTP traffic towards the WLC management IP address.
ICMP traffic (like ping) towards the WLC management IP address and all dynamic interfaces (client interfaces).

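As an added example (not part of the thread, and not Cisco's or any poster's code), here is a small pre-flight check that mirrors the two lists in the reply above: it evaluates the rule set the original poster described (permit TCP 443, 12124-12125 and 12134-12135 to the management IP, deny everything else) against a constructed set of management and infrastructure flows, treating the classes the reply says the CPU ACL never sees as exempt. The exempt port numbers, the use of TCP for the 121xx ports, the management IP 10.0.100.66 and the flow list are all assumptions chosen for illustration; the implicit deny at the end of a WLC ACL is modelled as the fallback.

```python
"""Pre-flight lock-out check for a WLC CPU ACL.

Added example, not code from the thread or from Cisco. Port numbers for the
exempt classes and the flow list are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

WLC_MGMT = "10.0.100.66"  # management IP from the poster's follow-up (constructed setup)

# Traffic the thread lists as not subject to the CPU ACL. The (protocol,
# destination port) pairs are the standard defaults and are an assumption.
CPU_ACL_EXEMPT = {
    ("udp", 5246), ("udp", 5247),    # CAPWAP control / data from APs
    ("udp", 16666), ("udp", 16667),  # mobility group peers
    ("udp", 1812), ("udp", 1813),    # RADIUS auth / acct
    ("tcp", 49),                     # TACACS+
    ("tcp", 389), ("tcp", 636),      # LDAP / LDAPS
    ("udp", 67), ("udp", 68),        # DHCP
}


@dataclass(frozen=True)
class Rule:
    index: int
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    dst: str                           # CIDR, or "any"
    dports: Optional[Tuple[int, int]]  # inclusive destination port range, or None


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    dst: str
    dport: Optional[int]               # None for ICMP


# The poster's proposed CPU ACL. TCP is assumed for the 121xx ports.
PROPOSED: List[Rule] = [
    Rule(1, "permit", "tcp", f"{WLC_MGMT}/32", (443, 443)),
    Rule(2, "permit", "tcp", f"{WLC_MGMT}/32", (12124, 12125)),
    Rule(3, "permit", "tcp", f"{WLC_MGMT}/32", (12134, 12135)),
    Rule(4, "deny", "any", "any", None),  # explicit deny, mirrors "deny all other traffic"
]

# Constructed sample flows an admin would want to keep working.
MGMT_FLOWS: List[Flow] = [
    Flow("GUI (HTTPS)", "tcp", WLC_MGMT, 443),
    Flow("SSH", "tcp", WLC_MGMT, 22),
    Flow("SNMP poll", "udp", WLC_MGMT, 161),
    Flow("ping", "icmp", WLC_MGMT, None),
    Flow("Prime 12124", "tcp", WLC_MGMT, 12124),
    Flow("CAPWAP control from AP", "udp", WLC_MGMT, 5246),
    Flow("RADIUS auth to server", "udp", "10.0.100.10", 1812),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """First-match semantics: every specified field of the rule must match."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst != "any" and ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dports is not None:
        if flow.dport is None:
            return False
        lo, hi = rule.dports
        if not lo <= flow.dport <= hi:
            return False
    return True


def verdict(rules: List[Rule], flow: Flow) -> str:
    """'exempt' if the CPU ACL never sees the flow, otherwise the first
    matching rule's action, otherwise 'deny' (WLC ACLs end with an implicit deny)."""
    if (flow.proto, flow.dport) in CPU_ACL_EXEMPT:
        return "exempt"
    for rule in sorted(rules, key=lambda r: r.index):
        if matches(rule, flow):
            return rule.action
    return "deny"


def lockout_report(rules: List[Rule] = PROPOSED,
                   flows: List[Flow] = MGMT_FLOWS) -> Dict[str, str]:
    """Map each flow name to its verdict under the given CPU ACL."""
    return {f.name: verdict(rules, f) for f in flows}


def blocked_management(rules: List[Rule] = PROPOSED,
                       flows: List[Flow] = MGMT_FLOWS) -> List[str]:
    """Names of flows the CPU ACL would drop; review these before applying."""
    return [f.name for f in flows if verdict(rules, f) == "deny"]


if __name__ == "__main__":
    for name, result in lockout_report().items():
        print(f"{name:28s} {result}")
```

Run it before pushing the ACL: anything listed by blocked_management() (here SSH, SNMP and ping) is a management path you lose, while CAPWAP and RADIUS come back as exempt because the CPU ACL is not consulted for them. Add a rule for SSH (TCP 22) to the list if CLI access must survive.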
interfacedy (Spotlight)

Thank you all for your reply.

@Flavio Miranda

"What the WLC CPU ACL will block:
HTTP/HTTPS traffic towards the WLC management IP address."

The CPU ACL includes permit port 443, so we will not lose the connection to the WLC via GUI, right?

Can I see the ACL?

The source will be any, the destination will be the management interface with port 443 (if you do not NAT this port).

interfacedy (Spotlight)

@MHM Cisco World Please see the below, where 10.0.100.66 is the WLC management interface. In addition, ports 12124-12125 and 12134-12135 should be permitted. Any suggestion? Thanks

[attachment: 1.PNG]

Check the Cisco note about the CPU ACL.
[attachment: klklklklklklklkl.png]
