Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2436
Views
15
Helpful
6
Replies

Restrict management access to GUI 9800-40

aflbakker
Level 1
Level 1

‎11-28-2022 07:13 AM

Hi,

I'm looking into ways to restrict traffic to my management GUI of the 9800-40 WLC.

In the 5520 we have CPU ACL's deployed, restricting access.

I know that I can attach an ACL to my management interface but what about the mobility traffic between controllers and CAPWAP traffic. The CAPWAP traffic in the 5520 is allowed by default for example, the CPU ACL is not affecting CAPWAP traffic. I cannot find any documentation on this regarding the 9800 platform.

Does anyone have some form of documentation regarding this topic ?

0 Helpful
6 Replies 6

Scott Fella
Hall of Fame
Hall of Fame

‎11-28-2022 07:32 AM - edited ‎11-28-2022 07:34 AM

Well its like any other IOS acl's, you probably want to permit https/ssh from your management subnets and then deny https/ssh from any.  then permit any any, which would allow all the other traffic you didn't not deny.

I'm assuming you have some sort of acl for your other network devices?  Might be easier to just have this on the router so you don't have acl's everywhere in your network.

-Scott
*** Please rate helpful posts ***
0 Helpful

aflbakker
Level 1
Level 1
In response to Scott Fella

‎11-28-2022 07:50 AM

HI Scott,

Yes we do have generic ACL's in place, but all of those devices do not have AP's trying to connect to it

I'm not too thrilled to do an allow any any, just for AP's to be able to setup CAPWAP tunnel.

The other way would be to specifically allow CAPWAP and mobility messages for example. 

But as mentioned I'm just looking for documentation, but I think there is none ? For AireOs there was / is some descent documentation regarding CPU ACL's.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to aflbakker

‎11-28-2022 08:12 AM

I understand, but AireOS is different from the 9800's.  You always can get a full list of ports you need to allow, but do you really want to manage that?  This is an old list, but many ports have not changed except for lwapp to capwap.

Cisco Unified Wireless Network Protocol and Port Matrix - Cisco

-Scott
*** Please rate helpful posts ***

Arshad Safrulla
VIP Alumni
VIP Alumni

‎11-28-2022 08:13 AM - edited ‎11-28-2022 08:13 AM

Hi, 

I assume Management Traffic = HTTP/S, SSH, TELNET

If so, you will do the below. First create an ACL defining which IPs are allowed to access the WLC management.

ip access-list standard 10
10 permit 1.1.1.1
20 permit 2.2.2.2

For HTTP/S access restriction - 

conf t
ip http access-class ipv4 10 ("10" is the ACL, below commands are optional)
ip http auth-retry 10 time-window 1
ip http authentication local
ip http secure-server
ip http max-connections 10

For SSH/Telnet 

!

line vty 0 4
access-class 10 in
login local
transport input telnet ssh
line vty 5 50
access-class 10 in
login local

!

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Scott Fella
Hall of Fame
Hall of Fame
In response to Arshad Safrulla

‎11-28-2022 08:23 AM

That is the easiest way.

-Scott
*** Please rate helpful posts ***
0 Helpful

aflbakker
Level 1
Level 1
In response to Arshad Safrulla

‎11-28-2022 11:23 AM

This makes sense, I'm going to test it. Many thanks !

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card