11-28-2022 07:13 AM
I'm looking into ways to restrict traffic to my management GUI of the 9800-40 WLC.
In the 5520 we have CPU ACL's deployed, restricting access.
I know that I can attach an ACL to my management interface but what about the mobility traffic between controllers and CAPWAP traffic. The CAPWAP traffic in the 5520 is allowed by default for example, the CPU ACL is not affecting CAPWAP traffic. I cannot find any documentation on this regarding the 9800 platform.
Does anyone have some form of documentation regarding this topic ?
11-28-2022 07:32 AM - edited 11-28-2022 07:34 AM
Well its like any other IOS acl's, you probably want to permit https/ssh from your management subnets and then deny https/ssh from any. then permit any any, which would allow all the other traffic you didn't not deny.
I'm assuming you have some sort of acl for your other network devices? Might be easier to just have this on the router so you don't have acl's everywhere in your network.
11-28-2022 07:50 AM
Yes we do have generic ACL's in place, but all of those devices do not have AP's trying to connect to it
I'm not too thrilled to do an allow any any, just for AP's to be able to setup CAPWAP tunnel.
The other way would be to specifically allow CAPWAP and mobility messages for example.
But as mentioned I'm just looking for documentation, but I think there is none ? For AireOs there was / is some descent documentation regarding CPU ACL's.
11-28-2022 08:12 AM
I understand, but AireOS is different from the 9800's. You always can get a full list of ports you need to allow, but do you really want to manage that? This is an old list, but many ports have not changed except for lwapp to capwap.
Cisco Unified Wireless Network Protocol and Port Matrix - Cisco
11-28-2022 08:13 AM - edited 11-28-2022 08:13 AM
I assume Management Traffic = HTTP/S, SSH, TELNET
If so, you will do the below. First create an ACL defining which IPs are allowed to access the WLC management.
ip access-list standard 10
10 permit 188.8.131.52
20 permit 184.108.40.206
For HTTP/S access restriction -
ip http access-class ipv4 10 ("10" is the ACL, below commands are optional)
ip http auth-retry 10 time-window 1
ip http authentication local
ip http secure-server
ip http max-connections 10
line vty 0 4
access-class 10 in
transport input telnet ssh
line vty 5 50
access-class 10 in
11-28-2022 08:23 AM
That is the easiest way.
11-28-2022 11:23 AM
This makes sense, I'm going to test it. Many thanks !
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: