
Restrict management access to GUI 9800-40



I'm looking into ways to restrict traffic to my management GUI of the 9800-40 WLC.

In the 5520 we have CPU ACLs deployed, restricting access.

I know that I can attach an ACL to my management interface, but what about the mobility traffic between controllers and CAPWAP traffic? The CAPWAP traffic in the 5520 is allowed by default, for example; the CPU ACL is not affecting CAPWAP traffic. I cannot find any documentation on this regarding the 9800 platform.

Does anyone have some form of documentation regarding this topic?


Scott Fella

Well, it's like any other IOS ACL: you probably want to permit https/ssh from your management subnets and then deny https/ssh from any. Then permit any any, which would allow all the other traffic you didn't deny.

I'm assuming you have some sort of ACL for your other network devices? Might be easier to just have this on the router so you don't have ACLs everywhere in your network.

*** Please rate helpful posts ***

Hi Scott,

Yes, we do have generic ACLs in place, but all of those devices do not have APs trying to connect to them.

I'm not too thrilled to do an allow any any, just for APs to be able to set up a CAPWAP tunnel.

The other way would be to specifically allow CAPWAP and mobility messages, for example.

But as mentioned, I'm just looking for documentation, but I think there is none? For AireOS there was / is some decent documentation regarding CPU ACLs.

I understand, but AireOS is different from the 9800s. You can always get a full list of ports you need to allow, but do you really want to manage that? This is an old list, but many ports have not changed except for LWAPP to CAPWAP.

Cisco Unified Wireless Network Protocol and Port Matrix - Cisco

*** Please rate helpful posts ***

Arshad Safrulla


I assume Management Traffic = HTTP/S, SSH, TELNET

If so, you will do the below. First create an ACL defining which IPs are allowed to access the WLC management.

ip access-list standard 10
10 permit
20 permit

For HTTP/S access restriction - 

conf t
! "10" is the ACL; the commands below are optional
ip http access-class ipv4 10
ip http auth-retry 10 time-window 1
ip http authentication local
ip http secure-server
ip http max-connections 10

For SSH/Telnet 


line vty 0 4
access-class 10 in
login local
transport input telnet ssh
line vty 5 50
access-class 10 in
login local



That is the easiest way.

*** Please rate helpful posts ***
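A way to check that the restriction above actually covers the GUI and every vty range, as an added example that is not part of the original posts or Cisco's own tooling. The function name `audit_mgmt_access` is hypothetical, the running-config excerpt is constructed, and it assumes the one-space indentation that `show running-config` output uses.

```python
import re

# Constructed running-config excerpt (not from a real device).
# 192.0.2.0/24 is a documentation range standing in for the management subnet.
SAMPLE_CONFIG = """\
ip access-list standard 10
 10 permit 192.0.2.0 0.0.0.255
ip http access-class ipv4 10
ip http secure-server
line vty 0 4
 access-class 10 in
 login local
 transport input telnet ssh
line vty 5 50
 login local
"""

def audit_mgmt_access(config):
    """Return a list of findings about GUI and vty access restrictions."""
    findings = []
    defined = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    # GUI: HTTP/S is only restricted when an access-class is bound to the HTTP server.
    http = re.search(r"^ip http access-class ipv4 (\S+)", config, re.M)
    if not http:
        findings.append("http: no access-class bound")
    elif http.group(1) not in defined:
        findings.append(f"http: ACL {http.group(1)} not defined")
    # Collect the indented body of every "line vty" block.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.split())
        else:
            current = None
    for name, body in blocks.items():
        acls = [w[1] for w in body if len(w) >= 3 and w[0] == "access-class" and w[2] == "in"]
        if not acls:
            findings.append(f"{name}: no inbound access-class")
        elif acls[0] not in defined:
            findings.append(f"{name}: ACL {acls[0]} not defined")
        # Telnet is cleartext; flag any vty range that still accepts it.
        if any(w[:2] == ["transport", "input"] and "telnet" in w[2:] for w in body):
            findings.append(f"{name}: telnet permitted")
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample it reports the vty 5 50 range that was left without an access-class and the telnet transport on vty 0 4.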

This makes sense, I'm going to test it. Many thanks!
