I have a WLC 5508 (220.127.116.11) on a customer site. The customer wants a strict CPU ACL without surplus lines. I tested the CPU ACL on my WLC 4402 (18.104.22.168). I don't have a 5508 to test it on.
According to the customer's network policy, they only have ACLs applied in the INBOUND direction.
On my 4402 I created a CPU ACL that allows communication between:
WCS - WLC mgmt
mgmt LAN - WLC mgmt
AP - WLC mgmt
AP - ap-manager
RADIUS - WLC mgmt
Any, any UDP - destination port DHCP server
I did that following Cisco document ID 109669 - the direction field on a CPU ACL should always be INBOUND or ANY.
I think everything is working fine. I have RADIUS communication, WCS, AP joins are OK, new clients get IP addresses... and I have hit counts on the ACL.
I configured the same thing on the customer's 5508, but:
- no hit counts
- no ping between the mgmt LAN and WLC mgmt (telnet and https work)
- no communication with RADIUS
- AP joins are fine
When I remove the ACL from the CPU everything works fine.
Then I added lines that allow returning traffic in the OUTBOUND direction (just for RADIUS and the mgmt LAN, no APs because the APs join successfully).
I did that following Cisco document ID 71978 - must allow returning traffic in the OUTBOUND direction.
RADIUS communication and ping to WLC mgmt are working fine.
Still no hit counts.
The customer is not satisfied with this solution because of the policy (only IN ACLs) and they refer to Cisco doc ID 109669.
The customer says they do not want to play "guess the solution", but want to make sure that everything works according to Cisco recommendations and Cisco documents.
Has anyone worked with strict CPU ACLs before?
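An added example, not from the original post: a small stateless model of a CPU ACL with a per-rule direction, showing why a request/reply flow such as RADIUS or ping fails when only the inbound direction is permitted and the filter is applied to packets leaving the CPU as well. Addresses, ports and the inbound/outbound semantics are assumptions for the model, not a description of WLC internals.

```python
# Constructed model of a direction-aware, stateless CPU ACL (assumption: the
# platform checks packets leaving the CPU against the same list, which is what
# the 5508 symptoms above suggest). Addresses are made up for the example.
from ipaddress import ip_network, ip_address

WLC_MGMT = "10.0.0.10"      # constructed: controller management address
RADIUS = "10.0.1.20"        # constructed: RADIUS server address
MGMT_LAN = "10.0.2.0/24"    # constructed: admin workstations

# Rule = (direction, src_net, dst_net, proto, dst_port or None)
# "in" = toward the controller CPU, "out" = from the CPU, "any" = both
def rule(direction, src, dst, proto, dport=None):
    return (direction, ip_network(src), ip_network(dst), proto, dport)

INBOUND_ONLY = [
    rule("in", f"{RADIUS}/32", f"{WLC_MGMT}/32", "udp"),
    rule("in", MGMT_LAN, f"{WLC_MGMT}/32", "any"),
    rule("in", "0.0.0.0/0", "0.0.0.0/0", "udp", 67),   # DHCP server port
]
# Same rules plus explicit permits for the replies the CPU sends back
WITH_RETURN = INBOUND_ONLY + [
    rule("out", f"{WLC_MGMT}/32", f"{RADIUS}/32", "udp"),
    rule("out", f"{WLC_MGMT}/32", MGMT_LAN, "any"),
]

def permitted(acl, direction, src, dst, proto, dport=None):
    """First-match evaluation with the usual implicit deny at the end."""
    for rdir, rsrc, rdst, rproto, rport in acl:
        if rdir not in ("any", direction):
            continue
        if ip_address(src) not in rsrc or ip_address(dst) not in rdst:
            continue
        if rproto not in ("any", proto):
            continue
        if rport is not None and rport != dport:
            continue
        return True
    return False

def radius_exchange_ok(acl):
    """Access-Request leaves the CPU (out), Access-Accept comes back (in)."""
    req = permitted(acl, "out", WLC_MGMT, RADIUS, "udp", 1812)
    rep = permitted(acl, "in", RADIUS, WLC_MGMT, "udp")
    return req and rep

def ping_from_mgmt_lan_ok(acl):
    """ICMP echo in from a LAN host and the echo reply back out."""
    return (permitted(acl, "in", "10.0.2.5", WLC_MGMT, "icmp")
            and permitted(acl, "out", WLC_MGMT, "10.0.2.5", "icmp"))
```

With the inbound-only list both checks fail on the outbound leg, which matches the missing RADIUS and ping behaviour; the list with return rules passes both.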