Unanswered Question
Sep 14th, 2010
Hi, how are you? Sorry for my questions and thanks for the patience.

I have a question: does the CPU ACL affect only the traffic of the management interface?

For example:

Controller WLC 5508 version

Interface management IP address

Interface XX IP address

I have configured the following ACL and applied to CPU ACL:

(Cisco Controller) >show acl cpu
CPU Acl Name................................ ACL
Wireless Traffic............................ Enabled
Wired Traffic............................... Enabled

(Cisco Controller) >show acl summary
ACL Counter Status               Enabled

ACL Name                         Applied
-------------------------------- -------
ACL                              Yes

(Cisco Controller) >show acl detailed ACL
                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In    6     0-65535   443-443    Any Permit           0
     2 Any    6    0-65535   443-443    Any Permit           0
     3 Any                 Any     0-65535     0-65535  Any   Deny          51
DenyCounter : 27
(Cisco Controller) >

I have the following questions:

Is it not necessary to allow the CAPWAP tunnel ports?

I have applied this ACL and traffic from Interface XX to is filtered. If I remove the CPU ACL, traffic to interface XX is permitted. So does the CPU ACL affect all interfaces?

Nicolas Darchis Fri, 10/08/2010 - 23:27
Better a late reply than no reply at all ...

The CPU ACL actually filters traffic that is destined to one of the WLC IP addresses, so it works on all interfaces, but it does not filter all types of traffic, only traffic that is destined to the WLC itself.

So if you apply a CPU ACL, it is likely you need to either allow the CAPWAP ports or allow everything in the subnet where the APs are.
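To make the reply concrete, here is an added model of how the posted CPU ACL is evaluated (example code written for this thread, not from the post or from Cisco). The three rules come from the question's 'show acl detailed ACL' output; the WLC addresses, the CAPWAP UDP ports 5246/5247, first-match ordering and the trailing implicit deny are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values: the post masks its real addresses.
WLC_ADDRESSES = {"192.0.2.10", "192.0.2.20"}  # management and "Interface XX"
CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247      # CAPWAP UDP ports (assumed)
TCP, UDP = 6, 17                              # IP protocol numbers

@dataclass
class Rule:
    index: int
    direction: str                 # "In", "Out" or "Any"
    protocol: Optional[int]        # IP protocol number, None = Any
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    action: str                    # "Permit" or "Deny"

# The three rules from the 'show acl detailed ACL' output in the question.
CPU_ACL = [
    Rule(1, "In",  TCP,  (0, 65535), (443, 443), "Permit"),
    Rule(2, "Any", TCP,  (0, 65535), (443, 443), "Permit"),
    Rule(3, "Any", None, (0, 65535), (0, 65535), "Deny"),
]

def cpu_acl_decision(dst_ip, proto, src_port, dst_port, direction="In"):
    """Return 'Permit', 'Deny' or 'not evaluated'.
    Per the reply above: the CPU ACL is consulted only for packets addressed
    to one of the WLC's own addresses, whichever interface they arrive on;
    forwarded client traffic is not subject to it. First match wins, and an
    implicit deny (assumed) catches anything that matches no rule."""
    if dst_ip not in WLC_ADDRESSES:
        return "not evaluated"
    for r in CPU_ACL:
        if r.direction not in ("Any", direction):
            continue
        if r.protocol is not None and r.protocol != proto:
            continue
        if not (r.src_ports[0] <= src_port <= r.src_ports[1]):
            continue
        if not (r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            continue
        return r.action
    return "Deny"

def capwap_join_allowed(mgmt_ip="192.0.2.10"):
    """An AP's CAPWAP control packet sent to the management address."""
    return cpu_acl_decision(mgmt_ip, UDP, CAPWAP_CONTROL, CAPWAP_CONTROL)

if __name__ == "__main__":
    print(cpu_acl_decision("192.0.2.10", TCP, 51000, 443), capwap_join_allowed())
```

With this rule set HTTPS to either WLC address is permitted, but the AP's CAPWAP control traffic falls through to the deny rule, which is why the APs lose their tunnel once the ACL is applied.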