ACL is not working on WLC

Prasan Venky
Level 3

Hello All,

I am testing my wireless network. I used some third-party tool and found that ports 443 and 22 are still open on the Dynamic Interface IP of the controller. When a guest user gained access and tries the interface IP, it shows the Username: prompt and then closes.

Can we restrict it by using an ACL? I tried an ACL but no luck.

Any help here..


8 Replies

Stephen Rodriguez
Cisco Employee

I believe that you need to create a CPU ACL to stop this.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Many thanks for your reply.

Can you please guide me here on how to deny 443 on the dynamic interface IP?

Here are some guides that will explain how:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Omg... I did it wrongly, I guess.

All my access to the WLC is gone now. It looks like in the ACL I have not permitted any any.

What can I do?

Reboot, and/or attach to the console port and remove the ACL from the interface and CPU.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

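The lockout above is the classic CPU ACL failure mode: a WLC ACL has an implicit deny at the end, so a CPU ACL that only contains deny rules blocks management from every source, wired included. The following is an added example, not part of this thread and not from Cisco's documentation, of an AireOS CPU ACL that denies HTTPS and SSH only from a guest subnet and ends with an explicit permit. The ACL name, the guest subnet 192.0.2.0/24 and the rule numbering are constructed placeholders; the `config acl` command syntax is assumed from the AireOS CLI and should be checked against `show acl` output on your own controller. Lines starting with `!` are annotations, not commands to type.

```cisco
! Create the ACL and rule 1: deny TCP/443 from the guest subnet (constructed range)
config acl create GUEST-CPU-ACL
config acl rule add GUEST-CPU-ACL 1
config acl rule source address GUEST-CPU-ACL 1 192.0.2.0 255.255.255.0
config acl rule protocol GUEST-CPU-ACL 1 6
config acl rule destination port range GUEST-CPU-ACL 1 443 443
config acl rule direction GUEST-CPU-ACL 1 any
config acl rule action GUEST-CPU-ACL 1 deny

! Rule 2: deny TCP/22 from the same guest subnet
config acl rule add GUEST-CPU-ACL 2
config acl rule source address GUEST-CPU-ACL 2 192.0.2.0 255.255.255.0
config acl rule protocol GUEST-CPU-ACL 2 6
config acl rule destination port range GUEST-CPU-ACL 2 22 22
config acl rule direction GUEST-CPU-ACL 2 any
config acl rule action GUEST-CPU-ACL 2 deny

! Rule 3: the explicit permit any that was missing in the thread.
! Without it the implicit deny drops wired management traffic too.
config acl rule add GUEST-CPU-ACL 3
config acl rule action GUEST-CPU-ACL 3 permit

! Push the ACL and bind it to the CPU
config acl apply GUEST-CPU-ACL
config acl cpu GUEST-CPU-ACL

! Verify, from a session that is still open, before saving
show acl cpu
show acl detail GUEST-CPU-ACL
```

Keep an existing console or SSH session open while applying the ACL and only run `save config` after confirming you can still reach the management interface from a trusted host; if access is lost, `config acl cpu none` from the console unbinds the ACL, or a reboot without saving reverts it, as happened in this thread.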

Yeah... I rebooted it... fortunately I didn't save it.. got access back... thanks for your care...

The CPU ACL resolved my previous issue. Now I am not getting 443 and 22 as open in my tool, but two new ports, 444 and 161113, are shown open.

How is it?

16666 is the 'mobility' port, it's what the WLC uses to communicate with other members of the Mobility Group.

For the most part, if you haven't enabled management-via-wireless and/or management-via-dynamic-interface you don't really need to worry about it.

The underlying *nix OS is what initially answers, but the actual application will kill the session.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


I got it Stephen... Thanks a lot for your time.