We have a lot of AP1010s and were thinking about having them on a separate VLAN / subnet due to security issues.
Therefore I have composed the following access-lists:
access-list 110 remark ACL_IN
access-list 110 permit udp any any eq bootps
access-list 110 permit udp any any eq domain
access-list 110 permit udp any any eq 12222
access-list 110 permit udp any any eq 12223
access-list 111 remark ACL_OUT
access-list 111 permit udp any any eq bootpc
access-list 111 permit udp host <dns-server> any gt 1023
access-list 111 permit udp any any eq 40066
Can anyone confirm that this is enough?
The APs seem to use port 40066 as their single return port.
Not really necessary to have the outgoing ACL, but if I can make one without too much hassle I thought it would be nice to have :)
The access point's port depends on the MAC address. It is random. So "access-list 111 permit udp any any eq 40066" is not necessary, as this might block communication between the controller and the access point.
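Added example, not code from the thread: a small Python evaluator for the two ACLs quoted above. It assumes constructed addresses for the AP (10.10.10.5), the DNS server (10.0.0.53) and the controller (10.0.0.10), and shows which AP flows each list permits and why a fixed "eq 40066" line does not match a randomly chosen AP source port.

```python
# Added example (not from the thread): evaluate the thread's IOS extended ACLs
# against the flows an LWAPP access point needs. Addresses are constructed.
import re

ACL_IN = """
access-list 110 remark ACL_IN
access-list 110 permit udp any any eq bootps
access-list 110 permit udp any any eq domain
access-list 110 permit udp any any eq 12222
access-list 110 permit udp any any eq 12223
"""

ACL_OUT = """
access-list 111 remark ACL_OUT
access-list 111 permit udp any any eq bootpc
access-list 111 permit udp host 10.0.0.53 any gt 1023
access-list 111 permit udp any any eq 40066
"""

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}

# Only the subset of IOS syntax used in the thread: udp, any/host, eq/gt/lt.
RULE = re.compile(
    r"access-list \d+ permit udp (any|host \S+) (any|host \S+)"
    r"(?: (eq|gt|lt) (\S+))?$"
)

def parse_acl(text):
    """Return (src, dst, op, dst_port) tuples; remark lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if m:
            src, dst, op, port = m.groups()
            port = (NAMED_PORTS.get(port) or int(port)) if port else None
            rules.append((src, dst, op, port))
    return rules

def _addr_match(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def permits(rules, src_ip, dst_ip, dst_port):
    """IOS semantics: first matching line wins; no match is the implicit deny."""
    for src, dst, op, port in rules:
        if not (_addr_match(src, src_ip) and _addr_match(dst, dst_ip)):
            continue
        if op is None or (op == "eq" and dst_port == port) \
           or (op == "gt" and dst_port > port) or (op == "lt" and dst_port < port):
            return True
    return False

if __name__ == "__main__":
    out = parse_acl(ACL_OUT)
    # Controller reply to a random AP source port: only "eq 40066" could match it.
    print("WLC -> AP port 51234 permitted:", permits(out, "10.0.0.10", "10.10.10.5", 51234))
```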