Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member


Hi, how are you?.  Sorry  by my questions and thanks for the patience.

I have a doubt. CPU ACL affects only the traffic of the management interface?.

For example:

Controller WLC 5508 version

Interface management IP address

Interface XX IP address

I have configured the following ACL and applied to CPU ACL:

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >show acl cpu        

CPU Acl Name................................ ACL

Wireless Traffic............................ Enabled

Wired Traffic............................... Enabled

(Cisco Controller) >show acl summary    

ACL Counter Status               Enabled


ACL Name                         Applied

-------------------------------- -------

ACL                              Yes   

(Cisco Controller) >show acl detailed ACL

                       Source                        Destination                Source Port  Dest Port

Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter

------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------

     1  In    6     0-65535   443-443    Any Permit           0

     2 Any    6    0-65535   443-443    Any Permit           0

     3 Any                 Any     0-65535     0-65535  Any   Deny          51

DenyCounter : 27

(Cisco Controller) >

I have the following doubts

It is not necessary to allow the ports of tunnel capwap?.

I have applied this ACL and traffic from Interface XX to is filter.  If I remove CPU ACL traffic to interface XX is permit.  Then CPU ACL affect all interfaces???.

Cisco Employee

Re: WLC 5508 CPU ACL


better a late reply than no reply at all ...

The CPU ACL actually filters traffic that is destined to one of the WLC ip addresses, so it works on all interfaces, but does not filter all types of traffic. Only traffic that is destined to the WLC itself.

So if you apply a CPU ACL, it is likely you need to either allow capwap ports or allow everything in the subnet where APs are.



CreatePlease to create content