Ah, sorry. My bad. Just recalled seeing this a while ago:
Cisco document ID: 109669

"CPU ACLs only filter traffic towards the CPU, and not any traffic exiting or generated by the CPU."

"Note: For the WLC 5500 series in versions 6.0 and later, the CPU ACL is applicable for traffic originated from the WLC as well. For the other WLC platforms, this behavior is implemented in versions 7.0 and later. Also, when creating CPU ACLs direction fields do not have any impact."

"LWAPP or CAPWAP data traffic is not affected by CPU ACLs rules on 4400 based controllers, control traffic is affected (if doing a strict ACL, you need to explicitly permit it).

Note: CAPWAP control traffic is not affected by CPU ACLs."

Alvin B
Quoting [email protected]:

Hi,

I'm trying to figure out how the ACL works when you enable both
wireless and wired mode of the CPU ACL mode. When you set up an ACL with
inbound permit, does it apply this single ACL rule on both the LAN
facing "wired" and the client facing "wireless"?
Another example, if I set up and apply this rule:
<src add> <dest add> <protocol> <src prt> <dest prt> <direction> <action>
1 any any udp dns any any permit
2 any any udp any dns any permit
Does rule 1 mean the WLC permits wireless clients requesting DNS service
to any DNS server and at the same time also means that the WLC (mgmt)
also can request DNS service from any DNS server on the LAN side? I
read on some CCIE candidate's blog that when you set any any to the src
and dest addresses, the direction will be "any" regardless of the set
direction.
Also, do I need to apply rule 2 so that return traffic from the LAN side
is permitted to the WLC, as well as from the WLC to the wireless client?

Very puzzling, as I think the rules for a full session need to be
applied in both directions, as applying them in only one direction can cause a
problem with the other direction due to the implicit deny. This confuses
further when you apply both wired and wireless CPU ACL mode.
Any ideas?

Alvin B
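As an added example (not from the thread, Cisco's document, or any WLC code): a small stateless model of the rule format pasted in the question, with the first matching rule winning and an implicit deny at the end. Read column by column, rule 1 (source port dns) covers the server's reply and rule 2 (destination port dns) covers the client's query, so either rule alone leaves half of the session hitting the implicit deny. The IP addresses, ports and the "inbound"/"outbound" labels are constructed for the demonstration, and the direction handling is an assumption of the model, not a statement about how the controller evaluates it.

```python
# Column order of the rules quoted in the question:
# <seq> <src> <dst> <proto> <sport> <dport> <direction> <action>
PORT_KEYWORDS = {"dns": 53}          # the only port keyword the thread uses
FIELDS = ("src", "dst", "proto", "sport", "dport", "direction")


def parse_rule(line):
    """Parse one rule line into (match-dict, action); the leading sequence
    number is dropped and port keywords are resolved to numbers."""
    _, src, dst, proto, sport, dport, direction, action = line.split()

    def port(p):
        return "any" if p == "any" else PORT_KEYWORDS.get(p) or int(p)

    match = dict(zip(FIELDS, (src, dst, proto, port(sport), port(dport), direction)))
    return match, action


def evaluate(rules, pkt):
    """First matching rule wins; unmatched traffic hits the implicit deny.
    Assumption: a purely stateless model with no return-traffic tracking,
    where a direction of 'any' in the rule matches either direction."""
    for match, action in rules:
        if all(v == "any" or v == pkt[f] for f, v in match.items()):
            return action
    return "deny"


def packet(src, dst, proto, sport, dport, direction):
    return dict(zip(FIELDS, (src, dst, proto, sport, dport, direction)))


# Constructed sample session: a client's DNS query and the server's reply.
QUERY = packet("10.0.0.5", "192.0.2.53", "udp", 40000, 53, "inbound")
REPLY = packet("192.0.2.53", "10.0.0.5", "udp", 53, 40000, "outbound")


def session_verdict(rule_lines):
    """Verdicts for (query, reply) under the given rule lines."""
    rules = [parse_rule(line) for line in rule_lines]
    return evaluate(rules, QUERY), evaluate(rules, REPLY)


if __name__ == "__main__":
    only_rule1 = ["1 any any udp dns any any permit"]
    both = only_rule1 + ["2 any any udp any dns any permit"]
    print("rule 1 only  (query, reply):", session_verdict(only_rule1))
    print("rules 1 + 2  (query, reply):", session_verdict(both))
```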



_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
