We are running CPU ACLs both on IPv4 and IPv6. The obvious thing is that you 
want to make sure to account for all your CAPWAP sources and all your 
management stations. If you use Prime Infrastructure to manage your WLCs, 
definitely don't forget accounting for that.

Also for Prime: its ACL builder is horrible, so we kept it intentionally simple 
with the least number of ACEs (often permitting all IP traffic instead of 
branching out to protocols, for example on the dedicated networks for APs 
sourcing CAPWAP tunnels). The worst gotcha is that ACLs are submitted line by 
line, which at one point locked out Prime itself since it created something 
that didn't account for itself. The workaround is to always first disable CPU 
ACLs entirely, then to submit the new ACL, double check that it's applied 
correctly, and to only then re-enable it for enforcement.

Otherwise we've had no issues whatsoever.

Hope that helps,

felix

Dartmouth
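
An added example, not from felix's post or from Cisco's or Prime's own tooling: a small Python pre-flight check that models the first-match evaluation of a WLC CPU ACL (with its implicit trailing deny) and refuses to emit the apply sequence until every required CAPWAP and management source is permitted, which is exactly the self-lockout described above. The ACE values, source addresses and ACL name are constructed; the AireOS command strings are written from memory as an assumption and should be checked against the controller's own CLI reference before use.

```python
"""Pre-flight check for a Cisco WLC CPU ACL before it is enforced.

Added example for the list thread; not code from the original post.
Addresses, ACL name and required-source list are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol names to IP protocol numbers as AireOS expects them (assumption).
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    source: str                    # source network in CIDR form
    protocol: str = "any"          # "any", "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None  # None means any destination port


def evaluate(aces: List[Ace], src_ip: str, protocol: str = "any",
             dst_port: Optional[int] = None) -> str:
    """First-match evaluation; a CPU ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for ace in aces:
        net = ipaddress.ip_network(ace.source, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        if ace.protocol != "any" and ace.protocol != protocol:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# (label, source IP, protocol, destination port) that must stay reachable.
Required = Tuple[str, str, str, Optional[int]]

REQUIRED: List[Required] = [                      # constructed sample data
    ("capwap-ap-subnet", "10.20.0.10", "udp", 5246),  # CAPWAP control
    ("capwap-ap-subnet", "10.20.0.10", "udp", 5247),  # CAPWAP data
    ("prime-infrastructure", "10.1.1.50", "udp", 161),  # SNMP from Prime
    ("prime-infrastructure", "10.1.1.50", "tcp", 443),  # HTTPS from Prime
    ("admin-workstation", "10.1.2.7", "tcp", 22),       # SSH from admins
]


def missing_sources(aces: List[Ace], required: List[Required]) -> List[str]:
    """Labels of required sources the ACL would block, in first-seen order."""
    blocked = [label for label, ip, proto, port in required
               if evaluate(aces, ip, proto, port) != "permit"]
    return list(dict.fromkeys(blocked))


def apply_plan(acl_name: str, aces: List[Ace],
               required: List[Required]) -> List[str]:
    """Emit the safe ordering from the post: disable, build, verify, re-enable.

    Raises before producing anything if the ACL would lock out a required
    source, so the enforcement step can never be reached with a bad ACL.
    """
    missing = missing_sources(aces, required)
    if missing:
        raise ValueError(f"ACL {acl_name} would lock out: {missing}")
    cmds = ["config acl cpu none",            # 1. stop enforcing the old ACL
            f"config acl create {acl_name}"]  # 2. build the new one
    for i, ace in enumerate(aces, start=1):
        net = ipaddress.ip_network(ace.source, strict=False)
        cmds.append(f"config acl rule add {acl_name} {i}")
        cmds.append(f"config acl rule source address {acl_name} {i} "
                    f"{net.network_address} {net.netmask}")
        if ace.protocol != "any":
            cmds.append(f"config acl rule protocol {acl_name} {i} "
                        f"{PROTO_NUM[ace.protocol]}")
        if ace.dst_port is not None:
            cmds.append(f"config acl rule destination port range "
                        f"{acl_name} {i} {ace.dst_port} {ace.dst_port}")
        cmds.append(f"config acl rule action {acl_name} {i} {ace.action}")
    cmds.append(f"config acl apply {acl_name}")      # 3. commit the rules
    cmds.append(f"show acl detailed {acl_name}")     # 4. eyeball before enforcing
    cmds.append(f"config acl cpu {acl_name}")        # 5. only now enforce
    return cmds


# A draft that forgets Prime, and the corrected version.
DRAFT_ACL = [
    Ace("permit", "10.20.0.0/16"),            # AP networks: permit all IP
    Ace("permit", "10.1.2.0/24", "tcp", 22),  # admin SSH
]
FIXED_ACL = DRAFT_ACL + [Ace("permit", "10.1.1.50/32")]  # Prime, all IP

if __name__ == "__main__":
    print("draft blocks:", missing_sources(DRAFT_ACL, REQUIRED))
    print("\n".join(apply_plan("MGMT-CPU", FIXED_ACL, REQUIRED)))
```

The check is deliberately conservative: a required source must be permitted for the exact protocol and port it uses, so a "permit all IP" entry for a subnet satisfies it while a narrower entry only does if it names the right port. Keep the IPv6 side in a separate required list, since the WLC keeps IPv4 and IPv6 ACLs apart and the evaluator never matches an address against a network of the other family.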

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Dennis Xu <d...@uoguelph.ca>
Sent: Tuesday, December 15, 2015 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC CPU ACL

Has anyone implemented CPU ACL on Cisco WLCs and any lessons learned?

I would like to apply CPU ACLs to protect WLC dynamic interfaces and hope it 
will not break anything. :)

Thanks!

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
