Traffic Filtering on AP by Source IP ACL

Feature History for Traffic Filtering on AP by Source IP ACL

This table provides release and related information about the feature explained in this section.

Unless noted otherwise, this feature is also available in all releases subsequent to the one in which it was introduced.

Table 1. Feature history for traffic filtering on AP by source IP ACL

Release: Cisco IOS XE 17.18.1

Feature Information: This feature enables APs to filter incoming data packets based on their source IP address. This is achieved when the controller pushes Access Control List (ACL) rules to the AP. This feature is supported in both FlexConnect mode and Local mode.

Traffic Filtering on AP by Source IP ACL

This feature enables APs to filter incoming data packets based on their source IP address. This is achieved when the controller pushes Access Control List (ACL) rules to the AP.

Its primary purpose is to:

  • let the AP act as the enforcement point that filters incoming packets based on their source IP address, while the controller manages the relevant ACL rules and pushes them to the AP.

  • enhance the security of AP services by allowing administrators to restrict access to trusted sources or block known malicious entities, regardless of whether the AP is operating in FlexConnect mode or Local mode.

This feature is supported in both FlexConnect mode and Local mode.

Configure AP management ACL on controller

Follow these steps to define the AP management ACL rules, configure ACL on the controller, attach the site tag to the AP profile, and map the site tag to the AP.

Note


  • The default action of the AP management (AP MGMT) ACL is allow, so you do not need to add an allow-all entry at the end of the ACL.

  • Do not block UDP source ports 5246/5247 (CAPWAP control and data). If you do, the AP loses its CAPWAP registration immediately after the TLV is pushed to the AP, and the only way to recover is to clear the configuration on the controller and factory-reset the AP.


Define AP management ACL rules

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Define an extended IP access-list.

Example:

Device(config)# ip access-list extended deny-host-ssh
Device(config)# ipv6 access-list deny-host-ssh-v6

Step 3

Define rules to deny SSH connection from IPv4 and IPv6 source addresses.

Example:

Device(config-ext-nacl)# 10 deny tcp host 100.100.202.1 any eq 22
Device(config-ext-nacl)# 11 deny tcp host 100.100.202.2 any eq 22
Device(config-ipv6-acl)# sequence 10 deny tcp host 2001:1202:DED::1 any eq 22

The AP management ACL rules are now defined.

Example

Device# configure terminal
Device(config)# ip access-list extended deny-host-ssh
Device(config-ext-nacl)# 10 deny tcp host 100.100.202.1 any eq 22
Device(config-ext-nacl)# 11 deny tcp host 100.100.202.2 any eq 22
Device(config)# ipv6 access-list deny-host-ssh-v6
Device(config-ipv6-acl)# sequence 10 deny tcp host 2001:1202:DED::1 any eq 22
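The following Python script is an added example, not part of the Cisco documentation or the controller software. It parses ACEs in the controller syntax shown above, evaluates a packet against them the way the note describes (first match wins, no match means allow), and checks whether a rule set would deny CAPWAP control/data traffic from the controller (UDP source ports 5246/5247) before the ACL is pushed. The controller address 10.0.0.1 and the `deny udp ... range 5246 5247` entry are constructed for illustration; wildcard-mask and destination-address matching are not modelled.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "seq action proto src src_ports dst_ports")  # src: ip_address or None=any
CAPWAP_PORTS = (5246, 5247)  # UDP source ports the page says must never be denied

def _addr(toks, i):
    # 'host <addr>' or 'any' -> (ip_address or None, next token index)
    if toks[i] == "host":
        return ipaddress.ip_address(toks[i + 1]), i + 2
    assert toks[i] == "any", f"unsupported address token {toks[i]!r}"
    return None, i + 1

def _ports(toks, i):
    # optional 'eq N' or 'range A B' -> ((lo, hi) or None, next token index)
    if i < len(toks) and toks[i] == "eq":
        return (int(toks[i + 1]),) * 2, i + 2
    if i < len(toks) and toks[i] == "range":
        return (int(toks[i + 1]), int(toks[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """Parse one ACE in the controller syntax shown on the page (IPv4 or IPv6 form)."""
    toks = line.split()
    if toks[0] == "sequence":          # IPv6 ACLs prefix the sequence number with this keyword
        toks = toks[1:]
    seq, action, proto = int(toks[0]), toks[1].lower(), toks[2].lower()
    src, i = _addr(toks, 3)
    sports, i = _ports(toks, i)
    _dst, i = _addr(toks, i)           # destination is the AP itself, so it is not matched here
    dports, _ = _ports(toks, i)
    return Rule(seq, action, proto, src, sports, dports)

def _in(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(rules, src_ip, proto, src_port=None, dst_port=None):
    """First matching ACE wins; no match means permit (the AP MGMT ACL default action is allow)."""
    src_ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.seq):
        if (r.proto in (proto, "ip", "ipv6") and (r.src is None or r.src == src_ip)
                and _in(r.src_ports, src_port) and _in(r.dst_ports, dst_port)):
            return r.action
    return "permit"

def capwap_at_risk(rules, controller_ip):
    """True if the ACL would deny CAPWAP control/data from the controller (UDP source 5246/5247)."""
    return any(evaluate(rules, controller_ip, "udp", src_port=p) == "deny" for p in CAPWAP_PORTS)

PAGE_V4 = [parse_ace("10 deny tcp host 100.100.202.1 any eq 22"),   # ACEs taken from the page
           parse_ace("11 deny tcp host 100.100.202.2 any eq 22")]
BAD_V4 = PAGE_V4 + [parse_ace("20 deny udp any range 5246 5247 any")]  # constructed lock-out case
```

Running `capwap_at_risk(BAD_V4, "10.0.0.1")` returns True, which is the rule set the note warns would strand the AP; the page's own rules return False.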

Configure AP management ACL on the controller

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the AP profile.

Example:

Device(config)# ap profile flex-ap-profile

Step 3

Configure the AP management access list.

Example:

Device(config-ap-profile)# access-list {access-list-v4 | access-list-v6} access-list-name

Step 4

Exit sub-mode.

Example:

Device(config-ap-profile)# exit

The AP management ACL is now configured on the controller.

Example

Device# configure terminal
Device(config)# ap profile flex-ap-profile
Device(config-ap-profile)# access-list access-list-v4 deny-host-ssh
Device(config-ap-profile)# access-list access-list-v6 deny-host-ssh-v6
Device(config-ap-profile)# exit

What to do next

Attach the site tag to the AP profile and then map the site tag to the AP. For example:

Device(config)# wireless tag site flex-site-tag
Device(config-site-tag)# description "flex site tag"
Device(config-site-tag)# ap-profile flex-ap-profile
Device(config-site-tag)# no local-site

Device(config)# ap 48XX.d5XX.e3XX
Device(config-ap-tag)# site-tag flex-site-tag

Verify mapped ACLs

Verify mapped ACL details

To verify the detailed AP profile configuration with mapped ACLs, on the controller, run the show ap profile name ap-profile-name detailed command:

Device# show ap profile name flex-ap-profile detailed
AP Profile Name               : flex-ap-profile
Description                   : 
Country code                  : Not configured
Stats Timer                   : 180
Link Latency                  : DISABLED
Data Encryption               : DISABLED
LED State                     : ENABLED
…
…
…

AP broken antenna detection :
  Status                      : DISABLED
RLAN Configurations : 
  Fast Switching               : DISABLED
Onboarding configuration      : Unicast
Pressure sensor :
  Mode                         : AUTO
Accelerometer Sensor          : ENABLED
AP statistics                  : DISABLED
Radio statistics               : DISABLED
AP Deployment Mode                  : Not Configured
Static path MTU                  : 0
AP Management IPv4 ACL              : deny-host-ssh
AP Management IPv6 ACL              : deny-host-ssh-v6
AP Profile Name               : test_ap_profile
Description                   : 
Country code                  : Not configured
Stats Timer                   : 180
Link Latency                  : DISABLED
Data Encryption               : DISABLED
LED State                     : ENABLED
…
…
…
AP broken antenna detection :
  Status                      : DISABLED
RLAN Configurations : 
  Fast Switching               : DISABLED
Onboarding configuration      : Unicast
Pressure sensor :
  Mode                         : AUTO
Accelerometer Sensor          : ENABLED
AP statistics                  : DISABLED
Radio statistics               : DISABLED
AP Deployment Mode                  : Not Configured
Static path MTU                  : 0
AP Management IPv4 ACL              : deny-host-ssh
AP Management IPv6 ACL              : deny-host-ssh-v6

Verify AP management ACL on AP

To verify the IPv4 AP management ACL on the AP, run the show ip access-lists command.

Cisco-AP# show ip access-lists 
AP MGMT ACLs:
Extended IP access list deny-host-ssh
   1 deny tcp 100.100.202.1 0.0.0.0 range 0 65535 any eq 22
   2 deny tcp 100.100.202.2 0.0.0.0 range 0 65535 any eq 22

To verify the IPv6 AP management ACL on the AP, run the show ipv6 access-list command.

Cisco-AP# show ipv6 access-list
AP MGMT ACLs:
Extended IPv6 access list deny-host-ssh-v6
    1 deny tcp host 2001:1202:ded::1 range 0 65535 any eq 22

Verify AP host firewall ACL drop count

To verify the ACL drop count statistics on the AP (the Drop-by-ACL counter), run the show datapath gateway l2l3 statistics command.

Cisco-AP# show datapath gateway l2l3 statistics 
error stats:
Eth-Errs IP-Errs Drops MAC-filters Drop-by-ACL
       0       0     0           0           0
to host stats:
  IPv4   IPv6   ARP   Other
  108115 98915  46130     0
from host stats:
  IPv4   IPv6  ARP  Other
  136571 4288 12243     0
to routing stats:
IPv4 IPv6 ARP
   0    0   0