
How do we set up an ACL on a Cisco AIR-CAP3702I-B-K9?

victoriabardy
Level 4

Hello,

 

We need to set up a MAC filtering access list to keep certain devices from roaming to another location that shares a wall and is using the same SSID. Does anyone here on the forum know what commands we would use to accomplish this? Are there CAPWAP-specific commands involved? Please let me know if you do.

 

Thank you.

Vicky


Hi

 Basic example config:

 

configure terminal
access-list 701 deny 0811.967e.c384 0000.0000.0000
dot11 association mac-list 701
end

 

This assumes, of course, an IOS AP. For a CAPWAP AP, which means one joined to a WLC, the config must be done on the WLC side.

 

 If you are using Mobility Express, most probably, then the command on the Mobility Express WLC would be:

config macfilter add MAC_address wlan_id [interface_name] [description] [IP address]

For a Mobility Express AP only, I did not find a similar command.

 

 

-If I helped you somehow, please, rate it as useful.-

 

 

Flavio,

 

 

I have this same issue. I have set up the ACL on the WLC. However, where do I apply this ACL to an AP?

 

Thank you,

Frank

 

It depends on what you're trying to accomplish.

 A MAC filter in an environment with a WLC is applied on the WLAN and not on the AP.

 The only situation I remember where you apply an ACL directly on the AP when you have a WLC is a FlexConnect ACL for a guest SSID.

 

 

-If I helped you somehow, please, rate it as useful.-

What I'm trying to accomplish is the following.



I have 2 stores with separate networks. However, the stores share a wall, meaning the broadcast SSID can be seen from the AP in store # 1 and store # 2. Each store is using the same SSID as well.



So what I'm trying to do is have all the clients in store # 1 only connect to the AP in store # 1 and not the AP in store # 2.



What I wanted to do was create a Deny ACL. So I would gather the MAC addresses from store # 1 and deny them at the store # 2 AP. Then I would apply the same on the other end as well.



Thank you,


I have to say this is a bad design. With a different SSID, and assuming you know all the possible MAC addresses that need to connect to store 1 and those that can connect to store 2, which I believe is really difficult, then you could use a MAC filter just to make sure someone from store 1 does not connect to store 2.

 But with the same SSID it will be a mess.

 Clients will try to connect and, on receiving a deny, they will complain that the network is not working. After all, they don't know which AP they must connect to, and they will not have an option.

 

 

-If I helped you somehow, please, rate it as useful.-
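
The per-store deny list discussed in this thread, as an added example that is not part of any reply: it turns a client inventory into the autonomous IOS AP syntax from the first answer and evaluates the result. The sample inventory and function names are constructed, and the trailing permit entry is an assumption based on the implicit deny that ends an IOS access list.

```python
import re

# Constructed sample inventory (not from the thread): store 1 client MACs in the
# mixed notations that inventories and DHCP exports tend to contain.
STORE1_CLIENTS = ["08:11:96:7E:C3:84", "0811.967e.c384", "a4-5e-60-01-02-03", "da:a1:19:00:00:01"]

def to_cisco(mac):
    """Normalize any common MAC notation to Cisco dotted form (xxxx.xxxx.xxxx)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12 or re.search(r"[^0-9a-fA-F.:\-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def is_randomized(mac):
    """Locally administered bit (0x02 of the first octet) marks a private/randomized MAC."""
    return bool(int(to_cisco(mac)[:2], 16) & 0x02)

def build_acl(macs, acl_id=701):
    """Return (config_lines, skipped): one exact-match deny per unique burned-in MAC."""
    if not 700 <= acl_id <= 799:
        raise ValueError("MAC address access lists use numbers 700-799")
    seen, skipped, lines = set(), [], ["configure terminal"]
    for mac in macs:
        norm = to_cisco(mac)
        if is_randomized(mac):
            skipped.append(norm)  # address can change, so a static deny cannot track it
        elif norm not in seen:
            seen.add(norm)
            lines.append(f"access-list {acl_id} deny {norm} 0000.0000.0000")
    # Assumption: without a final permit-any entry, the implicit deny at the end
    # of the list would refuse every other client as well.
    lines.append(f"access-list {acl_id} permit 0000.0000.0000 ffff.ffff.ffff")
    lines += [f"dot11 association mac-list {acl_id}", "end"]
    return lines, skipped

def acl_permits(lines, mac):
    """Evaluate the generated entries top-down; mask bits set to 1 are 'don't care'."""
    value = int(to_cisco(mac).replace(".", ""), 16)
    for line in lines:
        m = re.match(r"access-list \d+ (deny|permit) (\S+) (\S+)$", line)
        if m:
            addr, mask = (int(x.replace(".", ""), 16) for x in m.group(2, 3))
            if (value | mask) == (addr | mask):
                return m.group(1) == "permit"
    return False  # implicit deny when nothing matches

if __name__ == "__main__":
    config, skipped = build_acl(STORE1_CLIENTS)
    print("\n".join(config))
    print("! randomized, not filterable by static MAC:", ", ".join(skipped))
```

Clients that use a private (randomized) Wi-Fi address end up in the skipped list, which is one reason a static MAC deny list is hard to keep complete.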

 
