Surendra BG
Cisco Employee

Autonomous Access Point ACL Filter Configuration

The configurations below show how ACLs are set up on Autonomous (IOS-based) access points: standard, named standard, extended and time-based. They are a handy reference for more than just the examples given here.

Configuring standard ACL
============================

You can use standard ACLs to permit or deny traffic from client devices on the WLAN based on the IP address of the client. A standard ACL compares only the source address of each IP packet against the addresses configured in the ACL, which is why it is also called a source-IP-address-based ACL. Two caveats: the ACL filters IP packets after the client has already associated, so it does not keep a device off the WLAN itself (use MAC authentication or a MAC filter for that), and a client that simply changes its IP address no longer matches a host entry. Every IOS ACL ends with an implicit deny, so the final permit any is what lets all other clients through.

en
conf t
access-list 10 deny host <ip addr of the client>
access-list 10 permit any

Example:

en
conf t
access-list 10 deny host 192.168.10.1
access-list 10 permit any

Apply it inbound on the radio interface, so that packets arriving from wireless clients are filtered. The number in ip access-group must match the number of the ACL you defined (ACL 10 above):

interface Dot11Radio0
ip access-group 10 in

Done!!

Standard named ACLs work the same way
=============================

en
conf t
ip access-list standard <name>
deny host <ip addr>
permit any
exit

interface Dot11Radio0
ip access-group <name> in

Example:

en
conf t
ip access-list standard test
deny host 192.168.10.1
permit any
exit

interface Dot11Radio0
ip access-group test in
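The following is an added example for both the numbered and the named standard ACL sections above; it is not part of the original post. It blocks one client and one whole subnet by source address, uses remark lines so the intent survives in the running config, and finishes with the show commands used to confirm the ACL is bound to the radio and is counting hits. The addresses (192.168.10.50 as a single misbehaving client, 192.168.20.0/24 as a guest subnet) and the ACL name are assumptions.

```cisco
! Added example, not from the original post. Addresses and ACL name are assumptions.
! Wildcard masks are the inverse of the subnet mask: 0.0.0.255 covers a /24.
configure terminal
ip access-list standard WLAN-SRC-FILTER
 remark Block a single client by its source address
 deny   host 192.168.10.50
 remark Block an entire /24 (guest subnet) by source address
 deny   192.168.20.0 0.0.0.255
 remark Required: without this line the implicit deny at the end drops all other clients
 permit any
 exit
!
! "in" on the radio = packets arriving from wireless clients toward the AP and the wired side
interface Dot11Radio0
 ip access-group WLAN-SRC-FILTER in
 exit
end
!
! Verify the binding and watch the per-entry hit counters grow as packets match
show ip interface Dot11Radio0 | include access list
show access-lists WLAN-SRC-FILTER
```

The hit counters from show access-lists are the quickest way to tell whether an entry is actually matching; if the permit any counter rises but a deny never does, the source address in that entry is wrong or the ACL is applied in the wrong direction.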

EXTENDED ACLs on the AP
========================

Extended ACLs compare both the source and destination addresses of IP packets against the addresses configured in the ACL, and can additionally match on protocol and port. This gives much finer control when implementing filters on a WLAN.

Example: deny all traffic through the AP and allow only DHCP (adjust the permit lines for the protocols you need). Two things to keep in mind: DHCP uses UDP source port 68 (bootpc) on the client side and destination port 67 (bootps) on the server side, so the request and the reply need separate permit lines, and an explicit deny ip any any applied inbound on the Ethernet interface also drops traffic addressed to the AP's own BVI address, which cuts off Telnet/SSH/HTTP management from the wired side. Keep a console session open while testing and add permits for your management hosts above the deny.

en
conf t
ip access-list extended hi
remark client DHCP request: src port 68 (bootpc) -> dst port 67 (bootps)
permit udp any eq bootpc any eq bootps
remark server DHCP reply: src port 67 (bootps) -> dst port 68 (bootpc)
permit udp any eq bootps any eq bootpc
deny ip any any
exit

interface Dot11Radio0
ip access-group hi in

interface Dot11Radio0.X
ip access-group hi in

interface GigabitEthernet0
ip access-group hi in

interface GigabitEthernet0.X
ip access-group hi in
end

DONE!!
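As an added example that is not part of the original post, here is a more realistic client-facing extended ACL: DHCP and DNS are allowed, wireless clients are kept away from the management network, and everything else is permitted. It is applied inbound on the radio only, so the AP's own wired-side management is not affected. The subnets (192.168.10.0/24 for wireless clients, 10.0.0.0/24 for infrastructure, 10.0.0.53 as the resolver) and the ACL name are assumptions.

```cisco
! Added example, not from the original post. Subnets, resolver address and ACL name are assumptions.
! Order matters: IOS evaluates entries top to bottom and stops at the first match.
configure terminal
ip access-list extended WLAN-CLIENT-IN
 remark DHCP request from clients (src 68 bootpc -> dst 67 bootps); source is 0.0.0.0 before lease, hence "any"
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver only, UDP and TCP
 permit udp 192.168.10.0 0.0.0.255 host 10.0.0.53 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Wireless clients must not reach the management/infrastructure subnet; log attempts
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255 log
 remark Everything else from the client subnet is allowed
 permit ip 192.168.10.0 0.0.0.255 any
 remark Explicit final deny so the drop is visible in the hit counters
 deny   ip any any log
 exit
!
! Inbound on the radio = traffic from wireless clients; wired-side management stays unfiltered
interface Dot11Radio0
 ip access-group WLAN-CLIENT-IN in
 exit
end
!
show access-lists WLAN-CLIENT-IN
```

The deny toward 10.0.0.0/24 sits above the broad permit on purpose; if the two were swapped, the permit would match first and the management subnet would be reachable. The log keyword on the deny entries produces a syslog message per matching flow, which is what you want for spotting clients probing the infrastructure network.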

Time-based ACLs
===================

Time-based ACLs are ACLs whose entries are active only during a defined period. A time-range is attached to an individual entry; outside the range that entry is treated as not matching, so the packet falls through to the entries below it and finally to the implicit deny. This makes it easy to write policies that permit or deny certain traffic only at certain times.

The example below configures a time-based ACL through the CLI so that Telnet from the inside network (192.168.10.0/24) to the outside network (172.16.1.0/24) is permitted on weekdays during business hours. Because of the implicit deny, nothing else passes inbound on that interface, at any time; add further permit entries if that is not what you want. The AP's clock must be correct for the time-range to work, so configure an SNTP/NTP server and time zone first. Telnet is used here because it is the classic example; in practice filter SSH (TCP port 22) instead.

Note: A time-based ACL can be applied either on the Ethernet port or on the radio port of the Aironet AP, depending on your requirements. ACLs cannot be applied on the Bridge Group Virtual Interface (BVI), which is where the AP's own IP address is configured.

en
conf t
time-range hi
periodic weekdays 9:00 to 19:00
exit
ip access-list extended 111
permit tcp 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range hi
exit

interface GigabitEthernet0
ip access-group 111 in

DONE!!
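The following is an added example, not part of the original post, that carries the time-based idea through for a wireless client WLAN: SSH to a management host is allowed only on weekdays 09:00 to 19:00, all other access from clients to that host is denied at any time, and everything else is always permitted. It also sets the AP's time source, which the original example omits. The NTP server 10.0.0.1, the management host 10.0.0.10, the client subnet 192.168.10.0/24 and the names are assumptions.

```cisco
! Added example, not from the original post. Addresses and names are assumptions.
! A time-range is only as good as the AP clock: set a time source and zone first.
configure terminal
sntp server 10.0.0.1
clock timezone UTC 0
!
time-range BUSINESS-HOURS
 periodic weekdays 9:00 to 19:00
 exit
!
ip access-list extended RADIO-IN
 remark DHCP must work at all times or clients never get an address
 permit udp any eq bootpc any eq bootps
 remark SSH to the management host only inside the window (Telnet is cleartext, so port 22 is used)
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.10 eq 22 time-range BUSINESS-HOURS
 remark Outside the window the entry above does not match and SSH falls through to this deny
 deny   ip 192.168.10.0 0.0.0.255 host 10.0.0.10
 remark All other client traffic is allowed around the clock
 permit ip any any
 exit
!
interface Dot11Radio0
 ip access-group RADIO-IN in
 exit
end
!
! Verify that the clock is synchronized and whether the window is currently active or inactive
show clock
show sntp
show time-range BUSINESS-HOURS
show access-lists RADIO-IN
```

show time-range reports the range as active or inactive, and show access-lists marks a time-limited entry with its time-range name and state, so both commands together tell you whether the SSH entry is currently matching or being skipped.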

Comments

Good One
