move a mac access-list

OK, we have a MAC access-list that is set, and we want it set only on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not defined under the SSID nor under any interface for that SSID:

dot11 association mac-list 701

I just can't figure out where to move it and how.  Any help would be great.

Here is my config:

BER-AP18#show running-config
Building configuration...

Current configuration : 11695 bytes
!
! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BER-AP18
!
enable secret 5 SECRET

!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain name domain.com
ip name-server 10.0.36.73
ip name-server 10.0.36.38
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 701
dot11 vlan-name Wireless vlan 22
!
dot11 ssid SWLAN
   vlan 36
   authentication open mac-address mac_methods
!
dot11 ssid WSLAN
   vlan 22
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 SECRET
!
crypto pki trustpoint TP-self-signed-689020510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-689020510
revocation-check none
rsakeypair TP-self-signed-689020510
!
!
username WirelessAdmin privilege 15 password 7 SECRET

username 00166f44ec4f password 7 075F711D185F1F514317085802
username 00166f44ec4f autocommand exit
username 00166f46e83c password 7 15425B5D527C2D707E366D7110
username 00166f46e83c autocommand exit
username 00166f6bc2be password 7 091C1E584F531144090F56282E
username 00166f6bc2be autocommand exit

!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 SECRET transmit-key
encryption mode wep mandatory
!
encryption vlan 2 mode ciphers tkip
!
encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
encryption vlan 36 mode wep mandatory
!
encryption vlan 22 mode ciphers tkip
!
broadcast-key change 30
!
!
ssid SWLAN
!
ssid WSLAN
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
power local 1
no power client local
power client 100
channel 2427
station-role root
rts threshold 2312
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 block-unknown-source
no bridge-group 22 source-learning
no bridge-group 22 unicast-flooding
bridge-group 22 spanning-disabled
!
interface Dot11Radio0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
bridge-group 36 subscriber-loop-control
bridge-group 36 block-unknown-source
no bridge-group 36 source-learning
no bridge-group 36 unicast-flooding
bridge-group 36 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
no bridge-group 22 source-learning
bridge-group 22 spanning-disabled
!
interface FastEthernet0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
no bridge-group 36 source-learning
bridge-group 36 spanning-disabled
!
interface BVI1
ip address 10.0.0.18 255.255.255.0
no ip route-cache
!
interface BVI22
no ip address
no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
access-list 111 permit tcp any any neq telnet
access-list 701 permit 0016.6f38.5a75   0000.0000.0000
access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
access-list 701 permit 0016.6f72.8730   0000.0000.0000
access-list 701 permit 0016.6f6b.c156   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
line vty 5 15
access-class 111 in
!
sntp server 10.0.36.38
end

3 REPLIES

Re: move a mac access-list

The dot11 ACL will hit all the wireless traffic. To link that ACL to a specific SSID, you would put it in the bridge-group config under the FastEthernet subinterface.


HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

Re: move a mac access-list

So like this:

interface FastEthernet0.36
 bridge-group 36 input-address-list 701

It says this will filter packets by source address.

and remove the dot11 command:

no dot11 association mac-list 701

Re: move a mac access-list

That looks good. I always get input vs. output backwards. If it doesn't block the correct traffic, reverse the direction.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

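A check a practitioner would want before declaring this fixed: on an autonomous AP, `dot11 association mac-list` is global, so it applies to every SSID on the radio, while `bridge-group N input-address-list` filters the source MAC of frames received on the interface it sits under. Frames from wireless clients are received on the radio subinterface (Dot11Radio0.36 for VLAN 36), so an input filter placed under FastEthernet0.36 would be matched against frames arriving from the wired switch instead. Note too that the posted config already has a second, separate MAC list in play: SWLAN uses `authentication open mac-address mac_methods` against the local `username <mac>` entries, and those MACs are not the same set as access-list 701. The script below is an added example, not code from the thread or from Cisco. It parses the subset of IOS syntax visible on this page (numbered MAC ACLs 700-799, the global mac-list, and the per-interface input/output address lists), reports the scope each ACL actually gets, and evaluates an address against the ACL with IOS first-match and implicit-deny semantics. The three config fragments are constructed from the posted config and the placement discussed in the replies; the finding texts are my own wording.

```python
"""Audit where a Cisco autonomous-AP MAC access-list is actually enforced.

Added example, not code from the thread or from Cisco. It understands only the
IOS syntax visible in the posted config: 'access-list 7xx permit|deny <mac> <wildcard>',
the global 'dot11 association mac-list', and the per-interface
'bridge-group N input-address-list / output-address-list' commands.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MacAce:
    action: str      # "permit" or "deny"
    mac: int         # 48-bit address
    wildcard: int    # IOS wildcard mask: a 1 bit means "don't care"


@dataclass(frozen=True)
class AclRef:
    acl: int
    scope: str       # "global-association", "input-address-list" or "output-address-list"
    interface: str   # "" for the global dot11 association mac-list


def _mac_int(dotted: str) -> int:
    return int(dotted.replace(".", ""), 16)


def parse_mac_acls(config: str) -> dict:
    """Collect numbered MAC ACL entries (700-799) in the order they appear."""
    pat = re.compile(r"access-list (\d+) (permit|deny)\s+([0-9a-f.]+)\s+([0-9a-f.]+)", re.I)
    acls = {}
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m and 700 <= int(m.group(1)) <= 799:
            acls.setdefault(int(m.group(1)), []).append(
                MacAce(m.group(2).lower(), _mac_int(m.group(3)), _mac_int(m.group(4))))
    return acls


def evaluate(acl: list, mac: str) -> str:
    """First matching entry wins; an IOS MAC ACL ends with an implicit deny."""
    value = _mac_int(mac)
    for ace in acl:
        # bits set in the wildcard are ignored when comparing
        if (value & ~ace.wildcard) == (ace.mac & ~ace.wildcard):
            return ace.action
    return "deny"


def parse_acl_refs(config: str) -> list:
    """Find every place a 7xx ACL is applied and the interface context it sits in."""
    refs, interface = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                        # IOS section separator ends the interface block
            interface = ""
        elif line.startswith("interface "):
            interface = line.split(None, 1)[1]
        elif (m := re.match(r"dot11 association mac-list (\d+)$", line)):
            refs.append(AclRef(int(m.group(1)), "global-association", ""))
        elif (m := re.match(r"bridge-group \d+ (input|output)-address-list (\d+)$", line)):
            refs.append(AclRef(int(m.group(2)), m.group(1) + "-address-list", interface))
    return refs


def audit(config: str) -> list:
    """Return scope findings; an empty list means each ACL is an input filter on a radio (sub)interface."""
    acls, refs = parse_mac_acls(config), parse_acl_refs(config)
    findings = []
    for r in refs:
        if r.acl not in acls:
            findings.append(f"acl {r.acl}: applied but never defined")
        if r.scope == "global-association":
            findings.append(f"acl {r.acl}: global 'dot11 association mac-list' applies to every SSID on the AP")
        elif r.scope == "input-address-list" and not r.interface.lower().startswith("dot11radio"):
            findings.append(f"acl {r.acl}: input filter on {r.interface} matches source MACs of frames "
                            "arriving from the wired side, not from wireless clients")
    for n in acls:
        if all(r.acl != n for r in refs):
            findings.append(f"acl {n}: defined but never applied")
    return findings


# Constructed fragments shaped like the posted running-config (not the full config).
ACL = """\
access-list 701 permit 0016.6f38.5a75   0000.0000.0000
access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
"""
# As posted: the list is applied globally.
POSTED = "dot11 association mac-list 701\n!\n" \
         "interface Dot11Radio0.36\n encapsulation dot1Q 36\n bridge-group 36\n!\n" + ACL
# Placement proposed in the thread: input filter under the Ethernet subinterface.
ON_ETHERNET = "interface FastEthernet0.36\n encapsulation dot1Q 36\n bridge-group 36\n" \
              " bridge-group 36 input-address-list 701\n!\n" + ACL
# Input filter on the radio subinterface that carries the SSID's VLAN.
ON_RADIO = "interface Dot11Radio0.36\n encapsulation dot1Q 36\n bridge-group 36\n" \
           " bridge-group 36 input-address-list 701\n!\n" + ACL

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("ethernet", ON_ETHERNET), ("radio", ON_RADIO)):
        print(name, audit(cfg) or ["ok: per-VLAN input filter on the radio"])
    print(evaluate(parse_mac_acls(ACL)[701], "0016.6f38.5a75"))   # permit
```

Run it against a saved `show running-config` by reading the file into `audit()`; the wildcard of `0000.0000.0000` on the posted entries means each line is an exact match, and the trailing explicit deny only restates the implicit one. Whatever the placement, a source-MAC filter is a spoofable control and should not be the only thing standing between a client and a VLAN.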