12-30-2011 02:11 AM - edited 07-03-2021 09:18 PM
I'm attempting to block about 10 to 15 users on the wireless by using MAC address filtering on the Aironet. I referenced the following link:
http://egementanirer.blogspot.com/2009/ ... dress.html
The policy does indeed work, but once I apply the filter all traffic on the wireless for that particular VLAN stops. Why would this happen? I wouldn't think I need to configure anything else for this to work, but maybe I'm wrong.
I was looking over the config and I noticed that each time I added a MAC address to the filter, it would create an access-list 701 deny 0000.0000.0000 ffff.ffff.ffff. Once I removed this access-list, traffic started flowing again, but when I add another MAC address the access-list shows up again. Kinda weird. Any reason for this?
12-30-2011 06:04 AM
Evan,
When you apply the ACL, where are you applying it to? From the CLI, you can do a
dot11 association mac-list <ACL number>
This will stop the MAC address from being able to associate to the AP.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
12-30-2011 09:55 AM
The link you are following is not going to do what you are looking to do. That link is for creating an association list that only ALLOWS the MACs that you enter, hence the default deny all statement.
This Cisco doc shows in a little more detail how to do the block:
You should be able to reverse the page and change the default action to forward and select block as the MAC action.
12-30-2011 10:03 AM
Using the below link may be helpful..
Here is the deal.. By default you have the implicit deny on the Cisco IOS (not visible in the running config, enabled by default).. If you explicitly put DENY ANY ANY then the permit statements which come after that will break the ACL..
Check this bug as well..
So the workaround is to not use IMPLICIT DENY at the end again!!
Let me know if this answered your question and please don't forget to rate the useful posts!!
Regards
Surendra
12-30-2011 11:52 AM
@ Stephen Rodriguez
I'm applying it to the Radio0.802.11G interface.
@blackkrone
I followed the link you showed me, which is pretty much the same thing in creating a filter, but they add in an extra step under Security > Advanced Security > Association Access List. Now when I enabled this I see one or two packets drop, but I'm still able to pass traffic, unlike before when it killed everything. But I still haven't blocked access to the specified MAC I added under the filters.
@SurendraBG
I don't have access to the second link being that I'm a Cisco guest. I tried simply entering the configuration using just the CLI, but same result as above. Unable to block that particular MAC address.
12-30-2011 03:05 PM
It's back to killing everything again. I'm not sure why it delayed, but after I configured another Aironet two floors above this one, it all of a sudden brought down the laptop I'm testing with here. I find that very odd. I really don't understand why this is so complicated, when it's a simple block of a MAC address.
Here is the configuration after following the instructions from the links above.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-1stFlrSouthside
!
no logging console
enable secret 5 $1$y1.u$cgb0SR6.PJcu.04NoiDGB0
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name cyberdyne.local
!
!
dot11 association mac-list 701
dot11 syslog
!
dot11 ssid GUEST
vlan 160
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 083649420A160812401D0D0A3E2A232D
!
dot11 ssid Cyberdyne
vlan 150
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
infrastructure-ssid optional
wpa-psk ascii 7 02570A4D02120E354541074B554643
!
!
!
username Cisco password 7 13094406065F5524
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 150 mode ciphers aes-ccm tkip
!
encryption vlan 160 mode ciphers aes-ccm tkip
!
ssid GUEST
!
ssid Cyberdyne
!
mbssid
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
bridge-group 160 subscriber-loop-control
bridge-group 160 block-unknown-source
no bridge-group 160 source-learning
no bridge-group 160 unicast-flooding
bridge-group 160 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
!
interface FastEthernet0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
no bridge-group 160 source-learning
bridge-group 160 spanning-disabled
!
interface BVI1
ip address 192.168.150.21 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
exec-timeout 60 0
password 7 031008190B5E2F4D1F
line vty 0 4
exec-timeout 60 0
password 7 111D4A171A43050D55
line vty 5 15
password 7 13114400065D0A2B7A
!
end
12-30-2011 03:15 PM
Use the CLI and try this:
access-list 701 allow 0000.0000.0000 ffff.ffff.ffff
12-30-2011 03:24 PM
That didn't work using access-list 701 permit 0000.0000.0000 ffff.ffff.ffff. I noticed it was placed like this in the config:
ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
12-30-2011 03:29 PM
do no access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
Sent from Cisco Technical Support iPhone App
12-30-2011 03:36 PM
So that last command will revive the connection and get traffic flowing again, but it also allows the MAC address I added the restriction for to pass traffic too. Does that command cancel out the access-list deny *for that particular MAC*? Something is amiss here, very odd.
12-30-2011 04:10 PM
Can you post the config again with the changes made?
12-30-2011 04:33 PM
Sure! I tried with and without the access-list permit. FYI the allow didn't work, so I needed to use permit.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-1stFlrSouthside
!
no logging console
enable secret 5 $1$y1.u$cgb0SR6.PJcu.04NoiDGB0
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name cyberdyne.local
!
!
dot11 association mac-list 701
dot11 syslog
!
dot11 ssid GUEST
vlan 160
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 083649420A160812401D0D0A3E2A232D
!
dot11 ssid Cyberdyne
vlan 150
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
infrastructure-ssid optional
wpa-psk ascii 7 02570A4D02120E354541074B554643
!
!
!
username Cisco password 7 13094406065F5524
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 150 mode ciphers aes-ccm tkip
!
encryption vlan 160 mode ciphers aes-ccm tkip
!
ssid GUEST
!
ssid Cyberdyne
!
mbssid
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
bridge-group 160 subscriber-loop-control
bridge-group 160 block-unknown-source
no bridge-group 160 source-learning
no bridge-group 160 unicast-flooding
bridge-group 160 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
!
interface FastEthernet0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
no bridge-group 160 source-learning
bridge-group 160 spanning-disabled
!
interface BVI1
ip address 192.168.150.21 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 permit 001f.e18a.cf8b 0000.0000.0000
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
exec-timeout 60 0
password 7 031008190B5E2F4D1F
line vty 0 4
exec-timeout 60 0
password 7 111D4A171A43050D55
line vty 5 15
password 7 13114400065D0A2B7A
!
end
12-30-2011 04:40 PM
Right now you are denying but then allowing the same MAC:
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 permit 001f.e18a.cf8b 0000.0000.0000
The access list should be the following:
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
12-30-2011 04:54 PM
That was my mistake on the copy and paste. Now that's very odd, it's working now. The MAC address is now timing out, and my other devices are passing traffic, yet when I make the same setting changes in the GUI it blocks all traffic. But it is working!!
So if I want to add other MAC addresses, I noticed it goes underneath the access-list 701 permit. Will this cause problems? Are access-lists sequential, as in top down? I don't believe they are, but I want to make sure.
Thank you so much for help and taking the time to troubleshoot.
12-30-2011 04:57 PM
When you want to add other MAC addresses, simply negate the permit statement with a no, add your blocks, then re-add the permit.
Glad we could get it working for you, please do rate the posts and mark them as answered as that helps others in the future find answers!
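The following is an added example, not code from the thread, from Cisco, or from the AP itself. It models the behaviour the accepted answer and the last reply rely on: a 700-series MAC access-list is evaluated top-down, the first matching entry decides, and a MAC that matches nothing hits the list's implicit deny. The parser accepts the exact access-list lines shown in the thread; the second MAC (0024.d7aa.bbcc) is a constructed stand-in for "any other client", and the first-match model is an assumption about IOS behaviour made for illustration rather than a reading of the AP's code.

```python
import re
from typing import List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF
Entry = Tuple[str, int, int]  # (action, address, wildcard mask)

# Constructed samples in the 700-series MAC access-list syntax used in the thread.
# What the GUI produced: deny the MAC, then deny everything else (blocks all clients).
ACL_GUI_GENERATED = """
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
"""
# The mistaken copy/paste: deny and then permit the same MAC (implicit deny hits everyone else).
ACL_SAME_MAC = """
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 permit 001f.e18a.cf8b 0000.0000.0000
"""
# The accepted fix: deny the MAC, then permit everything else.
ACL_FIXED = """
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
"""
# A new deny appended after the permit-any, which is what the last reply warns about.
ACL_DENY_AFTER_PERMIT = """
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
access-list 701 deny 001f.e18a.cf8b 0000.0000.0000
"""

LINE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def mac_to_int(mac: str) -> int:
    """'001f.e18a.cf8b' -> 0x001fe18acf8b (also accepts ':' and '-' separators)."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def parse_acl(text: str, number: int = 701) -> List[Entry]:
    """Parse 'access-list <n> permit|deny <mac> <wildcard>' lines for one list number."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a MAC access-list line: {line!r}")
        if int(m.group(1)) != number:
            continue
        entries.append((m.group(2).lower(), mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries


def entry_matches(mac: int, address: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit must match."""
    return ((mac ^ address) & ~wildcard & MAC_BITS) == 0


def evaluate(entries: List[Entry], mac: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match at all falls through to the implicit deny (index None)."""
    m = mac_to_int(mac)
    for idx, (action, address, wildcard) in enumerate(entries):
        if entry_matches(m, address, wildcard):
            return action, idx
    return "deny", None


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry already covers every MAC they cover."""
    shadowed: List[int] = []
    for j, (_, addr_j, wc_j) in enumerate(entries):
        for i in range(j):
            _, addr_i, wc_i = entries[i]
            # Every 'don't care' bit of j must also be 'don't care' in i ...
            wildcards_covered = (wc_j & ~wc_i & MAC_BITS) == 0
            # ... and on the bits i does care about, the two addresses must agree.
            fixed_bits_agree = ((addr_i ^ addr_j) & ~wc_i & MAC_BITS) == 0
            if wildcards_covered and fixed_bits_agree:
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    blocked, other = "001f.e18a.cf8b", "0024.d7aa.bbcc"  # constructed client MACs
    for name, text in [("GUI", ACL_GUI_GENERATED), ("same MAC", ACL_SAME_MAC),
                       ("fixed", ACL_FIXED), ("deny after permit", ACL_DENY_AFTER_PERMIT)]:
        acl = parse_acl(text)
        print(f"{name:18} blocked MAC -> {evaluate(acl, blocked)}  other MAC -> {evaluate(acl, other)}"
              f"  shadowed entries: {shadowed_entries(acl)}")
```

Running it reproduces each stage of the thread: the GUI list and the "same MAC" list both end with every other client denied (by the explicit deny-all and by the implicit deny respectively), the fixed list denies only the target and permits the rest, and a deny appended after the permit-any is reported as shadowed, which is why the last reply says to remove the permit, add the new denies, and put the permit back at the end.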