
Mac-address filters and 1200 AP

thisisshanky
Level 11

I am trying to configure MAC filters on a 1200 AP. IOS is 12.2.15 XR2. I have about 30 MAC addresses configured on access-list 700. The ACL has been applied to both inbound and outbound traffic on the radio interface (only radio, not the Ethernet interface).

There are two SSIDs, one for users (vlan 12) and one for guests (vlan 13). The MAC filter is applied only to vlan 12.

Users in vlan 12 can associate to the AP, but not get a DHCP address from the DHCP server. If I configure a static address from that subnet, still people cannot ping in and out from vlan 12.

Users in vlan 13 (with no mac filter) can associate as well as get a DHCP address from the DHCP server. They are also able to ping in and out from vlan 13.

The MAC filter is configured as follows.

Permit specific mac address (30 lines)

Default action : block all

If I change the default action to Forward all, the vlan 12 users get a DHCP address immediately. So it definitely looks like the MAC filter is ignoring the specific mac-address and thus denying all traffic on vlan 12. Here is a CLI configuration of access-list 700.

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000

.

.

.

access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

I found two conflicting documents on the Cisco website. One says that 0000.0000.0000 is the mask for an exact match, while the other document says that ffff.ffff.ffff is the exact match mask.

Document 1: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_installation_and_configuration_guide_chapter09186a0080148696.html#91655

Document 2:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091c1.html

I have tried downgrading the IOS from 12.2.15XR2 to 12.2.15JA with no change in behaviour.

Is this a bug, or am I wrong somewhere?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

dixho
Level 6

I wonder if you can apply the access list to the outbound of the radio interface.

Standard MAC filter (i.e. 700-799) defines the action on the destination MAC address. In your case, you define an access list with a number of destination MAC addresses. If you apply the access list on the inbound interface of the radio interface, all inbound traffic will be dropped.

Also, you can apply the same access list in the inbound fastethernet interface.

Makes sense... I think the best way to do it is like you said, in the inbound direction on the fast E. I will try it this week and let you know.

Thank you!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi,

Have you had any news about the MAC ACL? I have the same issue.

Many thanks in advance

Luigi

I just made an enterprise-wide blacklist of MAC addresses on APs. Here's the correct configuration:

access-list 700 deny xxxx.xxxx.xxxx 0000.0000.0000

.

.

.

access-list 700 permit 0000.0000.0000 ffff.ffff.ffff

dot11 association mac-list 700

In other words, zeros mean an exact match, f's mean any. I hope this helps,

Jeff
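
The mask semantics Jeff describes (zeros match exactly, f's match anything), modeled as an added example that is not part of the original thread or Cisco's code: a small first-match evaluator for access-list 700 lines, plus a lint for entries written with the masks swapped. The MAC addresses are constructed, the function names are hypothetical, and the implicit deny at the end of the list is an assumption about IOS behavior; the code takes no position on whether the AP compares the source or the destination address.

```python
import re

# Constructed sample ACLs; the MAC addresses are made up for illustration.
ALLOWLIST = """\
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""
BLOCKLIST = """\
access-list 700 deny 0011.2233.4455 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
"""

LINE = re.compile(r"access-list\s+(7\d\d)\s+(permit|deny)\s+(\S+)\s+(\S+)$")

def mac_to_int(text):
    """Accept xxxx.xxxx.xxxx, xx:xx:..., or xx-xx-... and return a 48-bit int."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def parse_acl(config):
    """Return [(action, address, mask)] in configuration order."""
    entries = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((m.group(2), mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries

def evaluate(entries, mac):
    """First matching entry wins; mask bits set to 1 are ignored in the compare."""
    value = mac_to_int(mac)
    for action, address, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF
        if (value & care) == (address & care):
            return action
    return "deny"  # assumption: IOS implicit deny when nothing matches

def swapped_masks(entries):
    """Lint: flag host-looking entries that use the all-f mask (match anything)."""
    return [e for e in entries if e[1] != 0 and e[2] == 0xFFFFFFFFFFFF]
```

An entry such as `permit 0011.2233.4455 ffff.ffff.ffff` is flagged by `swapped_masks` because, under these semantics, it matches every address rather than one host.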

Hi Jeff,

Thanks for the reply, but I was looking for interface filtering, not association filtering.

In other words, I just need to filter on a single SSID, and the documentation is not so clean:

- Is the MAC in ACL 700 the destination MAC?

- If so, I can just put the ACL "IN" on the radio interface or "OUT" on the Ethernet interface... if I've understood correctly.

Any suggestions?

regards

Luigi

The MAC in the ACL is the MAC you want to block, so it's the source MAC. But yes, just apply the ACL to a subinterface on either the radio or the FastEthernet interface.

Keep in mind that the client will still be able to associate to the AP on that SSID, but he will be unable to pass any traffic while on that SSID. The best way to do client-exclusion on a per-SSID basis is to use WPA-PSKs or an EAP protocol. Doing it with an ACL could result in the client "black-holing" on this AP, depending on how the client is configured.

Out of curiosity, what exactly is the situation here that you need to block the client from a certain SSID, but not from the entire AP?

Hi Jeff,

We have a large deployment of APs, and on each AP we have 2 SSIDs:

- voice

- data

The data SSID is in use by old barcode readers that only support WEP or no encryption. The trouble is that with WEP they become very, very slow, so while waiting for these devices to be replaced I can just filter them on the data SSID.

On the voice SSID I have several devices, so I cannot manage MAC filtering.

Thanks

Luigi

Hi Luigi,

Sorry, I think I'm a little confused. What's your main goal here? To prevent your scanners from causing slowdown on the voice SSID?

Just to clarify, a client that causes slowdown does so for the entire AP, not just for clients on a specific SSID. So restricting your clients to the data SSID will not increase the speed on your Voice SSID.

If you want to restrict who is allowed on each SSID, the best way to do it is with the WEP keys themselves. Configure a different WEP key on each SSID, that way the scanners cannot associate to the voice SSID, and vice versa.

Finally, WEP itself shouldn't be causing slowdowns. Likely, the scanners are 802.11b clients, which is the root cause of the slowdown.

I hope that helps. Again, I'm not sure what exactly you want to do here, but I'm happy to help in whatever way I can.

Jeff
