02-20-2014 02:33 PM - edited 07-05-2021 12:14 AM
I have APs in FlexConnect mode doing local switching, central auth. For a particular WLAN, we are using MAC filtering. When creating the local MAC filter, should we select none under interface name, where you would normally map the interface for the MAC address entry, since the clients are locally switched? Or does this matter?
02-20-2014 03:48 PM
Mac-filtering isn't supported on FlexConnect local switching, only on central switching and local mode APs.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-20-2014 03:49 PM
Here is a link:
Thanks,
Scott
02-20-2014 04:00 PM
Thanks Scott. Please correct me if I'm wrong, but according to that doc Mac filtering is supported with flexconnect local switching, not local auth. Am I reading this incorrectly?
02-20-2014 04:07 PM
Yes that is correct.... so keep that in mind if the APs go into standalone. Mac-filtering is done the same way as local mode APs.... you enter the MAC address and then choose the WLAN... interface doesn't matter for FlexConnect.
Thanks,
Scott
02-20-2014 04:09 PM
What is the purpose you want to use mac-filtering for?
Thanks,
Scott
02-20-2014 04:18 PM
It has to do with these particular clients and their lack of support for 802.1X. I understand mac-filtering is not very secure.
Although it appears to be working, I had my doubts because the clients were just showing 0.0.0.0 for the IP address. We have "learn client IP address" checked under the WLAN, but I cannot see the IP address.
02-20-2014 04:23 PM
Yeah.... there are limitations to what the WLC has visibility to.... only when traffic comes back to the WLC will the WLC have that information. Take a look at the client statistics from the monitor tab and compare that to a client that is connected to a local mode AP or an SSID that is centrally switched. As long as you only see the clients you allow on the WLAN, then you're good.
Thanks,
Scott
03-14-2014 09:26 AM
I'm also having trouble applying MAC Filtering to a locally switched/centrally authorised WLAN.
We are using WPA2 with dot1x AKM. It works fine until I enable MAC Filtering.
In the MAC Filter I have tried using None/management/<Dynamic Interface> and none of these work.
Is there a chance the AP is using local auth even though it can see the WLCs?