There are three types of filters that can be configured on an Autonomous AP.
1. MAC Address Filters
2. IP Filters
3. Ethertype Filters
We will test a few of these filter types using the topology below.
First we will see how to configure an IP filter. Here are the conditions: clients on WLAN-data3 should only be permitted to reach the CME (10.10.205.20) via telnet. Deny any other IP traffic and ICMP traffic to this CME IP from wireless clients.
ip access-list extended IPF
 deny icmp 10.10.14.0 0.0.0.255 host 10.10.205.20
 permit tcp 10.10.14.0 0.0.0.255 host 10.10.205.20 eq telnet
 deny ip 10.10.14.0 0.0.0.255 host 10.10.205.20
 permit ip any any
Then you need to apply this IP filter. Filters can be applied per VLAN on either the 2.4 GHz (Radio 0), 5 GHz (Radio 1) or Ethernet interface, in either direction (incoming or outgoing). In this example we will apply it on both radios in the incoming direction, as the traffic is sourced from the wireless clients.
interface Dot11Radio1.14
 ip access-group IPF in
Finally you can verify from your wireless client.
## First you need to verify your Client IP & ensure it is data3 WLAN ##
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix . : mrn.com
   IPv4 Address. . . . . . . . . . . : 10.10.14.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.14.1
!
## You can verify that you cannot ping CME, but can ping other IPs ##
Pinging 10.10.205.20 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.10.205.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
!
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=2ms TTL=125
Reply from 192.168.1.100: bytes=32 time=2ms TTL=125
Reply from 192.168.1.100: bytes=32 time=2ms TTL=125
Reply from 192.168.1.100: bytes=32 time=2ms TTL=125
Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
!
## You can verify you can telnet to CME router from your client ##
C:\Users\rnayanajith>telnet 10.10.205.20
CME>en
Password:
CME#
CME#sh users
    Line       User       Host(s)              Idle       Location
*  98 vty 0               idle                 00:00:00 10.10.14.51
Keep in mind that if you configure this via the GUI, you cannot build filters on specific IP protocols or TCP/UDP ports tied to particular sources and destinations. You have to use the CLI to do that, as shown above.
You can refine this further by making the entry time-based. First you create a time range, then you reference it when defining the ACL entries. For example, we will restrict the above telnet permission to the CME router to weekends between 14:45 and 15:15 hrs. (This timing is simply because I can test it easily.)
time-range WEEKEND-HALF
 periodic weekend 14:45 to 15:15
!
ip access-list extended IPF
 deny icmp 10.10.14.0 0.0.0.255 host 10.10.205.20
 permit tcp 10.10.14.0 0.0.0.255 host 10.10.205.20 eq telnet time-range WEEKEND-HALF
 deny ip 10.10.14.0 0.0.0.255 host 10.10.205.20
 permit ip any any
You can verify this by telnetting to CME within the time range and outside it. Outside the time range, telnet should fail (as shown below).
C:\Users\rnayanajith>telnet 10.10.205.20
CME>en
Password:
CME#
CME#sh user
    Line       User       Host(s)              Idle       Location
*  98 vty 0               idle                 00:00:00 10.10.14.51
CME#sh clock
15:13:13.808 AEDT Sat Mar 9 2013
CME#
CME#sh clock
15:15:20.090 AEDT Sat Mar 9 2013
CME#exit
Connection to host lost.
C:\Users\rnayanajith>telnet 10.10.205.20
Connecting To 10.10.205.20...Could not open connection to the host, on port 23: Connect failed
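To show why the IPF entries above produce exactly the results verified from the client (first-match evaluation, IOS wildcard masks, and an inactive time-range entry simply being skipped so that telnet falls through to the deny), here is an added Python model of the list. It is not AP code; the ACL table, the time-range logic (minute granularity assumed) and the clock values are constructed from the post's configuration.

```python
from datetime import datetime
from ipaddress import IPv4Address

# Constructed model of the post's IPF extended ACL (time-range version),
# evaluated first-match with an implicit deny at the end, as IOS does.
# Entry: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port, time_range)
IPF = [
    ("deny",   "icmp", "10.10.14.0", "0.0.0.255", "10.10.205.20", "0.0.0.0", None, None),
    ("permit", "tcp",  "10.10.14.0", "0.0.0.255", "10.10.205.20", "0.0.0.0", 23, "WEEKEND-HALF"),
    ("deny",   "ip",   "10.10.14.0", "0.0.0.255", "10.10.205.20", "0.0.0.0", None, None),
    ("permit", "ip",   "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def time_range_active(name, now):
    """Models only the post's 'periodic weekend 14:45 to 15:15' range (assumption: minute granularity)."""
    if name is None:
        return True                     # entry has no time-range: always active
    if name == "WEEKEND-HALF":
        minute_of_day = now.hour * 60 + now.minute
        return now.weekday() >= 5 and 14 * 60 + 45 <= minute_of_day <= 15 * 60 + 15
    raise ValueError(f"unknown time-range {name}")

def evaluate(acl, proto, src, dst, dport=None, when="2013-03-09 15:00"):
    """Return 'permit' or 'deny' for one flow; `when` is a constructed clock value."""
    now = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for action, p, sb, sw, db, dw, port, tr in acl:
        if p != "ip" and p != proto:
            continue                    # protocol-specific entry for another protocol
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        if not time_range_active(tr, now):
            continue                    # inactive time-range: the entry is skipped entirely
        return action                   # first match wins
    return "deny"                       # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    # The flows the post verifies from client 10.10.14.51, plus telnet outside the window
    print(evaluate(IPF, "icmp", "10.10.14.51", "10.10.205.20"))                          # deny
    print(evaluate(IPF, "icmp", "10.10.14.51", "192.168.1.100"))                         # permit
    print(evaluate(IPF, "tcp", "10.10.14.51", "10.10.205.20", 23, "2013-03-09 15:13"))   # permit
    print(evaluate(IPF, "tcp", "10.10.14.51", "10.10.205.20", 23, "2013-03-09 15:16"))   # deny
```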
Next we will look at MAC filtering, which lets you permit or block wireless client traffic based on the client's MAC address.
I used my iPhone (04f7.e4ea.5b66) to join this WLAN; it received the IP address 10.10.14.52.
Now we will configure a MAC filter to block traffic going to this iPhone.
access-list 700 deny 04f7.e4ea.5b66 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!
interface Dot11Radio1
l2-filter bridge-group-acl
!
interface Dot11Radio1.14
bridge-group 14 input-address-list 700
bridge-group 14 output-address-list 700
Before applying this to the Radio1.14 interface, we start a continuous ping to the 10.10.14.53 IP from the wireless laptop and from the CME router. By applying the list in both the input and output directions, traffic destined to this MAC address and traffic sourced from it are both blocked at the interface level; if it is applied in only one direction, unidirectional traffic can still flow while bi-directional traffic is blocked. Below is the output of the wireless laptop's ping.
C:\Users\rnayanajith>ping 10.10.14.53 -t
Pinging 10.10.14.53 with 32 bytes of data:
Reply from 10.10.14.53: bytes=32 time=46ms TTL=64
Reply from 10.10.14.53: bytes=32 time=88ms TTL=64
Reply from 10.10.14.53: bytes=32 time=132ms TTL=64
Reply from 10.10.14.53: bytes=32 time=68ms TTL=64
Reply from 10.10.14.53: bytes=32 time=112ms TTL=64
Reply from 10.10.14.53: bytes=32 time=49ms TTL=64
Reply from 10.10.14.53: bytes=32 time=2ms TTL=64
Reply from 10.10.14.53: bytes=32 time=135ms TTL=64
Reply from 10.10.14.53: bytes=32 time=72ms TTL=64
Reply from 10.10.14.53: bytes=32 time=114ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Immediately after you apply the MAC filter on the radio interface, you can see traffic to my iPhone get blocked.
Instead of filtering traffic across the interface, you can use a MAC address ACL to block or allow association to the AP. Use the "dot11 association mac-list <700-799>" command (as used in the output below) to apply the association ACL to the AP. If you check the dot11 associations, you can see my iPhone is still associated to the AP even though it is unable to get a proper IP via DHCP (as its traffic is blocked).
AAP2(config-subif)#do sh dot11 asso
802.11 Client Stations on Dot11Radio1:
SSID [data3] :
MAC Address IP address Device Name Parent State
04f7.e4ea.5b66 0.0.0.0 unknown - self EAP-Assoc
a088.b435.c2f0 10.10.14.51 ccx-client AAP2 self EAP-Assoc
We will apply the MAC ACL to block association as well. Once applied, you can verify the device is no longer able to associate. See below.
AAP2(config)#do sh dot11 asso
802.11 Client Stations on Dot11Radio1:
SSID [data3] :
MAC Address IP address Device Name Parent State
04f7.e4ea.5b66 0.0.0.0 unknown - self EAP-Assoc
a088.b435.c2f0 10.10.14.51 ccx-client AAP2 self EAP-Assoc
AAP2(config)#dot11 association mac-list 700
Mar 9 05:42:40.098: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 04f7.e4ea.5b66
Mar 9 05:42:40.098: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station a088.b435.c2f0
Mar 9 05:42:40.110: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
Mar 9 05:42:40.118: %DOT11-4-MAXRETRIES: Packet to client a088.b435.c2f0 reached max retries, removing the client
Mar 9 05:42:40.122: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
Mar 9 05:42:40.578: %DOT11-6-ASSOC: Interface Dot11Radio1, Station AAP2 a088.b435.c2f0 Associated KEY_MGMT[WPAv2]
AAP2(config)#do sh dot11 asso
802.11 Client Stations on Dot11Radio1:
SSID [data3] :
MAC Address IP address Device Name Parent State
a088.b435.c2f0 10.10.14.51 ccx-client AAP2 self EAP-Assoc
You can go through the Ethertype filter configuration as per the configuration guide (Configuring Ethertype Filters).
Hi, I have a question.
We have a long access-list 701, how can I add a new MAC address to block or permit? Do we need to negate the dot11 access-list 701 and write it again with the changes?
Yes, modify it in Notepad and then remove the ACL and reapply.
thanks mate
Hello, very nice topic and very helpful for me. I have configured my access point like this. Please also find the below link for MAC filtering through WLC.
https://aqlearningcenter.blogspot.com/2018/09/how-to-configure-cisco-WLC-Mac-Filtering.html