ACL on IOS AP


It's possible not only to have authentication on your AP, but also some kind of filters (ACLs) for a more secure environment.
There are different kinds of ACLs:
Standard: Standard ACLs are numbered from 1 to 99.

access-list 10 deny host 10.10.10.10
! Deny host 10.10.10.10 to access the network completely.
access-list 10 permit any
! The rest of the devices may connect.

int dot11Radio 0
ip access-group 10 in

! The access list must be applied to an interface. This can be inbound or outbound.

You can also name an access list:
ip access-list standard LAB
deny host 10.10.10.10
permit any

And bind this access list to the interface (inbound or outbound).

There are also extended access lists:
Extended: They are numbered from 100 to 199 and let you filter at protocol and port level.

access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any
access-list 101 permit tcp host 10.10.10.10 any eq www

This access list is NOT going to work as intended. Notice the deny ip any any rule placed before the permit www rule: an ACL is evaluated top-down and the first matching entry wins, so the deny catches all traffic and the www permit for host 10.10.10.10 is never reached.
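To make the ordering problem concrete, here is a small first-match ACL evaluator, added as an example and not part of the original post. It parses the three lines of access-list 101 from the page (host/any source and destination, optional eq port), evaluates a packet top-down with the implicit deny at the end, and also reports which entries are shadowed by an earlier broader entry. The reordered list, the destination address 192.0.2.80 and the port-name table are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Port keywords used on the page; IOS knows many more, these are the two we need.
PORTS = {"telnet": 23, "www": 80}


def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (host/any forms only)."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr(t):
        if t[0] == "any":
            return ip_network("0.0.0.0/0"), t[1:]
        if t[0] == "host":
            return ip_network(t[1] + "/32"), t[2:]
        raise ValueError("unsupported address form: " + " ".join(t))

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport):
    """Return 'permit' or 'deny': first matching entry wins, implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in ace["src"] or ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit deny


def shadowed_entries(acl_lines):
    """Indices of entries that can never match because an earlier entry covers them."""
    aces = [parse_ace(line) for line in acl_lines]
    shadowed = []
    for i, a in enumerate(aces):
        for b in aces[:i]:
            if (b["proto"] in ("ip", a["proto"])
                    and a["src"].subnet_of(b["src"])
                    and a["dst"].subnet_of(b["dst"])
                    and (b["dport"] is None or b["dport"] == a["dport"])):
                shadowed.append(i)
                break
    return shadowed


# The list exactly as written on the page.
AS_WRITTEN = [
    "access-list 101 permit tcp any any eq telnet",
    "access-list 101 deny ip any any",
    "access-list 101 permit tcp host 10.10.10.10 any eq www",
]

# Constructed fix: same three entries, catch-all deny moved to the end.
REORDERED = [AS_WRITTEN[0], AS_WRITTEN[2], AS_WRITTEN[1]]


def www_from_lab_host(acl_lines):
    """HTTP from 10.10.10.10 to a constructed web server address 192.0.2.80."""
    return evaluate(acl_lines, "tcp", "10.10.10.10", "192.0.2.80", 80)


if __name__ == "__main__":
    print("as written :", www_from_lab_host(AS_WRITTEN), "shadowed:", shadowed_entries(AS_WRITTEN))
    print("reordered  :", www_from_lab_host(REORDERED), "shadowed:", shadowed_entries(REORDERED))
```

Running it shows the www flow is denied by the list as written and permitted once the deny ip any any line is last; shadowed_entries flags entry index 2 in the original order, which is the check to run on any ACL before applying it with ip access-group.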

MAC based: Use the range 700 to 799.
access-list 700 permit 0000.1111.2222 0000.0000.0000
! The 0000.0000.0000 is the wildcard mask ("wildmask"): every bit of the address must match exactly.

To use this access list you can apply it globally with the command:
dot11 association mac-list 700
or bind it to a subinterface (Radio and/or FastEthernet):
bridge-group 1 input-address-list 701

All of these ACLs can be time based:
First you define the time range during which the ACL is active:

time-range LABTIME
periodic weekdays 6:00 to 23:00
periodic Sunday 7:00 to 22:00

And you add this to the ACL :
access-list 101 permit tcp any any eq telnet time-range LABTIME
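The following evaluator for the LABTIME definition above is an added example, not part of the original post. It parses IOS-style periodic statements (day keywords plus HH:MM to HH:MM), answers whether a given local datetime falls inside the range, and shows how an entry carrying time-range is simply skipped while the range is inactive, so traffic falls through to the next entry or the implicit deny. The TIME_RANGES table, the sample timestamps and the assumption that the end minute is still inside the range are constructed for the example.

```python
from datetime import datetime, time

# datetime.weekday() numbering: Monday = 0 ... Sunday = 6
DAY_KEYWORDS = {
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def hhmm(text):
    """'6:00' or '23:00' -> datetime.time (IOS accepts single-digit hours)."""
    hours, minutes = (int(part) for part in text.split(":"))
    return time(hours, minutes)


def parse_periodic(line):
    """'periodic <days...> HH:MM to HH:MM' -> (set of weekdays, start, end)."""
    tok = line.split()
    to_idx = tok.index("to")
    days = set()
    for keyword in tok[1:to_idx - 1]:
        days |= DAY_KEYWORDS[keyword.lower()]
    return days, hhmm(tok[to_idx - 1]), hhmm(tok[to_idx + 1])


def time_range_active(periodic_lines, when):
    """True if any periodic statement covers the weekday and time of `when`."""
    for days, start, end in map(parse_periodic, periodic_lines):
        # Assumption for this example: the end minute itself still counts as active.
        if when.weekday() in days and start <= when.time() <= end:
            return True
    return False


# The time range exactly as defined on the page.
LABTIME = [
    "periodic weekdays 6:00 to 23:00",
    "periodic Sunday 7:00 to 22:00",
]

# Constructed lookup table of configured time ranges by name.
TIME_RANGES = {"LABTIME": LABTIME}


def ace_is_live(ace_line, when, time_ranges=TIME_RANGES):
    """An entry without time-range always applies; one with it applies only while active."""
    tok = ace_line.split()
    if "time-range" not in tok:
        return True
    name = tok[tok.index("time-range") + 1]
    return time_range_active(time_ranges[name], when)


TELNET_ACE = "access-list 101 permit tcp any any eq telnet time-range LABTIME"

if __name__ == "__main__":
    # Constructed sample timestamps (2024-01-10 is a Wednesday, 2024-01-14 a Sunday).
    for stamp in (datetime(2024, 1, 10, 12, 0), datetime(2024, 1, 10, 23, 30),
                  datetime(2024, 1, 13, 12, 0), datetime(2024, 1, 14, 8, 0)):
        print(stamp, "telnet entry live:", ace_is_live(TELNET_ACE, stamp))
```

Because the AP evaluates the time range against its own clock, the check is only as good as the device's time source; an AP without NTP can drift far enough that the ACL opens or closes at the wrong hour.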

About Joost van der Made
