MAC Access list on Autonomous AP.

Sometimes you want an AP to work as a bridge, but you don't want every other AP to be able to connect to this bridge, only a specific one.

This is possible with a MAC access list.

On the root bridge you configure an access list:
access-list 700 permit 0021.d790.fba0 0000.0000.0000
Access lists 700 to 799 are for MAC addresses.
The MAC address is that of the non-root bridge that will be allowed to access the root bridge.
To discover the MAC address, run this on the non-root bridge:
AP5#sh contr d0
interface Dot11Radio0
Radio AIR-AP1242GR, Base Address 0021.d790.fba0

To be very, very sure, you can first let the non-root bridge authenticate to the root bridge and then check at the root bridge:
BR1#sh dot11 ass all
Address : 0021.d790.fba0 Name : AP5

The 0000.0000.0000 is the wildcard mask of the access list. In this case the whole MAC address has to be exactly the same.
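To make the wildcard mask concrete, here is an added example (not from the original post or from Cisco) that evaluates MAC access list entries the way IOS ACLs are matched: bits set to 1 in the mask are ignored, the first matching entry wins, and anything unmatched falls through to the implicit deny. The list 701 entry, the extra test MACs and the function names are constructed for illustration.

```python
import re

# Entry form used above: access-list <700-799> permit|deny <mac> <wildcard-mask>
ENTRY = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$",
    re.IGNORECASE)

def mac_to_int(mac):
    """Convert dotted (0021.d790.fba0) or colon/dash notation to a 48-bit int."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def parse_acl(text):
    """Return a list of (acl_number, action, address, wildcard) tuples."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"not a MAC access-list entry: {line!r}")
        number = int(m.group(1))
        if not 700 <= number <= 799:
            raise ValueError(f"access-list {number} is outside the MAC range 700-799")
        entries.append((number, m.group(2).lower(),
                        mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries

def evaluate(entries, acl_number, client_mac):
    """First matching entry wins; no match means the implicit deny applies."""
    client = mac_to_int(client_mac)
    for number, action, address, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFFFFFF   # wildcard bits set to 1 are ignored
        if number == acl_number and (client & care) == (address & care):
            return action
    return "deny"

# Constructed sample: the entry from this post, plus a hypothetical list 701
# whose mask ignores the last 24 bits and so admits every radio with that prefix.
SAMPLE = """
access-list 700 permit 0021.d790.fba0 0000.0000.0000
access-list 701 permit 0021.d790.0000 0000.00ff.ffff
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for mac in ("0021.d790.fba0", "0021.d790.fba1", "00:21:D7:90:12:34"):
        print(mac, evaluate(acl, 700, mac), evaluate(acl, 701, mac))
```

With the all-zero mask only 0021.d790.fba0 is permitted by list 700; the looser mask in the constructed list 701 shows how quickly a non-zero wildcard widens who may associate.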

Okay, we have an access list. Now we need to configure the dot11 association to use the access list:
BR1(config)#dot11 association mac-list 700

And that is it.
If it's the correct MAC, the non-root will still be able to connect to the root.
You can change the MAC in the access list and see whether the non-root makes a connection or not.

If the MAC is not the same as the non-root's, you'll see this at the root bridge:
*Mar 1 00:11:34.842: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response

Here's a nice link on the Cisco site:
Access Point ACL Filter Configuration Example


About Joost van der Made

