MAC Access list on Autonomous AP.
Sometimes you want an AP to work as a bridge, but you don’t want every other AP to be able to connect to this bridge, only a specific one.
This is possible with a MAC access list.
On the root bridge, you configure an access list:
access-list 700 permit 0021.d790.fba0 0000.0000.0000
Access lists 700 – 799 are for MAC addresses.
The MAC is the MAC of the non-root bridge that is going to have access to the root bridge.
To discover the MAC, run this on the non-root bridge:
AP5#sh contr d0
Radio AIR-AP1242GR, Base Address 0021.d790.fba0
To be very, very sure, you can first let the non-root bridge authenticate to the root bridge and then check at the root bridge:
BR1#sh dot11 ass all
Address : 0021.d790.fba0 Name : AP5
The 0000.0000.0000 is the wildcard mask of the access list. In this case the whole MAC must be exactly the same.
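The mask logic described above, as an added example that is not part of the original post: a small Python evaluator for 700-series entries, showing the exact-match mask next to a wider one. The WIDE entry and every MAC other than 0021.d790.fba0 are constructed for illustration, and the first-match and implicit-deny behaviour is the standard IOS ACL behaviour assumed here.

```python
# Added example: evaluates 700-series MAC ACL entries against a client MAC.
# Assumption: standard IOS ACL semantics (first match wins, implicit deny).
FULL = 0xFFFFFFFFFFFF  # 48 bits


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted notation (e.g. 0021.d790.fba0) into an integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def parse_acl(config: str, number: int = 700):
    """Return (action, address, mask) tuples for one MAC ACL (700-799)."""
    if not 700 <= number <= 799:
        raise ValueError("MAC access lists are numbered 700-799")
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["access-list", str(number)]:
            continue
        action, addr, mask = parts[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        entries.append((action, mac_to_int(addr), mac_to_int(mask)))
    return entries


def evaluate(entries, mac: str) -> str:
    """Return 'permit' or 'deny' for a MAC in Cisco dotted notation."""
    candidate = mac_to_int(mac)
    for action, addr, mask in entries:
        care = ~mask & FULL  # mask bits set to 1 are ignored in the compare
        if (candidate & care) == (addr & care):
            return action
    return "deny"  # nothing matched: implicit deny


EXACT = "access-list 700 permit 0021.d790.fba0 0000.0000.0000"  # from the post
WIDE = "access-list 700 permit 0021.d790.fba0 0000.00ff.ffff"   # constructed

if __name__ == "__main__":
    for name, acl in (("exact", EXACT), ("wide", WIDE)):
        for mac in ("0021.d790.fba0", "0021.d7aa.bbcc", "0022.d790.fba0"):
            print(name, mac, evaluate(parse_acl(acl), mac))
```

With the all-zero mask only the one radio is permitted; the wider mask lets any radio sharing the first 24 bits associate, which is why the post uses 0000.0000.0000.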
Okay, we have an access list. Now we need to configure the dot11 association to use the access list:
BR1(config)#dot11 association mac-list 700
And that is it.
If it’s the correct MAC, the non-root bridge will still be able to connect to the root bridge.
You can change the MAC in the access list and see whether the non-root bridge makes a connection or not.
If the MAC is not the same as the non-root bridge’s, you’ll see:
*Mar 1 00:11:34.842: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
at the root bridge.
Here’s a nice link on the Cisco site:
Access Point ACL Filter Configuration Example