Restricting Types of devices on a Wireless SSID

Unanswered Question
Apr 18th, 2008

I have a situation where I have wireless phones and access points that need to get DHCP and that reside on the same VLAN. I also have laptop devices that were improperly configured for the same SSID/VLAN. I would like to implement something that will allow the phones and APs to continue working on the VLAN but restrict the traffic from all other devices connected to that SSID, thus forcing the PC technicians responsible for the laptops to reconfigure them properly. I know the MAC addresses of the phones and APs.

MACs that I want to allow:

Prefix 00:90:7a:

Prefix 00:0c:e6:

I do not want any other source MAC addresses to be able to pass through the router interface to reach the DHCP server.

Thanks in advance for your suggestions.

carl_j_meza Sat, 04/19/2008 - 04:44

If your AP is an IOS-based AP, you can apply an ACL that will only allow those two MAC prefixes and explicitly deny everything else.

access-list 700 permit 0090.7a00.0000 0000.00ff.ffff

access-list 700 permit 000c.e600.0000 0000.00ff.ffff

dot11 association mac-list 700

p-blake Sat, 04/19/2008 - 08:20

The APs are from Meru 000c.e6 and the phones are Spectralink 0090.7a. Could I just apply the ACL to the port that the wireless controller connects to, to block any L2 traffic coming out of the controller?


carl_j_meza Sat, 04/19/2008 - 08:48

Depends on the switch and its capabilities. If it is a Cisco switch, you could try using 'mac access-list extended ' and apply a 'mac access-group ...' to the port.

p-blake Sat, 04/19/2008 - 10:05

The switch is a Cisco 4507. The port is a trunk port, though. Can I apply the access list to an individual VLAN on that trunk port? If not, can I apply the access list to the router interface of the VLAN that I want to filter the MACs on?

Thanks for the assistance.

