Restricting Types of devices on a Wireless SSID

p-blake
Level 1

I have a situation where I have wireless phones and access points that need to get DHCP and that reside on the same VLAN. I also have laptop devices that were improperly configured for the same SSID/VLAN. I would like to implement something that will allow the phones and APs to continue working on the VLAN but restrict the traffic from all other devices connected to that SSID, thus forcing the PC technicians responsible for the laptops to reconfigure them properly. I know the MAC addresses of the phones and APs.

MACs that I want to allow:

Prefix 00:90:7a:

Prefix 00:0c:e6:

I do not want any other source MAC addresses to be able to pass through the router interface to reach the DHCP server.

Thanks in advance for your suggestions.

5 Replies

Istvan_Rabai
Level 7

Hi Paul,

I believe you need 802.1x layer2 security for client authentication.

Look at this url:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

On the Cisco website you can find a lot of links about this, if you search for WLC and 802.1x together.

Cheers:

Istvan

carl_j_meza
Level 1

Hello,

If your AP is an IOS-based AP, you can apply an ACL that will only allow those two MAC prefixes and explicitly deny everything else.

access-list 700 permit 0090.7a00.0000 0000.00ff.ffff

access-list 700 permit 000c.e600.0000 0000.00ff.ffff

dot11 association mac-list 700

The APs are from Meru (000c.e6) and the phones are Spectralink (0090.7a). Could I just apply the ACL to the port that the wireless controller connects to, to block any L2 traffic coming out of the controller?

Thanks..

Depends on the switch and its capabilities. If it is a Cisco switch, you could try using 'mac access-list extended ' and apply a 'mac access-group ...' to the port.

The switch is a Cisco 4507. The port is a trunk port, though. Can I apply the access list to an individual VLAN on that trunk port? If not, can I apply the access list to the router interface of the VLAN that I want to filter the MACs on?

Thanks for the assistance.
