gamccall Tue, 11/25/2008 - 17:59
Guy walks into a bar, wearing a nametag that says "Joe Smith". Bouncer checks his list that says "Don't let Joe Smith in!" and kicks him out.

Joe gets a pen and scrawls an "e" at the end of Smith, so that his nametag now says "Joe Smithe", and turns around and walks right back into the bar. Bouncer checks his list again and says "you're good, have a great time!"

MAC addresses are trivially easy to spoof. And since MAC addresses are sent in the clear in 802.11 packets, it's trivially easy to sniff for a valid one.

With that said, if you're sure you want to implement MAC filters on your IOS AP, here's how:

access-list 700 deny 0123.4567.89ab 0000.0000.0000
access-list 700 permit any
dot11 association mac-list 700

(Or, use your ACL to permit the allowed MACs and then deny any, whichever way you want to do it.)
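
Added example, not part of the original post: a small Python generator that emits the ACL lines shown above in either the deny-list or the allow-list form the post mentions, normalizing common MAC notations to the dotted form IOS uses. The function names and sample addresses are constructed for illustration, and the catch-all line reuses the `any` keyword exactly as the post writes it.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac):
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex
    to the dotted form used in the post (0123.4567.89ab)."""
    digits = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_mac_acl(macs, mode="deny", acl=700):
    """Return IOS config lines for a MAC association filter.

    mode="deny"   -> block the listed MACs, permit everyone else (the post's example)
    mode="permit" -> allow only the listed MACs, deny everyone else (the post's alternative)
    """
    if mode not in ("deny", "permit"):
        raise ValueError("mode must be 'deny' or 'permit'")
    if not 700 <= acl <= 799:
        raise ValueError("IOS MAC address access lists are numbered 700-799")

    seen, lines = set(), []
    for mac in macs:
        dotted = to_cisco_mac(mac)
        if dotted in seen:  # same address written in two notations
            continue
        seen.add(dotted)
        # Mask 0000.0000.0000 matches this exact address, as in the post.
        lines.append(f"access-list {acl} {mode} {dotted} 0000.0000.0000")

    if mode == "permit" and not lines:
        # An allow-list with no entries would lock out every client.
        raise ValueError("refusing to build an empty allow-list")

    catch_all = "permit" if mode == "deny" else "deny"
    lines.append(f"access-list {acl} {catch_all} any")
    lines.append(f"dot11 association mac-list {acl}")
    return lines


if __name__ == "__main__":
    # Constructed sample addresses in mixed notations.
    sample = ["01:23:45:67:89:AB", "0123.4567.89ab", "00-11-22-33-44-55"]
    print("\n".join(build_mac_acl(sample, mode="permit")))
```

Either form still keys only on the client-supplied address, so the spoofing caveat at the top of the post applies to the generated list unchanged.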


