Aironet 1141 with WPA2 and MAC Filter Problem

Answered Question
May 19th, 2012

Hello everybody,

I have an Aironet 1141 with multiple VLANs configured, all with WPA2, but I need to put a MAC filter on only one VLAN, so I followed this manual:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap16-filters.html#wp1034897

Basically it is a MAC ACL applied to the sub-interface.

So I can associate to the AP, but no one can transmit or receive.

If I remove the ACL, all works fine.

My config:

access-list 700 permit <maclist>   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

interface Dot11Radio0.130
 encapsulation dot1Q 130
 no ip route-cache
 bridge-group 130
 bridge-group 130 subscriber-loop-control
 bridge-group 130 input-address-list 700
 bridge-group 130 output-address-list 700
 bridge-group 130 port-protected
 bridge-group 130 block-unknown-source
 no bridge-group 130 source-learning
 no bridge-group 130 unicast-flooding
 bridge-group 130 spanning-disabled

maldehne Sun, 05/20/2012 - 05:46

well well

The configuration looks fine.

Let me add something to your grasp of the feature.

Simply, once you have applied the list under the sub-interface representing that particular SSID, MAC addresses that are not permitted won't be able to get an IP address upon connecting to that SSID (simply blocked).

So denied MACs shouldn't work with that SSID. What I am not getting: do you mean even allowed clients are not able to forward traffic? I don't think it should be the case, because the config under the sub-interface looks fine, unless you have messed up something elsewhere.

One more thing: are you trying to test traffic forwarding by having permitted clients connected to the same SSID ping each other? If so, depending on what you have added, it shouldn't work even in normal situations because you have the magic word "port-protected". If that is the case, remove it and see how it goes.

------------------------------------------------------------

Please make sure to rate correct answers

AlanDaniel Mon, 05/21/2012 - 12:52

OK, good news:

It works if I use a static IP.

Thanks.

One more question: can I use a DHCP server even with the ACL applied? Is this possible? I assume that the ACL blocks DHCP.

best regards

AlanDaniel Mon, 05/21/2012 - 14:49

OK, if I use a static IP all works; the problem comes when I try to use DHCP. I assume that the ACL blocks DHCP, so is there some way to pass the DHCP traffic?

Best regards for your help

Correct Answer
maldehne Mon, 05/21/2012 - 20:16

In the output-address-list you should use another ACL with the same allowed MAC list plus ffff.ffff.ffff 0.0.0.0 to forward packets whose destination MAC address is broadcast.

Try it and let me know how it goes.

AlanDaniel Wed, 05/23/2012 - 08:17

Works, thanks.

One question.

Why not apply the same ACL to input and output?

maldehne Wed, 05/23/2012 - 23:17

Aha, great.

Why? It is very simple.

We should understand the main idea behind input and output ACLs in this context. It is not about direction; it is about the source and destination addresses.

When we say input, the filtering is done on the source address;

when we say output, the filtering is done on the destination address.

Since DHCP messages are destined either to a unicast or to a broadcast MAC address, we have to add the ffff......... to the list in the output direction but not the input, because we won't have it as a source at all.

Enjoy
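As an added illustration of the point maldehne makes (example code written for this page, not from the thread or from Cisco): a small Python model of the bridge-group address-list semantics, parsing Cisco-style MAC ACL lines (wildcard bits set to 1 are don't-care) and walking a DHCP exchange through the filter. The client and server MACs and the ACL 701 are constructed for the example; the radio-side model (input list checks source MAC on frames from the air, output list checks destination MAC on frames to the air) is an assumption drawn from the thread's explanation.

```python
import re

BCAST = "ffff.ffff.ffff"

def mac_to_int(mac):
    """Cisco dotted MAC notation (0011.2233.4455) to a 48-bit integer."""
    if not re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", mac.lower()):
        raise ValueError(f"bad MAC: {mac}")
    return int(mac.replace(".", ""), 16)

def parse_mac_acl(text):
    """Parse 'access-list 7xx permit|deny <mac> <wildcard>' lines (1 bits in the wildcard = don't care)."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) != 5 or p[0] != "access-list" or p[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((p[2] == "permit", mac_to_int(p[3]), mac_to_int(p[4])))
    return rules

def acl_permits(rules, mac):
    """First matching rule wins; a MAC matching no rule is dropped (implicit deny)."""
    m = mac_to_int(mac)
    for permit, addr, wild in rules:
        if (m ^ addr) & ~wild == 0:  # compare only the bits the wildcard cares about
            return permit
    return False

def radio_passes(frame, input_acl, output_acl):
    """Input list filters frames from the air by source MAC; output list filters frames to the air by destination MAC."""
    if frame["dir"] == "from_air":
        return acl_permits(input_acl, frame["src"])
    return acl_permits(output_acl, frame["dst"])

def dhcp_exchange_ok(input_acl, output_acl, client, server, broadcast_replies=True):
    """DISCOVER/OFFER/REQUEST/ACK through the filter; server replies are broadcast if the client set the broadcast flag."""
    reply_dst = BCAST if broadcast_replies else client
    frames = [{"dir": "from_air", "src": client, "dst": BCAST},    # DISCOVER
              {"dir": "to_air", "src": server, "dst": reply_dst},  # OFFER
              {"dir": "from_air", "src": client, "dst": BCAST},    # REQUEST
              {"dir": "to_air", "src": server, "dst": reply_dst}]  # ACK
    return all(radio_passes(f, input_acl, output_acl) for f in frames)

# Constructed sample: the thread's ACL 700 shape (one allowed client, then deny all) versus an output ACL 701 that also permits broadcast.
CLIENT, SERVER = "0011.2233.4455", "00aa.bbcc.dd01"
ACL_700 = parse_mac_acl("access-list 700 permit 0011.2233.4455 0000.0000.0000\n"
                        "access-list 700 deny 0000.0000.0000 ffff.ffff.ffff")
ACL_701 = parse_mac_acl("access-list 701 permit 0011.2233.4455 0000.0000.0000\n"
                        "access-list 701 permit ffff.ffff.ffff 0000.0000.0000\n"
                        "access-list 701 deny 0000.0000.0000 ffff.ffff.ffff")
```

With ACL 700 on both lists the broadcast OFFER/ACK is dropped on output while a static-IP client's unicast traffic still passes, which matches the behaviour reported in the thread; note that a server answering in unicast would pass even without the broadcast entry, so the symptom depends on the client's DHCP broadcast flag.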
