I have an Aironet 1141 with multiple VLANs configured, all with WPA2, but I need to put a MAC filter on only one VLAN, so I followed this manual:
Basically it is a MAC ACL applied to the sub-interface.
So, I can associate to the AP, but no one can transmit or receive.
If I remove the ACL, all works fine.
! MAC filter for the SSID on VLAN 130: permit the listed client MACs, deny everything else.
! The second field is a wildcard mask: 0000.0000.0000 = exact match, ffff.ffff.ffff = any address.
access-list 700 permit <maclist> 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
! Applied under the Dot11 sub-interface for VLAN 130.
encapsulation dot1Q 130
no ip route-cache
bridge-group 130 subscriber-loop-control
! List 700 is checked on received frames (source MAC) and on sent frames (destination MAC).
bridge-group 130 input-address-list 700
bridge-group 130 output-address-list 700
! port-protected stops clients on this sub-interface from talking to each other.
bridge-group 130 port-protected
bridge-group 130 block-unknown-source
no bridge-group 130 source-learning
no bridge-group 130 unicast-flooding
bridge-group 130 spanning-disabled
The configuration looks fine.
Let me add something to your grasp of the feature.
Simply put, once you have applied the list under the sub-interface representing that particular SSID, MAC addresses that are not permitted won't be able to get an IP address upon connecting to that SSID (they are simply blocked).
So denied MACs shouldn't work with that SSID. What I am not getting: do you mean even allowed clients are not able to forward traffic? I don't think that should be the case, because the config under the sub-interface looks fine, unless you have messed up something elsewhere.
One more thing: are you trying to test traffic forwarding by having permitted clients connected to the same SSID ping each other? If so, depending on what you have added, it shouldn't work even in normal situations, because you have the magic word "port-protected". If that is the case, remove it and see how it goes.
Please make sure to rate correct answers.
OK, good news:
It works if I use a static IP.
One more question: can I use a DHCP server even with the ACL applied? Is this possible? I assume that the ACL blocks DHCP.
OK, if I use a static IP all works; the problem comes when I try to use DHCP. I assume that the ACL blocks DHCP, so is there some way to pass the DHCP traffic?
Best regards, and thanks for your help.
Why? It is very simple.
We should understand the main idea behind input and output ACLs in this context. It is not about direction; it is about the source and destination addresses.
When we say input, the filtering is done on the source address.
When we say output, the filtering is done on the destination address.
Since DHCP messages are destined either to a unicast or to the broadcast MAC address,
we have to add ffff.ffff.ffff (the broadcast address) to the list in the output direction, but not in the input one, because
we won't have it as a source at all.
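To make the source/destination rule above concrete, here is a small simulator written for this edit (it is not code from the thread or from Cisco). It models 700-series MAC access lists with the wildcard-mask, first-match and implicit-deny semantics used in the posted config, and applies them the way the reply describes: the input-address-list is matched against the source MAC of frames received from wireless clients, the output-address-list against the destination MAC of frames the AP sends toward them. The client and server MACs, the DHCP exchange and the second list number 701 are constructed assumptions; the code does not prove how IOS orders its checks internally, only what follows from the rule as stated.

```python
"""
Added example: simulate bridge-group input-/output-address-list filtering
with Cisco IOS 700-series MAC access lists.

Semantics modelled (from the thread's explanation, not Cisco source):
  - 'access-list <n> permit|deny <mac> <wildcard>'; wildcard bits set to 1
    are "don't care", first matching entry wins, implicit deny at the end
  - input-address-list  -> checked against SOURCE MAC of frames from clients
  - output-address-list -> checked against DESTINATION MAC of frames to clients
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex (aabb.ccdd.eeff), colon or dash notation."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    mac: int
    wildcard: int   # 1 bits are ignored when comparing

    def matches(self, addr: int) -> bool:
        return (addr & ~self.wildcard) == (self.mac & ~self.wildcard)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <num> permit|deny <mac> <wildcard>' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unparseable ACL line: {line!r}")
        entries.append(Entry(parts[2], mac_to_int(parts[3]), mac_to_int(parts[4])))
    return entries


def acl_permits(acl: List[Entry], addr: str) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    a = mac_to_int(addr)
    for e in acl:
        if e.matches(a):
            return e.action == "permit"
    return False


def bridge_decision(frame: dict, input_acl: List[Entry], output_acl: List[Entry]) -> Tuple[bool, str]:
    """Apply the two lists to one frame crossing the SSID sub-interface.
    frame = {"name", "src", "dst", "from_client"}; from_client=True means the
    frame was received from a wireless client, False means it is sent to one."""
    if frame["from_client"]:
        if acl_permits(input_acl, frame["src"]):
            return True, "forwarded"
        return False, f"dropped by input-address-list (source {frame['src']})"
    if acl_permits(output_acl, frame["dst"]):
        return True, "forwarded"
    return False, f"dropped by output-address-list (destination {frame['dst']})"


# ---- constructed sample data (assumptions, not from the thread) ---------------
CLIENT = "0011.2233.4455"   # stands in for the elided <maclist> entry
SERVER = "00aa.bbcc.dd01"   # DHCP server on the wired side of VLAN 130

ACL_700 = parse_acl([                     # the list from the thread
    f"access-list 700 permit {CLIENT} 0000.0000.0000",
    "access-list 700 deny 0000.0000.0000 ffff.ffff.ffff",
])
ACL_701 = parse_acl([                     # assumed fix for output-address-list only
    "access-list 701 permit ffff.ffff.ffff 0000.0000.0000",
    f"access-list 701 permit {CLIENT} 0000.0000.0000",
    "access-list 701 deny 0000.0000.0000 ffff.ffff.ffff",
])

# Layer-2 view of a DHCP exchange where the client (no IP yet) sets the DHCP
# BROADCAST flag, so the server's OFFER/ACK come back to ffff.ffff.ffff.
DHCP_EXCHANGE = [
    {"name": "DISCOVER", "src": CLIENT, "dst": BROADCAST, "from_client": True},
    {"name": "OFFER",    "src": SERVER, "dst": BROADCAST, "from_client": False},
    {"name": "REQUEST",  "src": CLIENT, "dst": BROADCAST, "from_client": True},
    {"name": "ACK",      "src": SERVER, "dst": BROADCAST, "from_client": False},
]


def simulate(frames, input_acl, output_acl) -> Dict[str, Tuple[bool, str]]:
    """Return {frame name: (forwarded, reason)} for the given lists."""
    return {f["name"]: bridge_decision(f, input_acl, output_acl) for f in frames}


def dhcp_completes(frames, input_acl, output_acl) -> bool:
    return all(ok for ok, _ in simulate(frames, input_acl, output_acl).values())


if __name__ == "__main__":
    for label, out_acl in (("700 in / 700 out", ACL_700), ("700 in / 701 out", ACL_701)):
        print(f"== {label}")
        for name, (ok, why) in simulate(DHCP_EXCHANGE, ACL_700, out_acl).items():
            print(f"  {name:9s} {why}")
```

Running it shows the thread's symptom and fix side by side: with list 700 on both directions the OFFER and ACK are dropped by the output list because their destination is the broadcast address, while a unicast OFFER addressed to the client's own MAC would pass, which is also why a static IP works. With 701 as the output list the exchange completes, and a frame from a source MAC that is not in the list is still dropped by the input list, so the MAC filter keeps its effect.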