03-27-2003 12:17 PM - edited 07-04-2021 08:36 AM
Can someone point me to some good information on setting up filters on the 1220 AP? I have read Chapter 5 of the Configuration Guide, but it is pretty much useless.
What I would like to be able to do is block all traffic but certain ports on one of the VLANs on the AP. I know how to do it with access-lists on the routers, but I am
trying to figure out how to accomplish the same thing on the AP without adding every single port I want to block... for instance...
Only allow DHCP, DNS and HTTP traffic for users on a certain VLAN on the AP. I know how to apply it in the service sets, but actually setting it up is fuzzy. I have no problem reading for the solution, I just can't find the correct document to read.
Thanks
Don Hickey
03-27-2003 04:00 PM
Hi Don,
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350axb.htm
Maybe a combination of the above two URLs will help.
If you want to allow only DHCP, DNS, HTTP, ARP etc., allow those UDP ports.
Here is an example of blocking IPX traffic:
Step 1: Go under Setup -> Ethertype Filter.
Step 2: Under Set Name type BlockIPX and click on Add New.
Step 3: Under Default Disposition we have two options, forward and block. By default it is forward. Let it be the default (forward).
Step 4: Under Special Cases, type 0x8137 and click on Add New.
Step 5: You will get a new window with the options Disposition, Priority, Unicast Time-to-live, Multicast Time-to-live and Alert. Under Disposition select block. Leave the remaining fields at their defaults.
Repeat steps 4 and 5 and add types 0x8138, 0x00ff and 0x00e0 (in summary we need to block the 0x8137, 0x8138, 0x00ff and 0x00e0 type filters).
Step 6: With this we are done defining the "BlockIPX" filter. We still need to apply it on the interface: go to Setup -> Ethernet -> Filters. You will see the EtherType Receive and Forward sides. Apply the above filter and say OK.
Nilesh
03-27-2003 04:30 PM
Nilesh,
Thanks for the reply... Let me see if I have this correct in my mind...
Would I set up an ethertype filter to block TCP and UDP, etc., then set up a port filter to allow the ports I would like to pass?
What I don't want to have to do is add tons of ports that I want to block... You know how regular ACLs have a deny any at the end...
So far the documentation (and these forums) have got me through the authentication, per-user VLANs, and such. This is the last thing I am trying to nail down. I will have one of the VLANs as a guest VLAN that will only allow web and email traffic. I'll try this tomorrow...
Thanks again,
Don
03-28-2003 08:15 AM
You ever have the lightbulb just turn on in your head?
I am pretty sure I figured it out...
Set up the port filter with the default action of block and then configure the ports you want to forward... Duhhhh.
That is something that Cisco might want to add to their docs...
Thanks
Don
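As an added example (not code from this thread or from Cisco), the following Python models the filter semantics the two posts describe: a filter set is a default disposition plus special cases, the EtherType filter is evaluated first, and the IP port filter is applied only to IP frames (that last point is my assumption about the AP, not something the thread states). It contrasts Don's first idea (default forward with a block list) against his final one (default block with only DHCP, DNS and HTTP forwarded). The frames, names and port lists are constructed for the example.

```python
"""Model of the Aironet filter logic discussed in the thread (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FORWARD = "forward"
BLOCK = "block"

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
# The IPX EtherType / LSAP values listed in Nilesh's reply.
IPX_TYPES = (0x8137, 0x8138, 0x00FF, 0x00E0)


@dataclass
class FilterSet:
    """One filter as the AP presents it: a default disposition plus special cases."""
    name: str
    default: str
    special: Dict[object, str] = field(default_factory=dict)

    def disposition(self, key) -> str:
        # A listed special case wins; anything unlisted gets the default.
        return self.special.get(key, self.default)


@dataclass(frozen=True)
class Frame:
    """Constructed frame: EtherType plus, for IP, transport and destination port."""
    ethertype: int
    proto: Optional[str] = None      # "tcp" or "udp" for IP frames
    dport: Optional[int] = None


def decide(frame: Frame, ethertype_filter: FilterSet,
           port_filter: Optional[FilterSet]) -> str:
    """EtherType filter first; the IP port filter is assumed to see IP frames only."""
    if ethertype_filter.disposition(frame.ethertype) == BLOCK:
        return BLOCK
    if frame.ethertype != ETHERTYPE_IP or port_filter is None:
        return FORWARD          # ARP, IPX etc. never reach a port filter (assumption)
    return port_filter.disposition((frame.proto, frame.dport))


# Nilesh's BlockIPX filter: default forward, the IPX types blocked.
BLOCK_IPX = FilterSet("BlockIPX", FORWARD, {t: BLOCK for t in IPX_TYPES})

# Don's first idea: default forward and list ports to block (never complete).
BLOCKLIST_PORTS = FilterSet("BlockSome", FORWARD, {("tcp", 23): BLOCK})

# Don's final approach: default block, forward only DHCP, DNS and HTTP.
ALLOWLIST_PORTS = FilterSet("GuestPorts", BLOCK, {
    ("udp", 67): FORWARD, ("udp", 68): FORWARD,   # DHCP server / client
    ("udp", 53): FORWARD, ("tcp", 53): FORWARD,   # DNS
    ("tcp", 80): FORWARD,                         # HTTP
})

# Constructed sample traffic (not captured from the poster's network).
SAMPLE_FRAMES = {
    "arp":    Frame(ETHERTYPE_ARP),
    "ipx":    Frame(0x8137),
    "dhcp":   Frame(ETHERTYPE_IP, "udp", 67),
    "dns":    Frame(ETHERTYPE_IP, "udp", 53),
    "http":   Frame(ETHERTYPE_IP, "tcp", 80),
    "telnet": Frame(ETHERTYPE_IP, "tcp", 23),
    "smb":    Frame(ETHERTYPE_IP, "tcp", 445),
}


def evaluate(port_filter: FilterSet, frames=SAMPLE_FRAMES,
             ethertype_filter: FilterSet = BLOCK_IPX) -> Dict[str, str]:
    """Run every sample frame through both filters and report the verdicts."""
    return {name: decide(f, ethertype_filter, port_filter)
            for name, f in frames.items()}


def leaks(port_filter: FilterSet) -> List[str]:
    """IP frames a port filter forwards although they are not DHCP, DNS or HTTP."""
    wanted = {"dhcp", "dns", "http"}
    verdicts = evaluate(port_filter)
    return sorted(n for n, v in verdicts.items()
                  if v == FORWARD
                  and SAMPLE_FRAMES[n].ethertype == ETHERTYPE_IP
                  and n not in wanted)


if __name__ == "__main__":
    for flt in (BLOCKLIST_PORTS, ALLOWLIST_PORTS):
        print(flt.name, evaluate(flt), "leaks:", leaks(flt))
```

The block-list filter still forwards the unlisted SMB frame, which is the "no deny any at the end" problem Don describes; the default-block filter forwards only the listed ports while ARP still passes through the EtherType stage, so clients can still resolve their gateway.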