AP 1200 CLI mac filtering command not working for new Mac Address

meiyenlee
Level 1

I followed the instructions at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml#macbasedacls

to add a new MAC address on an Aironet AP1200. Unfortunately, it failed. Initially we added MAC addresses through the web interface, but because it could only allow 43 entries, we decided to use the CLI to add new MAC addresses to access-list 701 instead. Your advice would be truly appreciated. -thx mei

19 Replies

Surendra BG
Cisco Employee

Hi,

Let's copy the MAC filtering configuration from the CLI to a notepad and then, before the explicit deny statement, add the MAC entry. Now delete the MAC filter config on the AP and add the newly configured MAC filter, which contains the newly added MAC.

This may help you, because there are some issues when adding a MAC address after creating and applying the MAC filter; I mean the MAC entry may sit after the deny and fail.

We need to reconfigure. Let me know how this works out for you! I will be waiting for your response!

Regards

Surendra

Regards
Surendra BG

Actually, I did a permit instead of a deny for adding a new MAC address. My question is why it didn't take effect for allowing the new MAC through?

Are there other steps that I missed? Is a restart of the AP needed?

There is a default implicit deny statement at the bottom of the MAC filter. Whenever the MAC filter is modified, the new MAC which is added may not take effect. I have faced the same problem in my lab as well. So what I normally do is: copy the MAC filter config onto Notepad, then add the new MAC entry at the bottom before the implicit deny, and then I paste this onto the CLI and save, and then the MAC works. Somehow the newly added entry is not taking effect.

I request you to try this out and let me know how this works out for you!

Regards

Surendra


Here's part of the MAC filtering entries from the running config:

access-list 701 permit 001d.e08d.1103   0000.0000.0000
access-list 701 permit 5c59.4835.3b96   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
access-list 702 permit 001f.e10e.b444   0000.0000.0000
access-list 702 permit 78e4.0038.7e23   0000.0000.0000
access-list 702 permit 001b.7745.c586   0000.0000.0000
access-list 702 deny   0000.0000.0000   ffff.ffff.ffff

Should I delete all the red entries and then re-add the new MAC addresses with access-list "701"?

I guess from the part of the configuration, if you try connecting the clients with MAC 001f.e10e.b444, 78e4.0038.7e23, 001b.7745.c586, they are not able to connect.

Am I correct? Because I can see an implicit deny before them. So let your config be like this:

access-list 701 permit 001d.e08d.1103   0000.0000.0000
access-list 701 permit 5c59.4835.3b96   0000.0000.0000
access-list 702 permit 001f.e10e.b444   0000.0000.0000
access-list 702 permit 78e4.0038.7e23   0000.0000.0000
access-list 702 permit 001b.7745.c586   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff

To make this happen, you need to modify the configuration in a notepad in such a way that the red ones come before the deny statement. If you add the permit statement for the MAC while configuring, it will come after the deny, and then another deny will come at the bottom. So the first deny statement may be what is not allowing the further allowed clients to connect.

Then try connecting. Let me know how this works out for you!

Regards

Surendra


You're correct, none of the MAC addresses after the "deny" entry are able to come through.

Thanks for pointing this out. I will try it and give you the result on Monday.

So I telnet to the AP. Where is the MAC filter file? Do you mean the running-config file?

All the files I saw are: #dir

Directory of flash:/

    2  -rwx         209  Feb 28 2002 16:00:07 -08:00  env_vars
    3  -rwx        1048  Oct 16 2002 16:25:28 -07:00  private-multiple-fs
    4  -rwx        8174  Oct 15 2002 16:23:06 -07:00  startup-config.bk
    6  drwx         512  Jun 14 2006 01:50:29 -07:00  c1200-k9w7-mx.123-8.JA2
  158  -rwx        8047  Oct 07 2002 15:48:02 -07:00  lumiwap2-confg
  159  -rwx          27  Oct 16 2002 16:25:28 -07:00  private-config
  160  -rwx        8229  Oct 15 2002 16:25:36 -07:00  running-config-bk10282010
  161  -rwx        8229  Oct 16 2002 16:25:28 -07:00  config.txt

Do you mind giving me more detailed steps?

The MAC filter is not an explicit file. It is part of the configuration. So you need to delete the access-list 701 config in the AP configuration. I guess the command is:

no access-list 701. Not sure; please verify in the Configuration Guide. Then reconfigure the MAC filter access-list and let me know how this works out for you!

Regards

Surendra


My question now is: how do I edit the access-list 70x in an efficient way? I have at least 43 MAC addresses currently. Do I de-associate (no access-list 701) and re-create a new access-list 70x with 43+ MAC addresses every time I am adding a new MAC address? When you mentioned using an editor, what do you use? I thought the access-list entries could only be added through the command line.

Yes, there is a limitation using the CLI as well. I am filing a bug for this. However, to answer your question: we need to copy all the MAC filter statements onto the notepad; we need to make sure no permit command will come after the implicit deny; then remove the access-list configuration on the AP by issuing the command "no access-list #"; then copy the modified MAC list which is there in the notepad to the AP CLI. This works. I am filing a bug to fine-tune this feature and maybe in the next release this will be fixed.

Regards

Surendra


Surendra,

Thank you for your time and helpful answers. However, since the AP is in production, I will also need a backup plan in case of failure.

If the new list didn't work, could I still re-associate access-list 701 back?

Here's the plan to recreate the new list 703. Does it look OK to you?

#config term
AP#no access-list 701
AP#access-list  703 permit 001d.e08d.1103   0000.0000.0000
.
.                                     all the entries from access-list 701 (43+ entries)
.
AP#access-list  703 permit 5c59.4835.3b96   0000.0000.0000
AP#access-list  703 deny   0000.0000.0000   ffff.ffff.ffff
AP# dot11 association mac-list  703
AP# dot11 association mac-list  701 (in case of failure, fall back to access-list 70)

Second thought: I should re-create the list 703 first, then "no access-list 701", and then "dot11 association mac-list 703" to minimize downtime. Will that work?
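A small checker for the situation worked through in this thread, added here as an illustration (it is not code from the thread or from Cisco): it parses access-list 70x lines pasted from the running config, flags permit entries that sit below a deny-all line (Surendra's diagnosis), and emits the rebuild commands in the order of Mei's second plan, except that it applies the new list before removing the old one so the cutover has no gap. The "dot11 association mac-list" command is the one quoted in the thread, and the sample lines are the ones Mei posted.

```python
import re

# Constructed sample: the access-list lines quoted from Mei's running config.
SAMPLE_CONFIG = """\
access-list 701 permit 001d.e08d.1103   0000.0000.0000
access-list 701 permit 5c59.4835.3b96   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
access-list 702 permit 001f.e10e.b444   0000.0000.0000
access-list 702 permit 78e4.0038.7e23   0000.0000.0000
access-list 702 permit 001b.7745.c586   0000.0000.0000
access-list 702 deny   0000.0000.0000   ffff.ffff.ffff
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ACL_RE = re.compile(rf"^access-list\s+(\d+)\s+(permit|deny)\s+({MAC})\s+({MAC})$", re.I)
DENY_ALL_MASK = "ffff.ffff.ffff"

def parse_mac_acl(config, numbers):
    """(list_no, action, mac, mask) tuples for the given list numbers, in config order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) in numbers:
            entries.append((int(m.group(1)),) + tuple(g.lower() for g in m.groups()[1:]))
    return entries

def shadowed_permits(entries):
    """MACs whose permit line sits below a deny-all line, so the AP never reaches it."""
    seen_deny_all, shadowed = False, []
    for _, action, mac, mask in entries:
        if action == "deny" and mask == DENY_ALL_MASK:
            seen_deny_all = True
        elif action == "permit" and seen_deny_all:
            shadowed.append(mac)
    return shadowed

def rebuild_commands(entries, new_number, old_number):
    """Build the new list (all permits first, one deny-all last), apply it, then drop the old one."""
    cmds, seen = ["configure terminal"], set()
    for _, action, mac, mask in entries:
        if action == "permit" and mac not in seen:  # keep the first occurrence of each MAC only
            seen.add(mac)
            cmds.append(f"access-list {new_number} permit {mac} {mask}")
    cmds.append(f"access-list {new_number} deny 0000.0000.0000 {DENY_ALL_MASK}")
    cmds.append(f"dot11 association mac-list {new_number}")  # cut over before removing the old list
    cmds.append(f"no access-list {old_number}")
    cmds.append("end")
    return cmds
```

Run shadowed_permits(parse_mac_acl(SAMPLE_CONFIG, {701, 702})) to see the three 702 MACs reported, and rebuild_commands(..., 703, 701) for the paste-ready block.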

Hi Mei,

Just now I tried this out in my lab and it's working! You can try to implement it. No problem!

Let me know how this works out for you!!

Regards

Surendra


Thank you for testing it on your end. This is the first time I have tried the Cisco support forum and I am very impressed with your technical expertise and great support.

I will be deploying the new list next Friday and will let you know the result. Again many thanks. -Mei
