Cisco Support Community
Community Member

AP 1200 CLI mac filtering command not working for new Mac Address

I followed instruction on http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml#macbasedacls

to add a new mac address on Aironet ap1200.  Unfortunately, it failed. Initially we added Mac addresses thru the web interface, but because it could only allow 43 entries, we decided to use CLI to add new Mac addresses to access-list 701 instead. Your advice would be truly appreciated. -thx mei

19 REPLIES
Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Hi,

Let's copy the MAC filtering configuration to a notepad from the CLI and then before the explicit deny statement, please add the MAC entry and now delete the MAC filter config on the AP and add the newly configured MAC filter which contains the newly added MAC..

This may help you!! coz there are some issues while adding the MAC addr after creating the MAC filter and applying.. I mean the MAC entry may sit after the deny and fail..

We need to re configure.. Let me know how this works out for you!! will be waiting for your response!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Actually, I did a permit instead of a deny for adding a new mac address. My question is why it didn't take effect for allowing the new mac coming thru?

Are there other steps that I missed? Is a restart of the AP needed?

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

There is a default implicit Deny statement at the bottom of the MAC filter.. whenever the MAC filter is modified.. the new MAC which is added may not take effect.. I have faced the same problem in my lab as well.. So what I normally do is... Copy the MAC filter config on to Notepad then add the new MAC entry at the bottom before the implicit Deny and then I will paste this onto the CLI and save and then the MAC works.. Somehow the newly added entry is not taking effect..

I request you to try this out and let me know how this works out for you!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Here's part of Mac filtering entries from running config:

access-list 701 permit 001d.e08d.1103   0000.0000.0000

access-list 701 permit 5c59.4835.3b96   0000.0000.0000

access-list 701 deny   0000.0000.0000   ffff.ffff.ffff

access-list 702 permit 001f.e10e.b444   0000.0000.0000

access-list 702 permit 78e4.0038.7e23   0000.0000.0000

access-list 702 permit 001b.7745.c586   0000.0000.0000

access-list 702 deny   0000.0000.0000   ffff.ffff.ffff

Should I delete all the red entries and then re-add new mac addresses with access-list "701"?

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

I guess from the part of the configuration.. if you try connecting the clients with MAC  001f.e10e.b444  ,   78e4.0038.7e23   ,  001b.7745.c586  they are not able to connect..

Am I correct??? Because I can see an Implicit Deny before them... So let your config be like this..

access-list 701 permit 001d.e08d.1103   0000.0000.0000

access-list 701 permit 5c59.4835.3b96   0000.0000.0000

access-list 702 permit 001f.e10e.b444   0000.0000.0000

access-list 702 permit 78e4.0038.7e23   0000.0000.0000

access-list 702 permit 001b.7745.c586   0000.0000.0000

access-list 701 deny   0000.0000.0000   ffff.ffff.ffff

To make this happen.. You need to modify the configuration in a notepad in such a way that the RED ones come before the Deny statement.. if you add the permit statement for MAC while configuring, this will come after the Deny and then another Deny will come at the bottom. So the first Deny statement may be not allowing the further allowed clients to connect..

Then try connecting.. let me know how this works out for you!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

You're correct, none of the mac addresses after the "deny" entry are able to come thru.

Thx for pointing this out. I will try it and give you the result on Monday.

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

So I telnet to the AP. Where is the mac-filter file?  Do you mean running config-config file?

All the files I saw are: #dir

Directory of flash:/

    2  -rwx         209  Feb 28 2002 16:00:07 -08:00  env_vars

    3  -rwx        1048  Oct 16 2002 16:25:28 -07:00  private-multiple-fs

    4  -rwx        8174  Oct 15 2002 16:23:06 -07:00  startup-config.bk

    6  drwx         512  Jun 14 2006 01:50:29 -07:00  c1200-k9w7-mx.123-8.JA2

  158  -rwx        8047  Oct 07 2002 15:48:02 -07:00  lumiwap2-confg

  159  -rwx          27  Oct 16 2002 16:25:28 -07:00  private-config

  160  -rwx        8229  Oct 15 2002 16:25:36 -07:00  running-config-bk10282010

  161  -rwx        8229  Oct 16 2002 16:25:28 -07:00  config.txt

Do you mind giving me more detailed steps?

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

The MAC filter is not an explicit file... This is part of the configuration.. So u need to delete the Access-list 701 config in the AP configuration.. I guess the command is..

No access-list 701.. Not sure.. please verify in Configuration Guide.. then reconfigure the MAC filter Access-list and then let me know how this works out for you!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

My question now is: How do I edit the access-list 70x in an efficient way? I have at least 43 Mac addresses currently. Do I de-associate (no access-list 701) and re-create a new access-list 70x with 43+ mac addresses every time I am adding a new mac address? When you mentioned using an editor, what do u use? I thought the access-list entries could only be added thru command line.

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Yes.. there is a limitation using CLI as well... I am filing a bug for this.. however.. to answer your question.. we need to copy all the MAC filter statements on to the notepad.. we need to make sure no permit command will come after the implicit Deny.. then remove the access-list configuration on the AP by issuing the command "no access-list #" then copy the modified MAC list which is there in the notepad to the AP CLI... this works.. I am filing a bug to fine tune this feature and maybe in the next release this will be fixed..

Regards

Surendra
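
The ordering problem and rebuild procedure discussed in the replies above, as an added example that is not part of the original thread: a Python sketch that parses `access-list 7xx` lines, reports entries that sit behind an earlier match-all entry with the opposite action, and produces a reordered replacement list. The sample config is constructed from the failure state described in the thread; the function names and the new list number passed to `rebuild` are assumptions.

```python
import re

MAC = r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
# 700-series MAC ACL line: access-list <7xx> {permit|deny} <mac> <wildcard-mask>
LINE = re.compile(rf"^\s*access-list\s+(7\d\d)\s+(permit|deny)\s+{MAC}\s+{MAC}\s*$", re.I)
ANY = 0xFFFFFFFFFFFF  # mask ffff.ffff.ffff: every bit is "don't care"

def to_int(mac):
    return int(mac.replace(".", ""), 16)

def dotted(value):
    h = f"{value:012x}"
    return ".".join((h[0:4], h[4:8], h[8:12]))

def parse(config_text):
    """Return {list number: [(action, address, mask), ...]} in configured order."""
    acls = {}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m:
            num, action, addr, mask = m.groups()
            acls.setdefault(int(num), []).append((action.lower(), to_int(addr), to_int(mask)))
    return acls

def covers(earlier, later):
    """True when every MAC that `later` matches is already matched by `earlier`."""
    (_, a1, m1), (_, a2, m2) = earlier, later
    return (m2 & ~m1) == 0 and ((a1 ^ a2) & ~m1) == 0

def shadowed(entries):
    """MACs whose entry never fires: the first earlier match has the other action."""
    dead = []
    for i, entry in enumerate(entries):
        for earlier in entries[:i]:
            if covers(earlier, entry):
                if earlier[0] != entry[0]:
                    dead.append(dotted(entry[1]))
                break
    return dead

def rebuild(entries, old_num, new_num):
    """Commands for a fresh list: duplicates dropped, match-all entries moved last."""
    ordered = sorted(dict.fromkeys(entries), key=lambda e: e[2] == ANY)  # stable sort
    cmds = [f"access-list {new_num} {a} {dotted(ad)} {dotted(m)}" for a, ad, m in ordered]
    return cmds + [f"no access-list {old_num}", f"dot11 association mac-list {new_num}"]

# Constructed sample: a permit appended after the deny-all, then a second deny-all.
SAMPLE = """\
access-list 701 permit 001d.e08d.1103   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
access-list 701 permit 5c59.4835.3b96   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
"""
```

Running `shadowed(parse(SAMPLE)[701])` flags the permit that landed after the deny-all, and feeding the output of `rebuild(...)` back through `parse` and `shadowed` confirms the replacement list has no unreachable entries.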

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Surendra,

    Thank you for your time and helpful answers.  However, since the AP is in production, I will also need a backup plan in case of failure.

If the new list didn't work, could I still re-associate access-list 701 back?

Here's the plan to recreate new list 703. Does it look ok to you?

#config term

AP#no access-list 701

AP#access-list  703 permit 001d.e08d.1103   0000.0000.0000

.

.                                     all the entries from access-list 701(43+ entries)

.

AP#access-list  703 permit 5c59.4835.3b96   0000.0000.0000

AP#access-list  703 deny   0000.0000.0000   ffff.ffff.ffff

AP# dot11 association mac-list  703

AP# dot11 association mac-list  701 (in case of failure, fall back to access-list 70)

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

2nd thought.. I should re-create the list 703 first and then No access-list 701 and then

dot11 association mac-list  703 to minimize downtime. Will that work?

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Hi Mei,

Just now I tried this out in my LAB and it's working!! You can try implementing it.. No problem!!

Let me know how this works out for you!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Thank you for testing it on your end. This is the first time I tried the cisco support forum and I am very impressed with your technical expertise and great support.

I will be deploying the new list next Friday and will let you know the result. Again many thx. -Mei

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Thank u

It is my pleasure assisting you!!

Let me know how this works out for you..

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

new list works great. thx so much for your help.

Please let me know when the new release is available. It's kinda troublesome having to recreate a whole new list in order to add/delete a mac address.

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Thanks for the response!! It's nice to hear that the issue is resolved and the transition was smooth..

I have a thought.. by default there will be an implicit deny.. so don't configure the command "access-list 700 deny/ permit 0000.0000.0000 ffff.ffff.ffff" and try connecting a client which doesn't have the MAC address in the MAC table.. I think the client will not connect. So no need to configure the statement "access-list 700 deny/ permit 0000.0000.0000 ffff.ffff.ffff". Could you please try once?? I tried it out in my LAB and it worked!!

Regards

Surendra

Community Member

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Surendra,

     I took out the very last deny all entry and it worked. Thank you so much. Now I can modify Mac address changes without recreating a whole new list.

Mei

Cisco Employee

Re: AP 1200 CLI mac filtering command not working for new Mac Ad

Thank you for trying it out!! Have a great day!!

Regards

Surendra
