Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Autonomous Access Point ACL Filter Configuration

                             Autonomous Access Point ACL Filter Configuration


The below configurations will provide the info regarding the ACL configuration on the Autonomous APs which will be handy for more things!!


Configuring standard ACL
============================


You can use standard ACLs to allow or disallow the entry of client devices into the WLAN network based on the IP address of the client. Standard ACLs compare the source address of the IP packets to the addresses that are configured in the ACL in order to control traffic. This type of ACL can be referred to as a source IP address-based ACL.


en
conf t
access-list 10 deny host <ip addr of the client>
access-list 10 permit any


Ex-


en
conf t
access-list 10 deny host 192.168.10.1
access-list 10 permit any


Apply this to Interface..


Int dot11 0
ip access-group 25 in


Done!!


Similarly Standard Name ACLs
=============================


en
conf t
ip access-list standard <name>
deny host <ip addr>
permit any
exit


int dot11 0
ip access-group <name> in


Ex-


en
conf t
ip access-list standard test
deny host 192.168.10.1
permit any
exit


int dot11 0
ip access-group test in


EXTENDED ACLs on the AP
========================


Extended ACLs compare the source and destination addresses of the IP packets to the addresses that are configured in the ACL in order to control traffic. Extended ACLs also provide a means to filter traffic based on specific protocols. This provides a more granular control for the implementation of filters on a WLAN network.


Ex - Deny All traffic on AP and allow only DHCP.. (Can be Modified based on your needs and protocols)


en
conf t
ip access-list extended hi
permit udp any any eq bootpc
deny ip any any
exit


int dot11 0
ip access-group hi in


int dot11 0.X
ip access-group hi in


Int gig 0
ip access-group hi in


int gig 0.X
ip access-group hi in
end


DONE!!


Now TIME BASED ACL!!
===================


Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic.


This example illustrates how to configure a time-based ACL through the CLI, where Telnet connection is permitted from the inside to the outside network on weekdays during business hours:


Note: A time-based ACL can be defined either on the Fast Ethernet port or on the Radio port of the Aironet AP, based on your requirements. It is never applied on the Bridge Group Virtual Interface (BVI).


Ex shows to allow only telnet access to the AP between the time interval (Can be changed based on the needs)


en
conf t
time-range hi
period weekdays 9:00 to 19:00
ip access-list extended 111
permit tcp 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range hi
exit


int gig 0
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in


DONE!!

Comments

keep it up Surendra 5+