Cisco AP – ACLs

This post contains short notes about configuring ACLs on a Cisco Aironet AP.

In these examples I’ve used an AIR-AP1232AG-E-K device with Cisco IOS Software, Version 12.3(8)JED.

MAC ACLs

The following example shows how to configure packet filtering by device MAC address.

ap(config)#
ap(config)#access-list 700 deny   240a.6456.3701   0000.0000.0000   // mask 0000.0000.0000 = exact match on this MAC
ap(config)#access-list 700 permit 0000.0000.0000   ffff.ffff.ffff   // mask ffff.ffff.ffff = any other MAC
ap(config)#
ap(config)#access-list 701 deny   310a.1000.1135   0000.0000.0000
ap(config)#access-list 701 permit 0000.0000.0000   ffff.ffff.ffff
ap(config)#
ap(config)#interface dot11Radio 0
ap(config-if)#l2-filter bridge-group-acl  // use bridge-group ACLs on this interface
ap(config-if)#bridge-group 1 input-address-list 700  // filter frames entering the AP from the radio by source MAC (wireless client)
ap(config-if)#bridge-group 1 output-address-list 701 // filter frames leaving the AP on the radio by destination MAC (wireless client)
ap(config-if)#
ap(config-if)#interface fastEthernet 0
ap(config-if)#l2-filter bridge-group-acl  // use bridge-group ACLs on this interface
ap(config-if)#bridge-group 1 input-address-list 702  // filter frames entering from the wired side by source MAC (ACLs 702/703 are not defined in this example)
ap(config-if)#bridge-group 1 output-address-list 703 // filter frames leaving on the wired side by destination MAC (wired device)
ap(config-if)#

MAC ACLs (associations)

You can use MAC address ACLs to block or allow association to the access point (instead of filtering
traffic). In this example we will disallow association for one client.

ap(config)#
ap(config)#access-list 715 deny   240a.6456.3701   0000.0000.0000
ap(config)#access-list 715 permit 0000.0000.0000   ffff.ffff.ffff
ap(config)#dot11 association mac-list 715
ap(config)#
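The two MAC ACL sections above (traffic filtering with access-list 700/701 and association control with access-list 715) rely on the same matching rule, which is easy to get backwards: the mask is a wildcard mask, so 0000.0000.0000 means "exact match" and ffff.ffff.ffff means "any". The following Python is an added example, not part of the original post and not Cisco code; it models that evaluation on constructed sample addresses, including the implicit deny at the end of a list and a hypothetical vendor-prefix (OUI) entry that goes beyond the page's exact-match examples.

```python
from typing import List, Tuple

# Constructed sample ACLs, written in the same form as the page's access-list
# entries: (action, MAC address, wildcard mask). Addresses are constructed.
AclEntry = Tuple[str, str, str]

ACL_700: List[AclEntry] = [
    ("deny",   "240a.6456.3701", "0000.0000.0000"),   # one station, exact match
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),   # everyone else
]

# Hypothetical vendor-prefix variant: deny any address whose first three
# octets (the OUI) are 240a.64, permit the rest.
ACL_OUI: List[AclEntry] = [
    ("deny",   "240a.6400.0000", "0000.00ff.ffff"),
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),
]

MAC_BITS = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (xxxx.xxxx.xxxx) into a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def entry_matches(mac: int, value: str, mask: str) -> bool:
    """Cisco MAC ACL masks are wildcard masks: a 1 bit means 'don't care'.
    Hence 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any
    address (the opposite of a subnet mask)."""
    care = ~mac_to_int(mask) & MAC_BITS
    return (mac & care) == (mac_to_int(value) & care)


def evaluate(acl: List[AclEntry], mac: str) -> str:
    """Return 'permit' or 'deny' as the AP would for one frame or association:
    the first matching entry wins, and a list with no match denies implicitly."""
    m = mac_to_int(mac)
    for action, value, mask in acl:
        if entry_matches(m, value, mask):
            return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for station in ("240a.6456.3701", "240a.64ab.cdef", "0011.2233.4455"):
        print(station, evaluate(ACL_700, station), evaluate(ACL_OUI, station))
    # A list holding only the deny line blocks every station, which is why the
    # page's lists all end with the permit-any entry.
    print("deny-only list:", evaluate(ACL_700[:1], "0011.2233.4455"))
```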

IP ACL

The following example shows how to deny Telnet sessions to a specified host (logging each match) while permitting all other IP traffic.

ap(config)#
ap(config)#ip access-list extended MyACL
ap(config-ext-nacl)#deny tcp any host 192.168.0.105 eq telnet log
ap(config-ext-nacl)#permit ip any any
ap(config-ext-nacl)#
ap(config-ext-nacl)#interface fast0
ap(config-if)#ip access-group MyACL in
ap(config-if)#

Verification (match counters), shown here for an extended ACL named Login:

ap#show access-lists Login
Extended IP access list Login
    30 deny tcp any host 192.168.0.105 eq telnet (9 matches)
    50 permit ip any any (600 matches)
ap#

Ethertype ACL

You can also create Ethertype filters. These filters use the Ethertype field of the Ethernet frame, which indicates which protocol is encapsulated in the frame. For example, you can use them to filter all IPv4 or all IPv6 packets.
