This document describes how to configure MAC address filters on Cisco standalone Access Points (APs) with the use of the CLI.
Cisco recommends that you have basic knowledge of these topics:
- Configuration of a wireless connection with use of an Aironet AP and an Aironet 802.11 a/b/g Client Adapter
- Authentication methods
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
MAC address filters are powerful tools to control the forwarding of unicast and multicast packets. For instruction on how to configure a MAC address filter on the GUI, refer to the Configuring and Enabling MAC Address Filters section of the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.3(2)JA.
Complete these steps in order to filter MAC-based ACLs with the CLI.
- Log in to the AP through the CLI.
- Use the console port or Telnet in order to access the ACL through the Ethernet interface or the wireless interface.
- Enter this command in order to enter the global configuration mode on the AP CLI:
AP# configure terminal
- Create a MAC address ACL 701:
access-list 701 deny 0811.967e.c384 0000.0000.0000
- Enter these commands in order to apply this MAC-based ACL to the radio interface:
Interface Dot11radio 0 or Inter dot11radio 1
dot11 association mac-list 701
After you configure this filter on the AP, the client with this MAC address, which was previously associated to the AP, is disassociated. The AP console sends this message:
AccessPoint# *Aug 29 01:42:36.743: %DOT11-6-DISASSOC: Interface
Dot11Radio0, Deauthenticating Station 0811.967e.c384
There is currently no specific troubleshooting information available for this configuration.