Wireless, LAN (WLAN)

MAC Address Filters on Autonomous Access Points Configuration Example

Document ID: 116582

Updated: Oct 24, 2013

Contributed by Salma Sulthana, Cisco TAC Engineer.



This document describes how to configure MAC address filters on Cisco standalone Access Points (APs) with the use of the CLI.



Cisco recommends that you have basic knowledge of these topics:

  • Configuration of a wireless connection with use of an Aironet AP and an Aironet 802.11 a/b/g Client Adapter
  • Authentication methods

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

MAC address filters are powerful tools to control the forwarding of unicast and multicast packets. For instruction on how to configure a MAC address filter on the GUI, refer to the Configuring and Enabling MAC Address Filters section of the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.3(2)JA.


Complete these steps in order to filter MAC-based ACLs with the CLI.

  1. Log in to the AP through the CLI.

  2. Use the console port or Telnet in order to access the ACL through the Ethernet interface or the wireless interface.

  3. Enter this command in order to enter the global configuration mode on the AP CLI:
    AP# configure terminal
  4. Create a MAC address ACL 701:
    access-list 701 deny 0811.967e.c384 0000.0000.0000

    Note: This ACL denies all traffic to and from the client with MAC address 0811.967e.c384.

  5. Enter these commands in order to apply this MAC-based ACL to the radio interface:
    Config terminal
    dot11 association mac-list 701


After you configure this filter on the AP, the client with this MAC address, which was previously associated to the AP, is disassociated. The AP console sends this message:

AccessPoint# *Aug 29 01:42:36.743: %DOT11-6-DISASSOC: Interface
         Dot11Radio0, Deauthenticating Station 0811.967e.c384


There is currently no specific troubleshooting information available for this configuration.

Updated: Oct 24, 2013
Document ID: 116582