Download PDF

Configure ACL Filters on

Aironet Access Points
Cisco | Profile | Contacts & Feedback | Help
Cisco SMB Support Assistant
Configure ACL Filters on Aironet Access Points
Home > Work With My Wireless Devices > Cisco Aironet 1100 and 1200 Series Access Points > Configure ACL Filters
on Aironet Access Points


Configure ACL Filters on Aironet Access Points
Introduction
Requirements
ACL Filters Overview
Connect to the Access Point
Configure ACL Filters on the AP
Configure MAC Address Filters
Configure IP filters
Configure Ethertype Filters
Next Step
Troubleshoot the Procedure
Related Information
Introduction
This document describes how to configure ACL (Access Control Lists) filters on Aironet Access Points. This document
covers Cisco Aironet 1100 and 1200 Series Access Points (AP).
Back to Top
Requirements
To perform the steps described in this document, you need to have these items:
Complete the steps in Configure the Aironet Access Point.
Complete the Wireless Network Assignments Worksheet as instructed in the Site Survey.
Cisco Aironet Access points that is powered on and connected to your PC with a cross-over ethernet cable.
Cisco IOS Software Release 12.2 or later on your AP. If your system Software Release is 12.1 or earlier refer to
Upgrade the Software Image on the Aironet Access Point.
Back to Top
ACL Filters Overview
ACL Filters or Filters in general, are used to permit or deny access to the users based on certain criteria. ACL Filters
can be broadly classified into three categories namely MAC filters, IP filters and Ethertype filters.
MAC filters prevent or allow the forwarding of unicast and multicast packets either sent from or addressed to
specific MAC addresses. You can create a filter that passes traffic to all addresses except those you specify, or
you can create a filter that blocks traffic to all addresses except those you specify. MAC filters can also be used
to allow/block client association with the AP.
IP filters prevent or allow the forwarding of unicast and multicast packets either sent from or addressed to
specific IP addresses. They can also be used to filter traffic based on IP protocol (e.g. ICMP) or to filter traffic
based on port number used by the upper layer protocol.
Ethertype filters prevent or allow the use of specific protocols through the access point's Ethernet and radio
ports. These filters are used to filter protocols for wireless client devices, users on the wired LAN, or both. You
can apply all the three types of the access-list filters on the same interface in the same direction or as per your
requirement.
Back to Top
Connect to the Access Point
To connect to the access points, follow these steps:
Connect your PC to the Access Point (AP) with a cross-over Ethernet cable. 1.
Configure your PC with an IP address that is on the same subnet as the AP. Refer to Configure an IP Address
on Your PC for instructions on how to change your PC's Internet settings.
2.
Open a browser on the PC, and enter the AP's IP address (field W5 on your Worksheet) in the Address field. 3.
When prompted to log in, enter your username and network password (field W8 on your Worksheet), to go to
the AP's home page.
4.
Back to Top
Service Requests
Open a service request
Update a service request
Feedback
Please rate this site:
++ + +/- - --
Suggestions for improvement:
If Cisco may contact you for more details
or for future feedback opportunities,
please enter your contact information:
Full Name:
Email:
1 of 10
Configure ACL Filters on the AP
Follow these steps, in order to configure different types of ACL filters on your AP:
Expand Services, and click Filters from the left side menu.
Back to Top
Configure MAC Address Filters
Follow these steps, in order to configure MAC address filters on the AP:
Click MAC Addresses Filters tab on the top of screen. 1.
To create a new filter, follow these steps:
Click NEW from Create/Edit Filter Index drop-down list.
Enter a number from 700 to 799 in the Filter Index box to uniquely identify this filter.
Enter the MAC Address and Mask in their respective fields.
Click the Action to forward or block this MAC address.
Click Add to add this entry to the list.
2.
2 of 10
Note: You can use the Mask field to specify the bytes to be matched in the given MAC address.
Enter all the required entries in the filter, and click Apply to save this filter.
Note: To apply this filter on an interface, proceed to step 4. Else, in order to apply this filter to allow/ block the
association with the AP, proceed to step 5.
3.
Follow these steps, in order to apply this newly created filter to a physical interface, to filter the traffic which
flows across the interface:
Click the Apply Filters tab on the top of the screen.
Click the direction to apply this filter next to the desired interface.
Click Apply to apply the newly created filter to the interface.
4.
3 of 10
Follow these steps, in order to use this filter, to allow or block association to the AP:
Expand Security and, click Advanced Security from the left side menu.
Make sure that in MAC Address Authentication tab, MAC address authenticated by Local List only is
chosen.
Note: MAC address authenticated by Local List check box is selected by default.
Click Association Access List tab on top of the screen, and select the newly created filter.
Click Apply to apply this filter for MAC address association to the AP.
5.
4 of 10
Back to Top
Configure IP filters
Follow these steps, in order to configure IP filters on the AP:
Select IP Filters tab on top of the screen. 1.
To create a new filter, make sure that NEW is selected from the Create/Edit Filter Name drop-down list. Enter
the name of the filter in Filter Name box.
2.
To allow or block IP packets from a source to destination address, enter the addresses and masks in the
respective boxes. Click the action to forward or block, and then click Add.
3.
5 of 10
In order to allow or block an IP protocol, click the IP protocol from the list or enter your own custom number.
Click the action to forward or block, and click Add.
4.
Scroll down the screen, and click the service or port from the list or enter your own custom port number, to allow
or block a TCP/UDP service. Click the action to forward or block, and click Add.
5.
Add all the necessary entries to the list, and click Apply to save this filter. 6.
6 of 10
To apply this newly created filter to a physical interface, click the Apply Filters tab on the top of the screen.
Click the direction to apply this filter next to desired interface.
7.
Click Apply to apply the newly created filter to the interface. 8.
Back to Top
Configure Ethertype Filters
Follow these steps, in order to configure Ethertype filters on the AP:
Click Ethertype Filters tab on top of the screen. 1.
7 of 10
Follow these steps, in order to create a new filter:
Make sure NEW is selected from the Create/Edit Filter Index drop-down list. a.
Enter a number from 200 to 299 to uniquely identify this filter. b.
Enter the Ether Type number for the desired service or protocol to be allowed or blocked (e.g. 2000 for
CDP).
c.
Click the action to forward or block, and click Add. d.
Note: You can use the Mask field to specify the bytes to be matched in the given protocol number.
2.
Enter all the required entries in this list, and click Apply to save this filter. 3.
To apply this newly created filter to a physical interface, click the Apply Filters tab on the top of the screen. Next
to desired interface, select the direction to apply this filter.
4.
8 of 10
Click Apply to apply the newly created filter to the interface. 5.
Back to Top
Next Step
You have completed configuring ACL Filters on Aironet Access Point.
Refer to Configure the Wireless Client Adapter to configure your Wireless Client Adapter.
Refer to Wireless Support Page to make further changes to your AP.
Refer to Configuration Overview Page to configure other devices in your network.
Back to Top
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve
your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Problem Cause(s) and Suggested Solution(s)
You are unable to
log in to the AP.
Follow these steps:
Ensure that you use the proper cable. You must use a crossover Ethernet
cable, not a straight-through Ethernet cable. Refer to Cable Descriptions for
more information.
Verify the IP Address on your PC is in the same subnet as that of your AP.
Ensure that you enter the correct IP address of the AP in the PC browser.
Refer to, Reset a User Password on the Aironet Access Point.
Back to Top
Related Information
Site Survey
Password Security
Hardware Setup Procedure for the Aironet Access Point
9 of 10
Configure the Aironet Access Point
1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.
10 of 10