Aironet Access Points Cisco | Profile | Contacts & Feedback | Help Cisco SMB Support Assistant Configure ACL Filters on Aironet Access Points Home > Work With My Wireless Devices > Cisco Aironet 1100 and 1200 Series Access Points > Configure ACL Filters on Aironet Access Points
Configure ACL Filters on Aironet Access Points Introduction Requirements ACL Filters Overview Connect to the Access Point Configure ACL Filters on the AP Configure MAC Address Filters Configure IP filters Configure Ethertype Filters Next Step Troubleshoot the Procedure Related Information Introduction This document describes how to configure ACL (Access Control Lists) filters on Aironet Access Points. This document covers Cisco Aironet 1100 and 1200 Series Access Points (AP). Back to Top Requirements To perform the steps described in this document, you need to have these items: Complete the steps in Configure the Aironet Access Point. Complete the Wireless Network Assignments Worksheet as instructed in the Site Survey. Cisco Aironet Access points that is powered on and connected to your PC with a cross-over ethernet cable. Cisco IOS Software Release 12.2 or later on your AP. If your system Software Release is 12.1 or earlier refer to Upgrade the Software Image on the Aironet Access Point. Back to Top ACL Filters Overview ACL Filters or Filters in general, are used to permit or deny access to the users based on certain criteria. ACL Filters can be broadly classified into three categories namely MAC filters, IP filters and Ethertype filters. MAC filters prevent or allow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify. MAC filters can also be used to allow/block client association with the AP. IP filters prevent or allow the forwarding of unicast and multicast packets either sent from or addressed to specific IP addresses. They can also be used to filter traffic based on IP protocol (e.g. ICMP) or to filter traffic based on port number used by the upper layer protocol. Ethertype filters prevent or allow the use of specific protocols through the access point's Ethernet and radio ports. These filters are used to filter protocols for wireless client devices, users on the wired LAN, or both. You can apply all the three types of the access-list filters on the same interface in the same direction or as per your requirement. Back to Top Connect to the Access Point To connect to the access points, follow these steps: Connect your PC to the Access Point (AP) with a cross-over Ethernet cable. 1. Configure your PC with an IP address that is on the same subnet as the AP. Refer to Configure an IP Address on Your PC for instructions on how to change your PC's Internet settings. 2. Open a browser on the PC, and enter the AP's IP address (field W5 on your Worksheet) in the Address field. 3. When prompted to log in, enter your username and network password (field W8 on your Worksheet), to go to the AP's home page. 4. Back to Top Service Requests Open a service request Update a service request Feedback Please rate this site: ++ + +/- - -- Suggestions for improvement: If Cisco may contact you for more details or for future feedback opportunities, please enter your contact information: Full Name: Email: 1 of 10 Configure ACL Filters on the AP Follow these steps, in order to configure different types of ACL filters on your AP: Expand Services, and click Filters from the left side menu. Back to Top Configure MAC Address Filters Follow these steps, in order to configure MAC address filters on the AP: Click MAC Addresses Filters tab on the top of screen. 1. To create a new filter, follow these steps: Click NEW from Create/Edit Filter Index drop-down list. Enter a number from 700 to 799 in the Filter Index box to uniquely identify this filter. Enter the MAC Address and Mask in their respective fields. Click the Action to forward or block this MAC address. Click Add to add this entry to the list. 2. 2 of 10 Note: You can use the Mask field to specify the bytes to be matched in the given MAC address. Enter all the required entries in the filter, and click Apply to save this filter. Note: To apply this filter on an interface, proceed to step 4. Else, in order to apply this filter to allow/ block the association with the AP, proceed to step 5. 3. Follow these steps, in order to apply this newly created filter to a physical interface, to filter the traffic which flows across the interface: Click the Apply Filters tab on the top of the screen. Click the direction to apply this filter next to the desired interface. Click Apply to apply the newly created filter to the interface. 4. 3 of 10 Follow these steps, in order to use this filter, to allow or block association to the AP: Expand Security and, click Advanced Security from the left side menu. Make sure that in MAC Address Authentication tab, MAC address authenticated by Local List only is chosen. Note: MAC address authenticated by Local List check box is selected by default. Click Association Access List tab on top of the screen, and select the newly created filter. Click Apply to apply this filter for MAC address association to the AP. 5. 4 of 10 Back to Top Configure IP filters Follow these steps, in order to configure IP filters on the AP: Select IP Filters tab on top of the screen. 1. To create a new filter, make sure that NEW is selected from the Create/Edit Filter Name drop-down list. Enter the name of the filter in Filter Name box. 2. To allow or block IP packets from a source to destination address, enter the addresses and masks in the respective boxes. Click the action to forward or block, and then click Add. 3. 5 of 10 In order to allow or block an IP protocol, click the IP protocol from the list or enter your own custom number. Click the action to forward or block, and click Add. 4. Scroll down the screen, and click the service or port from the list or enter your own custom port number, to allow or block a TCP/UDP service. Click the action to forward or block, and click Add. 5. Add all the necessary entries to the list, and click Apply to save this filter. 6. 6 of 10 To apply this newly created filter to a physical interface, click the Apply Filters tab on the top of the screen. Click the direction to apply this filter next to desired interface. 7. Click Apply to apply the newly created filter to the interface. 8. Back to Top Configure Ethertype Filters Follow these steps, in order to configure Ethertype filters on the AP: Click Ethertype Filters tab on top of the screen. 1. 7 of 10 Follow these steps, in order to create a new filter: Make sure NEW is selected from the Create/Edit Filter Index drop-down list. a. Enter a number from 200 to 299 to uniquely identify this filter. b. Enter the Ether Type number for the desired service or protocol to be allowed or blocked (e.g. 2000 for CDP). c. Click the action to forward or block, and click Add. d. Note: You can use the Mask field to specify the bytes to be matched in the given protocol number. 2. Enter all the required entries in this list, and click Apply to save this filter. 3. To apply this newly created filter to a physical interface, click the Apply Filters tab on the top of the screen. Next to desired interface, select the direction to apply this filter. 4. 8 of 10 Click Apply to apply the newly created filter to the interface. 5. Back to Top Next Step You have completed configuring ACL Filters on Aironet Access Point. Refer to Configure the Wireless Client Adapter to configure your Wireless Client Adapter. Refer to Wireless Support Page to make further changes to your AP. Refer to Configuration Overview Page to configure other devices in your network. Back to Top Troubleshoot the Procedure This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance. Problem Cause(s) and Suggested Solution(s) You are unable to log in to the AP. Follow these steps: Ensure that you use the proper cable. You must use a crossover Ethernet cable, not a straight-through Ethernet cable. Refer to Cable Descriptions for more information. Verify the IP Address on your PC is in the same subnet as that of your AP. Ensure that you enter the correct IP address of the AP in the PC browser. Refer to, Reset a User Password on the Aironet Access Point. Back to Top Related Information Site Survey Password Security Hardware Setup Procedure for the Aironet Access Point 9 of 10 Configure the Aironet Access Point 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc. 10 of 10