Which configuration do you use?

Posted by: Pdfprep Category: 400-351

You are the network administrator of a Cisco Autonomous AP deployment. You want to stop a client with MAC address 5057.a89e.b1f7 and IP address 10.0.0.2 from associating to your APs.

Which configuration do you use?
A. access-list 700 deny 5057.a89e.b1f7 0000.0000.0000
   !
   dot11 association mac-list 700
B. access-list 700 permit 5057.a89e.b1f7 0000.0000.0000
   !
   dot11 association mac-list 700
C. ip access-list 25 deny host 10.0.0.2
   !
   interface Dot11Radio0
   ip access-group 25 in
   !
   interface Dot11Radio1
   ip access-group 25 in
D. ip access-list 25 deny host 10.0.0.2
   !
   interface Dot11Radio0
   ip access-group 25 out
   !
   interface Dot11Radio1
   ip access-group 25 out

Answer: AC

Explanation:

Filters Using MAC-Based ACLs

You can use MAC address-based filters in order to filter client devices based on the hard coded MAC address. When a client is denied access through a MAC-based filter, the client cannot associate with the AP. MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses.

This is the command syntax to create a MAC address-based ACL on the AP:

access-list access-list-number {permit | deny} 48-bit-hardware-address 48-bit-hardware-address-mask

In Cisco IOS Software Release 12.3(7)JA, MAC address ACLs can use numbers in the range of 700 to 799 as the ACL number. They can also use numbers in the expanded range of 1100 to 1199.

This example illustrates how to configure a MAC-based filter through the CLI, in order to filter the client with a MAC address of 0040.96a5.b5d4:

– Log in to the AP through the CLI.

Use the console port or Telnet in order to access the ACL through the Ethernet interface or the wireless interface.

– Enter global configuration mode on the AP CLI:

AP#configure terminal

– Create MAC address ACL 700. This ACL does not allow the client 0040.96a5.b5d4 to associate with the AP:

access-list 700 deny 0040.96a5.b5d4 0000.0000.0000
!--- This ACL denies all traffic to and from
!--- the client with MAC address 0040.96a5.b5d4.

– Issue this command in order to apply this MAC-based ACL to the radio interface:

dot11 association mac-list 700

Filters Using Standard Access Lists

You can use standard ACLs to allow or disallow the entry of client devices into the WLAN network based on the IP address of the client. Standard ACLs compare the source address of the IP packets to the addresses that are configured in the ACL in order to control traffic. This type of ACL can be referred to as a source IP address-based ACL.

The command syntax format of a standard ACL is access-list access-list-number {permit | deny} {host ip-address | source-ip source-wildcard | any}.

In Cisco IOS® Software Release 12.3(7)JA, the ACL number can be any number from 1 to 99. Standard ACLs can also use the extended range of 1300 to 1999. These additional numbers are expanded IP ACLs.

When a standard ACL is configured to deny access to a client, the client still associates to the AP. However, there is no data communication between the AP and the client.

This example shows a standard ACL that is configured to filter the client IP address 10.0.0.2 from the wireless interface (radio0 interface). The IP address of the AP is 10.0.0.1.

After this is done, the client with IP address 10.0.0.2 cannot send or receive data through the WLAN network even though the client is associated to the AP.

Complete these steps in order to create a standard ACL through the CLI:

– Log in to the AP through the CLI.

Use the console port or use Telnet in order to access the ACL through the Ethernet interface or the wireless interface.

– Enter global configuration mode on the AP:

AP#configure terminal

– Issue these commands in order to create the standard ACL:

AP(config)#access-list 25 deny host 10.0.0.2
!--- Create a standard ACL 25 to deny access to the
!--- client with IP address 10.0.0.2.
AP(config)#access-list 25 permit any
!--- Allow all other hosts to access the network.

– Issue these commands in order to apply this ACL to the radio interface:

AP(config)#interface Dot11Radio 0
AP(config-if)#ip access-group 25 in
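The two procedures above (the MAC-based association filter and the standard IP ACL on the radio interfaces) can be generated and sanity-checked from one small script. The following is an added example, not code from the page or from Cisco: a hypothetical helper that emits the IOS CLI lines for both filter types and enforces the ACL number ranges the page states for 12.3(7)JA. The closing "permit all MACs" entry in the MAC filter is an assumption added here (the page's example shows only the deny line), since numbered IOS ACLs end in an implicit deny.

```python
"""Hypothetical helper (added example, not from the page or Cisco): emit the
IOS CLI lines for the two client-filter types the page describes and check
the inputs against the ACL number ranges the page states for 12.3(7)JA."""
import ipaddress
import re

# Numbered-ACL ranges from the page: MAC ACLs 700-799 / 1100-1199,
# standard IP ACLs 1-99 / 1300-1999.
ACL_RANGES = {
    "mac": ((700, 799), (1100, 1199)),
    "standard": ((1, 99), (1300, 1999)),
}


def acl_number_is_valid(acl_number, kind):
    """True when acl_number falls in one of the ranges allowed for `kind`."""
    return any(lo <= acl_number <= hi for lo, hi in ACL_RANGES[kind])


def normalize_mac(mac):
    """Accept colon-, hyphen- or dot-separated (or bare) hex and return the
    IOS dotted form, e.g. 50:57:a8:9e:b1:f7 -> 5057.a89e.b1f7."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_association_filter(acl_number, denied_macs):
    """MAC-based filter: denied clients cannot associate with the AP at all."""
    if not acl_number_is_valid(acl_number, "mac"):
        raise ValueError(f"{acl_number} is not a MAC ACL number")
    lines = [f"access-list {acl_number} deny {normalize_mac(m)} 0000.0000.0000"
             for m in denied_macs]
    # Assumption (not on the page): IOS ACLs end in an implicit deny, so every
    # other MAC is permitted explicitly; mask ffff.ffff.ffff wildcards all bits.
    lines.append(f"access-list {acl_number} permit 0000.0000.0000 ffff.ffff.ffff")
    lines.append(f"dot11 association mac-list {acl_number}")
    return lines


def standard_ip_filter(acl_number, denied_hosts, radios=(0, 1), direction="in"):
    """Standard (source IP) ACL applied to the radio interfaces: the client
    still associates, but its data traffic is dropped."""
    if not acl_number_is_valid(acl_number, "standard"):
        raise ValueError(f"{acl_number} is not a standard IP ACL number")
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    # IPv4Address() rejects malformed input before it reaches the config.
    lines = [f"access-list {acl_number} deny host {ipaddress.IPv4Address(h)}"
             for h in denied_hosts]
    lines.append(f"access-list {acl_number} permit any")  # allow all other hosts
    for radio in radios:
        lines.append(f"interface Dot11Radio{radio}")
        lines.append(f" ip access-group {acl_number} {direction}")
    return lines


def block_client(mac, ip, mac_acl=700, ip_acl=25):
    """Both filters for one client, as in the question's scenario."""
    return mac_association_filter(mac_acl, [mac]) + standard_ip_filter(ip_acl, [ip])


if __name__ == "__main__":
    print("\n".join(block_client("5057.a89e.b1f7", "10.0.0.2")))
```

Running the script prints the MAC filter first (the only part that stops the association itself) followed by the standard ACL applied inbound on both radios, which leaves the client associated but without data connectivity, matching the distinction the explanation draws between the two filter types.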

Reference:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/68097-accesspt.html
