姜维博客
欢迎来访~

胖AP mac地址过滤

本文介绍在思科胖AP上配置mac地址过滤的方法,比较简单,记录一下。

思路

1.需要创建一个MAC地址访问列表,该列表在700-799数字范围内。
2.使用dot11 association mac-list命令将其绑定在无线接口上。

配置

代表只允许mac为0026.5a0e.3123的设备接入网络,其它设备无法。
0000.0000.0000代表48位硬件地址掩码,默认都需要加上。
 
代表拒绝 mac为0026.5a0e.3123的设备接入网络,其它设备可以接入。

范例

ap#show dot11 associations 

802.11 Client Stations on Dot11Radio0: 

SSID [CORPORATE] : 

MAC Address    IP address      Device        Name            Parent         State     
0026.5a0e.3123 10.100.146.129  ccx-client    -               self           Assoc         // JUST ALLOW THIS 
10a5.d0e0.7456 10.100.146.133  ccx-client    -               self           Assoc    

ap#configure terminal                  
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

ap(config)#access-list 701 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

ap(config)#access-list 701 permit ?
  H.H.H  48-bit hardware address

ap(config)#access-list 701 permit 0026.5a0e.3123 ?
  H.H.H  48-bit hardware address mask
  <cr>

ap(config)#access-list 701 permit 0026.5a0e.3123 0000.0000.0000 
ap(config)#

ap(config)#dot11 association ?
  mac-list  filter client with a MAC address access list

ap(config)#dot11 association mac-list ?
  <700-799>  Ethernet address access list

ap(config)#dot11 association mac-list 701        // APPLY TO RADIO INTERFACE
ap(config)#
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 10a5.d0e0.7456 
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station d025.988f.7789 
*Oct 28 09:49:01.374: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 28 09:49:01.403: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 28 09:49:01.414: %DOT11-4-MAXRETRIES: Packet to client 10a5.d0e0.7456 reached max retries, removing the client
 *Oct 28 10:12:04.141: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0026.5a0e.3123 Associated KEY_MGMT[NONE]

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0: 

SSID [CORPORATE] : 

MAC Address    IP address      Device        Name            Parent         State     
0026.5a0e.3123 10.100.146.129  ccx-client    -               self           Assoc

附:web配置方法

 Security > Advance Security > Association Access List > Define Filter. 
Type the Filter Index (starts in ACL number 700 and ends 799) > type the MAC address in dotted hexadecimal format (HHHH.HHHH.HHHH) > under Action choose either Forward or Block > Add > Apply.

 
 

 
 
 
 
可附来源转载:姜维博客 » 胖AP mac地址过滤

评论 1

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
  1. #1

    赞,很有帮助!

    rockiee2811年前 (2017-10-17)回复

待添加阿里云优惠