16-6
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter16 Configuring Filters
Configuring Filters Using the Web-Browser Interface
The following example applies the MAC address access list 701 created above to the Radio 0 interface,
in the inbound direction. However, no VLAN was created on the interface, and so the ACL is applied to
the default bridge group 1:
ap(config)# interface dot11Radio 0
ap(config-if)# l2-filter bridge-group-acl
ap(config-if)# bridge-group 1 input-address-list 701
In the following example, a VLAN 33 was created and associated to Radio 1. The matching bridge group
33 was created between the radio 1 subinterface 33 and the Ethernet subinterface 33. The MAC address
filter is applied to the outgoing direction on radio 1 subinterface 33:
ap(config)# interface Dot11Radio1
ap(config-if)# l2-filter bridge-group-acl
ap(config-if)# exit
ap(config)# interface Dot11Radio1.33
ap(config-if)# bridge-group 33 output-address-list 701
Using MAC Address ACLs to Block or Allow Client Association to the Access Point
You can use MAC address ACLs to block or allow association to the access point. Instead of filtering
traffic across an interface, you use the ACL to filter associations to the access point radio.
Follow these steps to use an ACL to filter associations to the access point radio:
Step1 Follow Steps 1 through 10 in the “Creating a MAC Address Filter” section on page16-4 to create an
ACL. For MAC addresses that you want to allow to associate, select Forward from the Action menu.
Select Block for addresses that you want to prevent from associating. Select Block All from the Default
Action menu.
Step2 Click Security to browse to the Security Summary page. Figure16-3 shows the Security Summary page.
Figure16-3 Security Summary Page
LBS access point
LBS access point
WLSE
LBS
location
server
127867
LBS access pointLBS access point