Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This KB provides information on how to create an access-list to block unwanted users from connecting to a SSID.
How to create an access-list to block unwanted users from connecting to a SSID.
To block rogue devices from connecting to an SSID, you can configure either a layer 2 access-list (ACL) or a blocklist. The main difference between the two is that with a blocklist, devices with the listed MAC addresses cannot associate to the AP at all; with an ACL, the same device still associates, and possibly even authenticates on the controller, but cannot pass any traffic.
To configure an ACL, perform the following procedure:
- Create an ACL for the MAC addresses to which access has to be denied.
- Add a deny entry for each MAC address to that ACL, followed by a final entry that permits any other MAC address (see the example). Entries are matched in order, so the deny entries must precede the permit entry.
- After the ACL has been created or modified, it must also be committed; otherwise the modifications are not applied.
The syntax for adding an entry in an ACL is:
WLC# set security acl name acl-name {permit|deny} mac {any | src-mac-addr} {dest-mac-addr | any | bpdu | broadcast | multicast | pvst} ethertype {ethertype-hex | any | arp | ipv4 | ipv6}
An example for an ACL is:
set security acl name mac-acl deny mac 11:22:33:44:55:66 ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
set security acl name mac-acl deny mac AA:BB:CC:DD:EE:FF ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
set security acl name mac-acl permit mac 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
commit security acl name mac-acl
where 11:22:33:44:55:66 and AA:BB:CC:DD:EE:FF are the MAC addresses of the devices to which access has to be denied. The ACL name in the commit command must be the same as the one used in the set commands, or the entries you added are not the ones that get committed.
You will also have to apply the ACL to the service-profile on which it has to be enforced:
set service-profile test attr filter-id mac-acl.in
where
- test is the name of the service-profile,
- mac-acl is the name of the ACL, and
- in or out selects the direction: in applies the ACL to traffic received from the client, out to traffic sent to the client. To block a device, in is the direction that matters, as in the example.
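The whole procedure above, from the deny entries to the service-profile binding, as an added Python helper; this is example code written for this page, not Juniper or MSS code. It takes a list of MAC addresses in any common notation, rejects malformed ones, removes duplicates and emits the MSS CLI lines in the required order (deny entries, then permit-any, then commit, then filter-id). The command strings are copied verbatim from the example on this page and should be checked against the MSS command reference for the release in use. The ACL name, service-profile name and MAC list below are constructed inputs, and the name-consistency check at the end is mine: it catches the slip of committing or binding an ACL under a name that differs from the one the entries were added under.

```python
"""Generate the MSS CLI lines for a MAC deny ACL from a list of MAC addresses.

Added example; not Juniper/MSS code. The command strings are copied from the
example on this page and should be checked against the MSS command reference
for the release in use.
"""
import re

# Taken from the page's example: the mask used for one specific source MAC,
# and the address/mask pair used to match any MAC.
HOST_MASK = "ff:ff:ff:ff:ff:ff"
ANY_MAC = "00:00:00:00:00:00 ff:ff:ff:ff:ff:ff"


def normalize_mac(mac: str) -> str:
    """Return mac as lower-case, colon-separated octets.

    Accepts 11:22:33:44:55:66, 11-22-33-44-55-66, 1122.3344.5566 and
    112233445566; anything that is not exactly 12 hex digits once the
    separators are removed is rejected instead of being passed to the WLC.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_mac_deny_acl(acl_name, denied_macs, service_profile, direction="in"):
    """Return the ordered CLI lines that deny denied_macs on service_profile.

    Order matters: ACL entries are matched top-down, so every deny entry is
    emitted before the final permit-any entry, the ACL is committed under the
    same name, and only then is it bound to the service-profile.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if not acl_name or re.search(r"\s", acl_name):
        raise ValueError("ACL name must be a single token")
    macs = []
    for mac in denied_macs:  # normalise and drop duplicates, keeping input order
        m = normalize_mac(mac)
        if m not in macs:
            macs.append(m)
    if not macs:
        raise ValueError("no MAC addresses to deny")

    lines = [
        f"set security acl name {acl_name} deny mac {m} {HOST_MASK} {ANY_MAC} ethertype any"
        for m in macs
    ]
    lines.append(f"set security acl name {acl_name} permit mac {ANY_MAC} {ANY_MAC} ethertype any")
    lines.append(f"commit security acl name {acl_name}")
    lines.append(f"set service-profile {service_profile} attr filter-id {acl_name}.{direction}")
    return lines


# One pattern per command type that carries the ACL name.
_ACL_NAME_PATTERNS = (
    re.compile(r"^set security acl name (\S+) "),
    re.compile(r"^commit security acl name (\S+)$"),
    re.compile(r"^set service-profile \S+ attr filter-id (\S+)\.(?:in|out)$"),
)


def acl_names_consistent(lines):
    """True if the set, commit and filter-id lines all name the same ACL.

    Committing or binding a different name than the entries were added under
    (e.g. 'acl-mac' vs 'mac-acl') leaves the intended ACL uncommitted or binds
    an ACL that does not exist, and the target device is never blocked.
    """
    names = set()
    for line in lines:
        for pat in _ACL_NAME_PATTERNS:
            m = pat.match(line)
            if m:
                names.add(m.group(1))
                break
    return len(names) == 1


if __name__ == "__main__":
    # Constructed input: the two MACs from the page's example, one of them
    # repeated in a different notation to show normalisation and de-duplication.
    for line in build_mac_deny_acl(
        "mac-acl", ["11:22:33:44:55:66", "AA:BB:CC:DD:EE:FF", "aabb.ccdd.eeff"], "test"
    ):
        print(line)
```

Paste the printed lines into the WLC CLI in the order given. Running acl_names_consistent over a hand-typed variant before pasting is a cheap way to catch a name mismatch between the set, commit and filter-id lines.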
Note: This is a viable solution only for networks that face a limited number of rogue devices. If the number of unwanted devices grows, it is recommended to configure a blocklist instead.
2020-12-01: Tagged article for EOL/EOE