Saturday, February 6, 2010

IOS Access Point ACL Filters

I've been trying to find the right commands for enabling ACLs on 1242s.  I think I've found the right document - this one references commands that *acutally* work on code version 12.4(13d)JA (lab software list)  Excerpt below of ACL Filter Configuration document:

  • Filters that use standard ACLs

    • In Cisco IOS® Software Release 12.3(7)JA, the ACL number can be any number from 1 to 99. Standard ACLs can also use the extended range of 1300 to 1999. These additional numbers are expanded IP ACLs.
    • When a standard ACL is configured to deny access to a client, the client still associates to the AP. However, there is no data communication between the AP and the client.

    • The command syntax format of a standard ACL is access-list access-list-number {permit | deny} {host ip-address | source-ip source-wildcard | any}.

    • AP#access-list 25 deny host
          !--- Create a standard ACL 25 to deny access to the
          !--- client with IP address
      AP#access-list 25 permit any
          !--- Allow all other hosts to access the network.
      AP#interface Dot11Radio 0
      AP#ip access-group 25 in
          !--- Apply the standard ACL to the radio interface 0.
  • Filters that use extended ACLs

    •  In Cisco IOS Software Release 12.3(7)JA, extended ACLs can use numbers in the range of 100 to 199. Extended ACLs can also use numbers in the range of 2000 to 2699. This is the expanded range for extended ACLs.
    • Extended ACLs compare the source and destination addresses of the IP packets to the addresses that are configured in the ACL in order to control traffic. Extended ACLs also provide a means to filter traffic based on specific protocols. This provides a more granular control for the implementation of filters on a WLAN network.
    • Extended ACLs allow a client to access some resources on the network while the client cannot access the other resources. For example, you can implement a filter that allows DHCP and Telnet traffic to the client while it restricts all other traffic

    •  This is the command syntax of extended ACLs: Note: This command is wrapped to four lines because of spatial considerations.

      access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} protocol source source-wildcard
      destination destination-wildcard [precedence precedence] 
      [tos tos] [log | log-input] [time-range time-range-name]
    •  AP#ip access-list extended 100
          !--- Create an extended ACL 100 to allow Telnet and DHCP.
      AP#permit tcp any any eq telnet
          !--- Allow Telnet traffic.
      AP#permit udp any any eq bootpc
          !--- Allow DHCP traffic.
      AP#permit udp any any eq bootps
          !--- Allow DHCP traffic.
      AP#deny ip any any
          !--- Deny all other traffic types.
          !--- Return to global configuration mode.
  • Filters that use MAC address ACLs

    •  In Cisco IOS Software Release 12.3(7)JA, MAC address ACLs can use numbers in the range of 700 to 799 as the ACL number. They can also use numbers in the expanded range of 1100 to 1199. 
    •  You can use MAC address-based filters in order to filter client devices based on the hard coded MAC address. When a client is denied access through a MAC-based filter, the client cannot associate with the AP. MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses.

    • This is the command syntax to create a MAC address-based ACL on the AP:
      Note: This command has been wrapped to two lines because of spatial considerations.
          access-list access-list-number {permit | deny}
          48-bit-hardware-address 48-bit-hardware-address-mask
    • AP#configure terminal
      AP#access-list 700 deny 0040.96a5.b5d4 0000.0000.0000
          !--- This ACL denies all traffic to and from
          !--- the client with MAC address 0040.96a5.b5d4.
      AP#dot11 association mac-list 700
          !--- Apply the MAC-based ACL.
      After you configure this filter on the AP, the client with this MAC address, which was previously associated to the AP, is disassociated. The AP console sends this message:
      AP# *Mar 1 01:42:36.743: %DOT11-6-DISASSOC: Interface
               Dot11Radio0, Deauthenticating Station 0040.96a5.b5d4
  • Filters Using Time-Based ACLs
    • Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic..
    • Note: A time-based ACL can be defined either on the Fast Ethernet port or on the Radio port of the Aironet AP, based on your requirements. It is never applied on the Bridge Group Virtual Interface (BVI).
    •  AP#configure terminal
      AP#time-range Test
          !--- Create a time-range with name Test.
      AP(config-time-range)# periodic weekdays 7:00 to 19:00
          !--- Allows access to users during weekdays from 7:00 to 19:00 hrs.
      AP# ip access-list extended 101
      AP#permit tcp eq telnet time-range Test
          !--- This ACL permits Telnet traffic to and from
          !--- the network for the specified time-range Test.
      Issue this command in order to apply this time-based ACL to the Ethernet interface:
      AP#interface FastEthernet0
      AP#ip address
      AP#ip access-group 101 in
          !--- Apply the time-based ACL.
 Avoid the use of both the CLI and the web-browser interfaces to configure the wireless device. If you configure the wireless device with the CLI, the web-browser interface can display an inaccurate interpretation of the configuration. However, the inaccuracy does not necessarily mean that the wireless device is misconfigured. For example, if you configure ACLs with the CLI, the web-browser interface can display this message: 
Filter 700 was configured on interface Dot11Radio0.1 using CLI.
It must be cleared via CLI to ensure proper operation of the web interface.

1 comment: