学思科三层路由器、交换机、防火墙,当然离不开思科模拟器cisco packet tracer,因为软件几乎和实际的物理硬件无差异,直接在电脑上就模拟了物理环境,大大的解决了学习无硬件的难题......
2022-07-04 200 思科模拟器
胖AP mac地址过滤实现教程
路由器教程
2022-08-30
本文介绍在思科胖AP上配置mac地址过滤的方法,比较简单,记录一下。
思路
1.需要创建一个MAC地址访问列表,该列表在700-799数字范围内。
2.使用dot11 association mac-list命令将其绑定在无线接口上。
配置
configure terminal
access-list 701 permit 0026.5a0e.3123 0000.0000.0000
dot11 association mac-list 701
代表只允许mac为0026.5a0e.3123的设备接入网络,其它设备无法。
0000.0000.0000代表48位硬件地址掩码,默认都需要加上。
configure terminal
access-list 701 deny 0026.5a0e.3123 0000.0000.0000
dot11 association mac-list 701
代表拒绝 mac为0026.5a0e.3123的设备接入网络,其它设备可以接入。
范例
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client – self Assoc // JUST ALLOW THIS
10a5.d0e0.7456 10.100.146.133 ccx-client – self Assoc
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
ap(config)#access-list 701 ?
deny Specify packets to reject
permit Specify packets to forward
ap(config)#access-list 701 permit ?
H.H.H 48-bit hardware address
ap(config)#access-list 701 permit 0026.5a0e.3123 ?
H.H.H 48-bit hardware address mask
<cr>
ap(config)#access-list 701 permit 0026.5a0e.3123 0000.0000.0000
ap(config)#
ap(config)#dot11 association ?
mac-list filter client with a MAC address access list
ap(config)#dot11 association mac-list ?
<700-799> Ethernet address access list
ap(config)#dot11 association mac-list 701 // APPLY TO RADIO INTERFACE
ap(config)#
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 10a5.d0e0.7456
*Oct 28 09:49:01.194: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station d025.988f.7789
*Oct 28 09:49:01.374: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct 28 09:49:01.403: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 28 09:49:01.414: %DOT11-4-MAXRETRIES: Packet to client 10a5.d0e0.7456 reached max retries, removing the client
*Oct 28 10:12:04.141: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0026.5a0e.3123 Associated KEY_MGMT[NONE]
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [CORPORATE] :
MAC Address IP address Device Name Parent State
0026.5a0e.3123 10.100.146.129 ccx-client – self Assoc
附:web配置方法
Security > Advance Security > Association Access List > Define Filter.
Type the Filter Index (starts in ACL number 700 and ends 799) > type the MAC address in dotted hexadecimal format (HHHH.HHHH.HHHH) > under Action choose either Forward or Block > Add > Apply.
标签: 胖AP mac地址过滤
相关文章
