There are quite a few methods to filter certain kinds of traffic on Cisco's autonomous access points. This post gives an overview of the different methods and how to use them, organised by use case.
| Use case | Configuration |
|---|---|
| Deny wireless client to associate with AP | `access-list 700 deny 1c1d.862c.70f0 0000.0000.0000`<br>`access-list 700 permit 0000.0000.0000 ffff.ffff.ffff`<br>`dot11 association mac-list 700` |
| Deny wireless client to associate with specific SSID | `access-list 700 deny 1c1d.862c.70f0 0000.0000.0000`<br>`access-list 700 permit 0000.0000.0000 ffff.ffff.ffff`<br>`interface Dot11RadioX.X`<br>` bridge-group x input-address-list 700` |
| Deny wireless client to client traffic | `interface Dot11RadioX.X`<br>` bridge-group x port-protected` |
| Deny wireless to wired IPv4 traffic | `ip access-list extended ACL-IPV4-DENY`<br>` deny icmp any any`<br>` permit ip any any`<br>`interface Dot11RadioX.X`<br>` ip access-group ACL-IPV4-DENY in` |
| Deny wireless to wired IPv6 traffic | `ipv6 access-list ACL-IPV6-DENY`<br>` deny icmp any any`<br>` permit ipv6 any any`<br>`interface Dot11RadioX`<br>` ipv6 traffic-filter ACL-IPV6-DENY in`<br>Note: it is possible to apply this ACL on a sub-interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063. |
| Deny wired to wireless IPv4 traffic | `ip access-list extended ACL-IPV4-DENY`<br>` deny icmp any any`<br>` permit ip any any`<br>`interface gigabitEthernetX.X`<br>` ip access-group ACL-IPV4-DENY in` |
| Deny wired to wireless IPv6 traffic | `ipv6 access-list ACL-IPV6-DENY`<br>` deny icmp any any`<br>` permit ipv6 any any`<br>`interface gigabitEthernetX`<br>` ipv6 traffic-filter ACL-IPV6-DENY in`<br>Note: it is possible to apply this ACL on a sub-interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063. |
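The first two rows rely on a 48-bit MAC access list (numbers 700-799), whose entries are evaluated top-down with an address and a wildcard mask: a mask bit of 0 means "this address bit must match", a mask bit of 1 means "don't care", and any list ends with an implicit deny. That is why the explicit `permit 0000.0000.0000 ffff.ffff.ffff` entry matters: without it, `dot11 association mac-list 700` would refuse every client. The following Python script is an added example, not part of the original post or of Cisco's software; it parses the `access-list 7xx` lines from a config snippet, evaluates a client MAC against them with the same wildcard semantics, and flags a list that lacks the trailing permit-all. The `SAMPLE_CONFIG`, `ONLY_DENY_CONFIG` and `OUI_CONFIG` strings are constructed for the example; the last one goes one step beyond the post by showing a mask (`0000.00ff.ffff`) that matches a whole vendor prefix rather than a single station.

```python
"""Simulate Cisco IOS MAC access-list (700-799) evaluation.

Added example for the post above; not Cisco code. It models the wildcard-mask
semantics of `access-list <700-799> {permit|deny} <mac> <wildcard>`.
"""
import re
from dataclasses import dataclass
from typing import List

# Dotted-hex MAC as IOS prints it: hhhh.hhhh.hhhh (case-insensitive)
MAC_RE = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$")
MAC_BITS = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Convert 'hhhh.hhhh.hhhh' to a 48-bit integer; reject anything else."""
    m = MAC_RE.match(mac.lower())
    if not m:
        raise ValueError(f"not a dotted-hex MAC address: {mac!r}")
    return int("".join(m.groups()), 16)


@dataclass
class MacAce:
    """One access-control entry: action, address and wildcard mask."""
    action: str      # "permit" or "deny"
    address: int
    wildcard: int    # 1-bits are ignored during comparison

    def matches(self, mac: int) -> bool:
        care = ~self.wildcard & MAC_BITS          # bits that must match
        return (mac & care) == (self.address & care)


def parse_mac_acl(config: str, number: int) -> List[MacAce]:
    """Extract the entries of access-list <number> from a config snippet."""
    aces: List[MacAce] = []
    for line in config.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "access-list"
                and parts[1] == str(number) and parts[2] in ("permit", "deny")):
            aces.append(MacAce(parts[2], mac_to_int(parts[3]), mac_to_int(parts[4])))
    return aces


def evaluate(aces: List[MacAce], mac: str) -> str:
    """Return the action the list applies to <mac>: first matching entry wins."""
    value = mac_to_int(mac)
    for ace in aces:
        if ace.matches(value):
            return ace.action
    return "deny"   # implicit deny at the end of every Cisco access list


def ends_with_permit_any(aces: List[MacAce]) -> bool:
    """Lint: does the list close with an explicit permit-all entry?"""
    return bool(aces) and aces[-1].action == "permit" and aces[-1].wildcard == MAC_BITS


# Constructed sample snippets (the MAC in SAMPLE_CONFIG is the one from the post)
SAMPLE_CONFIG = """\
access-list 700 deny 1c1d.862c.70f0 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 700
"""

# Constructed: a list that forgot the permit-all -> blocks every client
ONLY_DENY_CONFIG = """\
access-list 701 deny 1c1d.862c.70f0 0000.0000.0000
"""

# Constructed: wildcard 0000.00ff.ffff matches any station whose first
# 24 bits (vendor prefix) are 1c1d.86
OUI_CONFIG = """\
access-list 702 deny 1c1d.8600.0000 0000.00ff.ffff
access-list 702 permit 0000.0000.0000 ffff.ffff.ffff
"""

if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_CONFIG, 700)
    for client in ("1c1d.862c.70f0", "1c1d.862c.70f1"):
        print(f"{client}: {evaluate(acl, client)}")
    if not ends_with_permit_any(parse_mac_acl(ONLY_DENY_CONFIG, 701)):
        print("access-list 701 has no permit-all: every client would be denied")
```

Run it against a copy of the running config to check which stations a given `dot11 association mac-list` or `input-address-list` would admit before pushing the change to the AP.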