Deny traffic on autonomous APs

There are quite a few methods to filter certain kinds of traffic on Cisco’s autonomous access-points. This post gives a overview of the different methods and how to use them based on use cases.

Use case Configuration
Deny wireless client to associate with AP access-list 700 deny 1c1d.862c.70f0 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffffdot11 association mac-list 700
Deny wireless client to associate with specific SSID access-list 700 deny 1c1d.862c.70f0 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffffinterface Dot11RadioX.X
bridge-group x input-address-list 700
Deny wireless client to client traffic interface Dot11RadioX.X
bridge-group x port-protected
Deny wireless to wired IPv4 traffic ip access-list extended ACL-IPV4-DENY
deny icmp any any
permit ip any anyinterface Dot11RadioX.X
ip access-group ACL-IPV4-DENY in
Deny wireless to wired IPv6 traffic ipv6 access-list ACL-IPV6-DENY
deny icmp any any
permit ipv6 any anyinterface Dot11RadioX
ipv6 traffic-filter ACL-IPV6-DENY in

Note: it is possible to apply this ACL on a sub interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063.

Deny wired to wireless IPv4 traffic ip access-list extended ACL-IPV4-DENY
deny icmp any any
permit ip any anyinterface gigabitEthernetX.X
ip access-group ACL-IPV4-DENY in
Deny wired to wireless IPv6 traffic ipv6 access-list ACL-IPV6-DENY
deny icmp any any
permit ipv6 any anyinterface gigabitEthernetX
ipv6 traffic-filter ACL-IPV6-DENY in

Note: it is possible to apply this ACL on a sub interface as well (just as with IPv4), however this does not have any effect on the traffic. See also bug CSCva17063.