Configuring MAC Filter for Bridge-to-Bridge Setup | CCIE Wireless Written Exam

Achieving MAC Filtering for Root and Non-Root Bridges

Question

In a bridge-to-bridge setup, the network administrator wants to allow only the root bridge the ability to associate to the non-root bridge.

To achieve this goal, the administrator decides to implement a MAC filter.

If 0017.dfa6.cdf0 is the MAC address of the root AP (ROOT_AP) and 0017.dfa6.ae13 is the MAC address of the non-root AP (NON-ROOT_AP), which command set will achieve this goal?

Answers

Explanations

A. B. C. D. E.

B.

In a bridge-to-bridge setup, the administrator wants to allow only the root bridge to associate with the non-root bridge. To achieve this goal, the administrator decides to implement a MAC filter.

A MAC filter can be implemented by defining an access list and applying it with the dot11 association mac-list command. The access list permits or denies the MAC addresses specified in it.

The MAC address of the root AP is 0017.dfa6.cdf0, and the MAC address of the non-root AP is 0017.dfa6.ae13. The goal is to allow only the root AP to associate with the non-root AP.
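
Added example (not part of the original page): a small Python model of how a 700-series MAC access list applied with dot11 association mac-list decides an association, assuming standard IOS ACL semantics (first match wins, wildcard-mask bits are ignored, implicit deny at the end). The function names and the sample configuration string are constructed for illustration.

```python
import re

# Constructed sample: the two filter lines used in the command sets on this page.
SAMPLE_CONFIG = """\
access-list 700 permit 0017.dfa6.cdf0
dot11 association mac-list 700
"""

# 700-799 is the IOS range for 48-bit MAC address access lists.
ACL_RE = re.compile(
    r"^access-list\s+(7\d\d)\s+(permit|deny)\s+([0-9a-f.]+)(?:\s+([0-9a-f.]+))?$", re.I)
APPLY_RE = re.compile(r"^dot11 association mac-list\s+(7\d\d)$", re.I)


def mac_to_int(mac: str) -> int:
    """Convert Cisco dotted-hex notation (0017.dfa6.cdf0) to a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def parse_filter(config: str):
    """Return (applied ACL number or None, {acl: [(action, addr, wildcard)]})."""
    acls, applied = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            num, action, addr, wild = m.groups()
            # No mask given means an exact host match (wildcard of all zeros).
            entry = (action.lower(), mac_to_int(addr), mac_to_int(wild or "0000.0000.0000"))
            acls.setdefault(int(num), []).append(entry)
        elif m := APPLY_RE.match(line):
            applied = int(m.group(1))
    return applied, acls


def may_associate(config: str, client_mac: str) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    applied, acls = parse_filter(config)
    if applied is None:
        return True  # no association filter configured, so nothing is filtered
    if applied not in acls:
        raise ValueError(f"mac-list references undefined access-list {applied}")
    mac = mac_to_int(client_mac)
    for action, addr, wild in acls[applied]:
        # Wildcard bits set to 1 are "don't care", as in other IOS ACLs.
        if (mac & ~wild) == (addr & ~wild):
            return action == "permit"
    return False
```
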

Option A:

    ROOT_AP# configure terminal
    ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0
    ROOT_AP(config)# dot11 association mac-list 700

This command set configures an access list with a permit statement for the MAC address of the root AP (0017.dfa6.cdf0) and associates it with the dot11 association mac-list command. This option achieves the goal of allowing only the root AP to associate with the non-root AP. Therefore, this is the correct answer.

Option B:

    NON-ROOT_AP# configure terminal
    NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0
    NON-ROOT_AP(config)# dot11 association mac-list 700

This command set configures an access list with a permit statement for the MAC address of the root AP (0017.dfa6.cdf0) and associates it with the dot11 association mac-list command on the non-root AP. This option allows the root AP to associate with the non-root AP, but it does not restrict any other APs from associating with the non-root AP. Therefore, this option is incorrect.

Option C:

    NON-ROOT_AP# configure terminal
    NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.ae13
    NON-ROOT_AP(config)# dot11 association mac-list 700

This command set configures an access list with a permit statement for the MAC address of the non-root AP (0017.dfa6.ae13) and associates it with the dot11 association mac-list command on the non-root AP. This option does not achieve the goal of allowing only the root AP to associate with the non-root AP. Therefore, this option is incorrect.

Option D:

    NON-ROOT_AP# configure terminal
    NON-ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0
    NON-ROOT_AP(config)# dot11 ssid bridge
    NON-ROOT_AP(config-ssid)# dot11 association mac-list 700

This command set configures an access list with a permit statement for the MAC address of the root AP (0017.dfa6.cdf0) on the non-root AP, but it also configures an SSID named "bridge" and associates the access list with the dot11 association mac-list command under that SSID. This option does not achieve the goal of allowing only the root AP to associate with the non-root AP. Therefore, this option is incorrect.

Option E:

    ROOT_AP# configure terminal
    ROOT_AP(config)# access-list 700 permit 0017.dfa6.cdf0
    ROOT_AP(config)# interface Dot11Radio0
    ROOT_AP(config-if)# dot11 association mac-list 700

This command set configures an access list with a permit statement for the MAC address of the root AP (0017.dfa6.cdf0) and associates it with the dot11 association mac-list command on the root AP's radio interface. This option restricts any devices from associating with the root AP's radio interface except for the MAC address of