Defines the actions taken based on an ACL rule configuration. Use the use > ip-access-list <IP-ACCESS-LIST-NAME> command to associate an ACL with the WLAN. The ACL rule is determined by the associated ACL‘s configuration.

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a Firewall can be thought of as mechanisms allowing and denying data traffic in respect to administrator defined rules.

WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC.

Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic.

Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}


acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}
acl exceed-rate Sets the action taken based on an ACL rule configuration (for example, drop a packet)
  • exceed-rate – Action is taken when the rate exceeds a specified value
wireless-client-denied-traffic <0-1000000> Sets the action to deny traffic to the wireless client when the rate exceeds the specified value
  • <0-1000000> – Specify a allowed rate threshold of disallowed traffic in packets/sec.

If enabled, this option allows an associated client, exceeding the thresholds configured for storm traffic, to be either de-authenticated or blacklisted depending on the action selected. This option is disabled by default.

blacklist <0-86400> Optional. Sets the time period for which an offending wireless client is blacklisted.
  • <0-86400> – Configures the blacklist duration from 0 - 86400 seconds. Offending clients are re-authenticated once the blacklist duration, configured here, is over.
disassociate Optional. When enabled, disassociates a blacklisted wireless client.


nx9500-6C8809(config-wlan-test)#acl exceed-rate wireless-client-denied-traffic
20 disassociate
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 accounting syslog host port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate

Related Commands

no (wlan-config-mode) Removes the action (de-authenticate or blacklist) to be taken when an associated client exceeds the thresholds configured for storm traffic