Cisco access-list 700-799
If I wanted to block one or two MAC addresses on the LAN (even though they have a valid IP), what's the syntax? For example, let's say the MAC address is 0090.aabb.0101. What's the syntax to prevent this MAC from getting out?

mikecr:

Here is an excerpt from a Cisco doc which gives you an example.

The following is an example that controls which traffic from Macintosh computers on the remote Ethernet LAN reaches the core router:

access-list 710 permit 0800.0298.0000 0000.0000.FFFF
access-list 710 deny 0800.0276.2917 0000.0000.0000
access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF
interface lex 0
 lex input-address-list 710

The first line of this access list permits traffic from any Macintosh whose MAC address starts with 0800.0298. The remaining two octets in the MAC address can be any value because the mask for these octets is FFFF ("don't care" bits).

The second line specifically rejects all traffic originating from a Macintosh with the MAC address of 0800.0276.2917. Note that none of the mask bits are "don't care" bits.

The third line specifically permits all traffic from other Macintoshes whose MAC addresses start with 0800. Note that in the mask, the "don't care" bits are the rest of the address.

At the end of the list is an implicit "deny everything" entry, meaning that any address that does not match an address or address group on the list is rejected.


alavan (asker):

O.K., I tried adding a

access-list 700 permit any

after denying the MAC and it didn't like the "any" part. How do I finish off this access list so that all other MAC addresses are allowed?

mikecr:

You can't use the "any" keyword in a MAC address access list, and I believe that this should work.

access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF

The FF means that it doesn't care what the MAC address is.

alavan (asker):

O.K., it took that. Now, considering that I want to apply this to FastEthernet0, what's the command to apply the list to the interface? It's not the same as a basic access-list.

Thanks.

Dear alavan,

The MAC access-lists are generally for use with IBM protocols.  They won't work on general layer-2 protocols as you wish them to.  They are for things like DLSw and RSRB.

Remember this:  layer-2 addresses are not passed through layer-3 hops.  So for filtering purposes, there is little value in a layer-2 address filter, as most devices one would wish to filter are going to contain the layer-2 address of the upstream router, making them all look the same from a layer-2 perspective.

In IBM protocols, however, the layer-2 address is maintained (since these protocols are normally non-routable layer-2 protocols!) and then encapsulated for RSRB and DLSw.  Cisco devices can examine the address within the encapsulation and filter accordingly with a 700-level MAC access-list.

For Apple, you can use the Appletalk access-list numbers from 600 to 699 and filter by cable range, zone, etc.

J.

alavan (asker):

Pharoah,

Thank you so much for the helpful comments. Is it then not at all possible to block access to the WAN if all I've got is a MAC address? I can't do it by IP because the user keeps changing their IP within our subnet.

Any helpful comments would be appreciated.

Thanks!



MAC addresses can be changed on many NICs now also, so filtering by MAC address doesn't really solve the core problem.  In my opinion, what you really need to do is get control of the PCs on your network.  

Here are a couple of ideas off the top of my head that you may want to look into:
* Restrict the users' permissions on the client machines so they cannot change the IP address.
* If you use DHCP, then use reservations. This way the client always gets the same address.
* Implement a proxy or content server that requires users to authenticate before they can access the Internet (e.g. Websense, SurfControl or Microsoft Proxy).

I'm sure there are lots of other things you could try too. Maybe after I get some sleep (I've been up for 37 hours now), I can come up with some more.

Hope it helps.  Good luck!

Hi Alavan,

Find below the commands to create and apply a standard access list for 48-bit MAC addresses. The interface has to be in a bridge group before the address list can be attached to it:

bridge 1 protocol ieee
!
access-list 700 deny   0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 1
 bridge-group 1
 bridge-group 1 input-address-list 700

If you want to restrict outbound traffic instead, you can use output-address-list on the bridge-group command.

Hope this helps. Good luck!

Jv.
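The matching rule the Cisco excerpt spells out earlier in the thread (a 1 bit in the mask is "don't care", entries are tried in order, the first match wins, anything unmatched hits the implicit deny) and the deny/permit-all pair in Jv's answer, worked through as an added example in Python. This is not code from the thread or from Cisco IOS; the names (`Entry`, `parse_acl`, `evaluate`, `mac_to_int`) and the sample config text are my own constructions, the list 700 entries use the asker's example MAC 0090.aabb.0101, and the model only covers the source-MAC lookup that a 700-799 list performs, not which interfaces or encapsulations IOS will actually apply it to.

```python
"""Model of Cisco IOS 48-bit MAC access lists (numbers 700-799).

Added example, not Cisco code and not from the thread. It reproduces
the semantics described in the quoted Cisco excerpt: each entry is an
address plus a mask whose 1 bits are "don't care", entries are tried
in order, the first match decides, and an unmatched address is denied.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MASK48 = 0xFFFFFFFFFFFF

# access-list <700-799> permit|deny <addr> <mask>, dotted-quad-of-hex form
_ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<addr>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<mask>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$",
    re.IGNORECASE,
)


def mac_to_int(mac: str) -> int:
    """Accept 0800.0298.0000, 08:00:02:98:00:00 or 08-00-02-98-00-00."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    addr: int
    mask: int     # 1 bits are wildcard ("don't care") bits

    def matches(self, mac: int) -> bool:
        care = ~self.mask & MASK48          # bits that must be equal
        return (mac & care) == (self.addr & care)


def parse_acl(config_lines: Sequence[str], number: int) -> List[Entry]:
    """Collect the entries of one list from IOS config text, in order.

    Lines belonging to other lists are skipped. A malformed line for the
    requested list (for instance the keyword "any", which 700-799 lists
    do not accept) raises ValueError rather than silently becoming a hole.
    """
    if not 700 <= number <= 799:
        raise ValueError("48-bit MAC access lists are numbered 700-799")
    entries: List[Entry] = []
    for raw in config_lines:
        line = raw.strip()
        if not line.startswith(f"access-list {number} "):
            continue
        m = _ACL_RE.match(line)
        if not m:
            raise ValueError(f"unparsable entry: {line!r}")
        entries.append(Entry(m["action"].lower(),
                             mac_to_int(m["addr"]), mac_to_int(m["mask"])))
    return entries


def evaluate(entries: Sequence[Entry], mac: str) -> Tuple[str, Optional[Entry]]:
    """First match wins; (decision, None) means the implicit deny fired."""
    value = mac_to_int(mac)
    for entry in entries:
        if entry.matches(value):
            return entry.action, entry
    return "deny", None


# Constructed sample configs: the Cisco doc excerpt quoted in the thread
# (list 710) and a list 700 that blocks only the asker's example MAC.
ACL_710 = [
    "access-list 710 permit 0800.0298.0000 0000.0000.FFFF",
    "access-list 710 deny   0800.0276.2917 0000.0000.0000",
    "access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF",
]
ACL_700 = [
    "access-list 700 deny   0090.aabb.0101 0000.0000.0000",
    "access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF",
]

if __name__ == "__main__":
    for number, lines in ((710, ACL_710), (700, ACL_700)):
        acl = parse_acl(lines, number)
        for mac in ("0800.0298.1234", "0800.0276.2917", "0800.0276.2918",
                    "0090.aabb.0101", "0090.aabb.0102"):
            decision, hit = evaluate(acl, mac)
            where = "implicit deny" if hit is None else f"entry {acl.index(hit) + 1}"
            print(f"list {number}: {mac} -> {decision} ({where})")
```

Running it prints, for example, that 0800.0276.2917 is denied by entry 2 of list 710 while 0800.0276.2918 is permitted by entry 3, and that 0090.aabb.0101 falls through to the implicit deny on list 710 but is caught by entry 1 on list 700. Feeding `access-list 700 permit any` to `parse_acl` raises, which mirrors the asker's experience that IOS rejects "any" in a 700-series list; the permit-everything entry is written as an all-zero address with an all-ones mask.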




alavan (asker):

ajvel,

I was optimistic, but it didn't work. The access-list goes in fine and it appears that the interface accepts the command, but it doesn't show in the config after it's applied to the interface and I could still ping this guy.

Any other ideas?

Chriskohn (asker certified solution):


alavan (asker):

Yes, unfortunately, there are always several IP's available to steal. On other networks we have managed switches so I can track thieves by their MAC.

On this property, however, there are only dumb hubs between all the users and the router.

So, as long as it's really not possible to filter by MAC addresses on the router, I'll close the ticket.

Thanks.

Thank you for the points, alavan. Again, until those several available IP addresses are used, you may wish to block them with extended access lists on the router; then even if stolen they can't be used. Again, thank you and good luck. worker