Cisco access-list 700-799

If I wanted to block one or two MAC addresses on the LAN (even though they have a valid IP), what's the syntax? For example, let's say the MAC address is 0090.aabb.0101. What's the syntax to prevent this MAC from getting out?
Chriskohn Commented:
Hi alavan:

I agree with mbruner's comments above and have reviewed the others as well.

Perhaps an easier way to restrict this individual's outbound access from your LAN via your router would be to tighten up the range of IP addresses available to your LAN hosts. Then you can of course use an extended ip access-control list preventing any individual's ip.

It sounds as though an individual is changing his static ip addressing at will. You could make all LAN hosts static or more strictly limit the dhcp range available. You can achieve this by manipulation of your addressing and subnet mask. If you carefully limit the number of possible addresses available, this could make it impossible for him to change his static ip address without creating a conflict in the LAN and standing out like a sore thumb, thus bringing attention to himself.

This whole problem sounds like an Administrative Policy change on your network is in order. It is, after all, for circumstances such as this that most networks have strict policies on use of ip addresses, allowing only one per host to be available. The reservation of a few extra that can be denied until needed is always possible as well.

Unless of course as mbruner points out, you wish to implement more expensive measures like a proxy server or something, your company's administrative policy with regard to networking probably needs looking into.

Good luck, worker
Here is an excerpt from a Cisco doc which gives you an example.

The following is an example that controls which traffic from Macintosh computers on the remote Ethernet LAN reaches the core router:

access-list 710 permit 0800.0298.0000 0000.0000.FFFF
access-list 710 deny 0800.0276.2917 0000.0000.0000
access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF
interface lex 0
 lex input-address-list 710

The first line of this access list permits traffic from any Macintosh whose MAC address starts with 0800.0298. The remaining two octets in the MAC address can be any value because the mask for these octets is FFFF ("don't care" bits).

The second line specifically rejects all traffic originating from a Macintosh with the MAC address of 0800.0276.2917. Note that none of the mask bits are "don't care" bits.

The third line specifically permits all traffic from other Macintoshes whose MAC addresses start with 0800. Note that in the mask, the "don't care" bits are the rest of the address.

At the end of the list is an implicit "deny everything" entry, meaning that any address that does not match an address or address group on the list is rejected.
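The wildcard-mask semantics described in this excerpt (a mask bit of 1 is a "don't care" bit, first match wins, implicit deny at the end) can be checked offline. The following is an added example, not code from the thread or from Cisco: it parses 700-799 style lines and evaluates a source MAC against them. The sample lists are constructed here; the second one is the "deny one MAC, permit everything else" shape the question asks for.

```python
import re

# Added example (not from the thread or Cisco docs): a model of how a Cisco
# 700-799 48-bit MAC access list is evaluated. Assumed semantics, per the
# excerpt above: mask bit 1 = "don't care", entries checked in order,
# first match decides, unmatched addresses hit the implicit deny.

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit field


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (e.g. 0800.0298.0000) into a 48-bit int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_acl(lines):
    """Turn 'access-list N permit|deny ADDR MASK' lines into (action, addr, mask)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            raise ValueError(f"unrecognised line: {line!r}")
        if not 700 <= int(parts[1]) <= 799:
            raise ValueError(f"not a 48-bit MAC access list: {parts[1]}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action!r}")
        entries.append((action, mac_to_int(parts[3]), mac_to_int(parts[4])))
    return entries


def evaluate(entries, mac: str) -> str:
    """Return 'permit' or 'deny' for a source MAC; first matching entry wins."""
    addr = mac_to_int(mac)
    for action, entry, mask in entries:
        care = ~mask & MAC_BITS  # bits that must match (mask bit 0)
        if addr & care == entry & care:
            return action
    return "deny"  # implicit "deny everything" at the end of the list


# Constructed samples: the doc excerpt's list 710 and the list the question wants.
ACL_710 = parse_acl([
    "access-list 710 permit 0800.0298.0000 0000.0000.FFFF",
    "access-list 710 deny 0800.0276.2917 0000.0000.0000",
    "access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF",
])
ACL_700 = parse_acl([
    "access-list 700 deny 0090.aabb.0101 0000.0000.0000",
    "access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF",
])
```

Note that this only models the list itself; as later replies in the thread point out, whether the router applies such a list to plain routed Ethernet traffic is a separate question.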

alavan (Author) Commented:
O.K., I tried adding a

access-list 700 permit any

after denying the MAC and it didn't like the "any" part. How do I finish off this access list so that all other MAC addresses are allowed?
You can't use the "any" keyword in a mac address access list and I believe that this should work.

access-list 700 permit FF.FF.FF.FF.FF.FF

The FF means that it doesn't care what the MAC address is.
alavan (Author) Commented:
O.K., it took that. Now, considering that I want to apply this to FastEthernet0, what's the command to apply the list to the interface? It's not the same as a basic access-list.

Dear alavan,

The MAC access-lists are generally for use with IBM protocols.  They won't work on general layer-2 protocols as you wish them to.  They are for things like DLSw and RSRB.

Remember this:  layer-2 addresses are not passed through layer-3 hops.  So for filtering purposes, there is little value in a layer-2 address filter, as most devices one would wish to filter are going to contain the layer-2 address of the upstream router, making them all look the same from a layer-2 perspective.

In IBM protocols, however, the layer-2 address is maintained (since these protocols are normally non-routable layer-2 protocols!) and then encapsulated for RSRB and DLSw.  Cisco devices can examine the address within the encapsulation and filter accordingly with a 700-level MAC access-list.

For Apple, you can use the Appletalk access-list numbers from 600 to 699 and filter by cable range, zone, etc.

alavan (Author) Commented:

Thank you so much for the helpful comments. Is it then not at all possible to block access to the WAN if all I've got is a MAC address? I can't do it by IP because the user keeps changing their IP within our subnet.

Any helpful comments would be appreciated.

MAC addresses can be changed on many NICs now also, so filtering by MAC address doesn't really solve the core problem.  In my opinion, what you really need to do is get control of the PCs on your network.  

Here are a couple of ideas off the top of my head that you may want to look into:
* Restrict the users' permissions on the client machines so they cannot change the IP address.
* If you use DHCP, then use reservations.  This way the client always gets the same address.
* Implement a proxy or content server that requires users to authenticate before they can access the Internet (e.g. Websense, SurfControl or Microsoft Proxy).

I'm sure there are lots of other things you could try too.  Maybe after I get some sleep (I've been up for 37 hours now), I can come up with some more.

Hope it helps.  Good luck!
Hi Alavan,

Find below the commands to create and apply a standard access-list for 48-bit MAC addresses.

access-list 700 deny 0800.2000.0000  0000.00FF.FFFF
access-list 700 permit 0000.0000.0000  FFFF.FFFF.FFFF

interface ethernet 1
bridge-group 1 input-address-list 700

If you want to restrict output traffic, you can use the output-address-list on the bridge-group command.

Hope this will help you. Good luck!

alavan (Author) Commented:

I was optimistic, but it didn't work. The access-list goes in fine and it appears that the interface accepts the command, but it doesn't show in the config after it's applied to the interface and I could still ping this guy.

Any other ideas?
alavan (Author) Commented:
Yes, unfortunately, there are always several IP's available to steal. On other networks we have managed switches so I can track thieves by their MAC.

On this property, however, there are only dumb hubs between all the users and the router.

So, as long as it's really not possible to filter by MAC addresses on the router, I'll close the ticket.

Thank you for the points, alavan. Again, until those several available IP addresses are used, you may wish to block them with extended access-lists on the router; then even if stolen they can't be used. Again, thank you and good luck, worker