Solved

Cisco access-list 700-799

Posted on 2002-07-08
Last Modified: 2010-08-05
If I wanted to block one or two MAC addresses on the LAN (even though they have a valid IP), what's the syntax? For example, let's say the MAC address is 0090.aabb.0101. What's the syntax to prevent this MAC from getting out?
Question by:alavan
12 Comments

Expert Comment

by:mikecr
ID: 7138244
Here is an excerpt from a Cisco doc which gives you an example.

The following is an example that controls which traffic from Macintosh computers on the remote Ethernet LAN reaches the core router:

access-list 710 permit 0800.0298.0000 0000.0000.FFFF
access-list 710 deny 0800.0276.2917 0000.0000.0000
access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF
interface lex 0
 lex input-address-list 710

The first line of this access list permits traffic from any Macintosh whose MAC address starts with 0800.0298. The remaining two octets in the MAC address can be any value because the mask for these octets is FFFF ("don't care" bits).

The second line specifically rejects all traffic originating from a Macintosh with the MAC address of 0800.0276.2917. Note that none of the mask bits are "don't care" bits.

The third line specifically permits all traffic from other Macintoshes whose MAC addresses start with 0800. Note that in the mask, the "don't care" bits are the rest of the address.

At the end of the list is an implicit "deny everything" entry, meaning that any address that does not match an address or address group on the list is rejected.

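The matching rule mikecr's excerpt describes (address plus a "don't care" wildcard mask, entries tried in order, first match wins, implicit deny at the end) is easy to get wrong by hand, so here it is as a small Python evaluator. This is an added example, not code from the thread or from Cisco: the 710 list is copied from the excerpt above, the 700 list is constructed for the MAC in the question, and treating a missing mask as an exact match is this example's own assumption.

```python
"""Evaluate Cisco 700-799 (48-bit MAC) access lists offline.

Semantics implemented: each entry carries an address and a wildcard mask
whose 1 bits are "don't care"; entries are tested in order; the first hit
decides; a list with no hit denies (the implicit deny-everything entry).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

MAC_BITS = 0xFFFFFFFFFFFF  # 48 one-bits


def parse_mac(text: str) -> int:
    """Accept Cisco dotted form (0800.0298.0000) as well as colon/dash forms."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacAce:
    action: str   # "permit" or "deny"
    address: int
    mask: int     # wildcard mask: 1 bits are "don't care"

    def matches(self, mac: int) -> bool:
        care = ~self.mask & MAC_BITS          # bits the entry actually compares
        return (mac & care) == (self.address & care)


def parse_mac_acl(config: str, number: int) -> List[MacAce]:
    """Collect the entries of one numbered list from a config fragment, in order.

    A line without a mask is treated as an exact match (mask 0000.0000.0000).
    That default is this example's assumption, not something taken from the thread.
    """
    aces: List[MacAce] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {line!r}")
        address = parse_mac(parts[3])
        mask = parse_mac(parts[4]) if len(parts) > 4 else 0
        aces.append(MacAce(action, address, mask))
    return aces


def evaluate(aces: List[MacAce], mac_text: str) -> str:
    """Return "permit" or "deny" for a source MAC, first match wins."""
    mac = parse_mac(mac_text)
    for ace in aces:
        if ace.matches(mac):
            return ace.action
    return "deny"  # implicit deny-everything entry at the end of every list


# The list quoted from the Cisco document in the thread.
ACL_710 = """
access-list 710 permit 0800.0298.0000 0000.0000.FFFF
access-list 710 deny 0800.0276.2917 0000.0000.0000
access-list 710 permit 0800.0000.0000 0000.FFFF.FFFF
"""

# Constructed for the question: block one station, allow every other MAC.
ACL_700 = """
access-list 700 deny 0090.aabb.0101 0000.0000.0000
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
"""

if __name__ == "__main__":
    acl710 = parse_mac_acl(ACL_710, 710)
    for mac in ("0800.0298.1234", "0800.0276.2917", "0800.0276.2918", "0090.aabb.0101"):
        print(f"710 {mac}: {evaluate(acl710, mac)}")
    acl700 = parse_mac_acl(ACL_700, 700)
    print(f"700 0090.aabb.0101: {evaluate(acl700, '0090.aabb.0101')}")
    # Order matters: with the permit-everything entry first, the deny never fires.
    print(f"700 reversed: {evaluate(list(reversed(acl700)), '0090.aabb.0101')}")
```

The reversed-list check is the practical point: a permit-everything entry only works as the last line, because the first matching entry decides and everything after it is never consulted.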

Author Comment

by:alavan
ID: 7138286
O.K., I tried adding a

access-list 700 permit any

after denying the MAC and it didn't like the "any" part. How do I finish off this access list so that all other MAC addresses are allowed?

Expert Comment

by:mikecr
ID: 7138454
You can't use the "any" keyword in a MAC address access list, and I believe that this should work.

access-list 700 permit FF.FF.FF.FF.FF.FF

The FF means that it doesn't care what the MAC address is.

Author Comment

by:alavan
ID: 7138513
O.K., it took that. Now, considering that I want to apply this to FastEthernet0, what's the command to apply the list to the interface? It's not the same as a basic access-list.

Thanks.

Expert Comment

by:pharaoh
ID: 7138844
Dear alavan,

The MAC access-lists are generally for use with IBM protocols.  They won't work on general layer-2 protocols as you wish them to.  They are for things like DLSw and RSRB.

Remember this:  layer-2 addresses are not passed through layer-3 hops.  So for filtering purposes, there is little value in a layer-2 address filter, as most devices one would wish to filter are going to contain the layer-2 address of the upstream router, making them all look the same from a layer-2 perspective.

In IBM protocols, however, the layer-2 address is maintained (since these protocols are normally non-routable layer-2 protocols!) and then encapsulated for RSRB and DLSw.  Cisco devices can examine the address within the encapsulation and filter accordingly with a 700-level MAC access-list.

For Apple, you can use the Appletalk access-list numbers from 600 to 699 and filter by cable range, zone, etc.

J.

Author Comment

by:alavan
ID: 7138912
Pharaoh,

Thank you so much for the helpful comments. Is it then not at all possible to block access to the WAN if all I've got is a MAC address? I can't do it by IP because the user keeps changing their IP within our subnet.

Any helpful comments would be appreciated.

Thanks!

Expert Comment

by:mbruner
ID: 7139210
MAC addresses can be changed on many NICs now also, so filtering by MAC address doesn't really solve the core problem.  In my opinion, what you really need to do is get control of the PCs on your network.  

Here are a couple of ideas off the top of my head that you may want to look into:
* Restrict the users' permissions on the client machines to not allow them to change the IP address.
* If you use DHCP, then use reservations.  This way the client always gets the same address.
* Implement a proxy or content server that requires users to authenticate before they can access the Internet (e.g. Websense, SurfControl or Microsoft Proxy).

I'm sure there are lots of other things you could try too.  Maybe after I get some sleep (I've been up for 37 hours now), I can come up with some more.

Hope it helps.  Good luck!

Expert Comment

by:ajvel
ID: 7143765
Hi Alavan,

Find below the commands to create and apply a standard access-list for 48-bit MAC addresses.

access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF

interface ethernet 1
 bridge-group 1 input-address-list 700

If you want to restrict output traffic, you can use the output-address-list on the bridge-group command.

Hope this will help you. Good luck!

Jv.

Author Comment

by:alavan
ID: 7144010
ajvel,

I was optimistic, but it didn't work. The access-list goes in fine and it appears that the interface accepts the command, but it doesn't show in the config after it's applied to the interface and I could still ping this guy.

Any other ideas?

Accepted Solution

by:Chriskohn (earned 100 total points)
ID: 7239313
Hi alavan:

I agree with mbruner's comments above and have reviewed the others as well.

Perhaps an easier way to restrict this individual's outbound access from your LAN via your router would be to tighten up the range of IP addresses available to your LAN hosts. Then you can of course use an extended ip access-control list preventing any individual's ip.

It sounds as though an individual is changing his static ip addressing at will. You could make all LAN hosts static or more strictly limit the dhcp range available. You can achieve this by manipulation of your addressing and subnet mask. If you carefully limit the number of possible addresses available, this could make it impossible for him to change his static ip address without creating a conflict in the LAN and standing out like a sore thumb, thus bringing attention to himself.

This whole problem sounds like an Administrative Policy change on your network is in order. It is, after all, for circumstances such as this that most networks have strict policies on use of ip addresses, allowing only one per host to be available. The reservation of a few extra that can be denied until needed is always possible as well.

Unless, of course, you wish to implement more expensive measures like a proxy server or something, as mbruner points out, your company's administrative policy with regard to networking probably needs looking into.

Good luck, worker

Author Comment

by:alavan
ID: 7239381
Yes, unfortunately, there are always several IPs available to steal. On other networks we have managed switches, so I can track thieves by their MAC.

On this property, however, there are only dumb hubs between all the users and the router.

So, as long as it's really not possible to filter by MAC addresses on the router, I'll close the ticket.

Thanks.

Expert Comment

by:Chriskohn
ID: 7239493
Thank you for the points, alavan. Again, until those several available IP addresses are used, you may wish to block them with extended access-lists on the router; then even if stolen they can't be used. Again, thank you and good luck, worker
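The approach Chriskohn describes in the accepted answer and the follow-up (shrink the subnet so there are few spare addresses, then deny the spare ones with an extended IP access list until they are handed out) is mechanical enough to generate. The Python below is an added example, not from the thread: it finds the tightest prefix for a given host count, lists the addresses in the subnet that nobody has been assigned, and emits the IOS lines. The subnet 192.168.10.0/28, the assigned addresses, list number 101 and the interface name are constructed for the illustration; the router's own address must be counted among the assigned hosts.

```python
"""Generate the extended IP ACL for unassigned LAN addresses.

One deny per spare source address, a permit for the rest of the subnet,
applied inbound on the LAN interface so the frames are dropped before the
router forwards them toward the WAN. This stops a user from grabbing an
unused address; an address already in use can still be hijacked, which
produces the conflict the answer relies on to expose the culprit.
"""
from __future__ import annotations

import ipaddress
from typing import List


def tightest_prefix(host_count: int) -> int:
    """Longest prefix (smallest subnet) whose usable count covers host_count.

    Stops at /30 (two usable addresses); /31 is point-to-point only and skipped.
    """
    if host_count < 1:
        raise ValueError("need at least one host")
    for prefix in range(30, -1, -1):
        usable = 2 ** (32 - prefix) - 2
        if usable >= host_count:
            return prefix
    raise ValueError("host_count does not fit in IPv4")


def spare_addresses(network: str, assigned: List[str]) -> List[ipaddress.IPv4Address]:
    """Usable addresses in the subnet that have not been handed out."""
    net = ipaddress.ip_network(network, strict=True)
    used = {ipaddress.ip_address(a) for a in assigned}
    for addr in used:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    return [h for h in net.hosts() if h not in used]


def build_extended_acl(number: int, network: str, assigned: List[str],
                       interface: str) -> List[str]:
    """IOS config lines: deny each spare address as a source, permit the subnet,
    then the interface stanza applying the list inbound."""
    net = ipaddress.ip_network(network, strict=True)
    lines = [f"access-list {number} deny ip host {addr} any"
             for addr in spare_addresses(network, assigned)]
    lines.append(f"access-list {number} permit ip {net.network_address} {net.hostmask} any")
    lines += ["!", f"interface {interface}", f" ip access-group {number} in"]
    return lines


if __name__ == "__main__":
    # Constructed LAN: router at .1 plus nine stations .2-.10 inside a /28 (14 usable).
    LAN = "192.168.10.0/28"
    ASSIGNED = ["192.168.10.1"] + [f"192.168.10.{i}" for i in range(2, 11)]
    print(f"{len(ASSIGNED)} addresses fit in a /{tightest_prefix(len(ASSIGNED))}")
    print("\n".join(build_extended_acl(101, LAN, ASSIGNED, "FastEthernet0")))
```

When a new host is added, remove its deny line rather than the whole list; the permit for the subnet stays last so that, as with the MAC lists earlier in the thread, the specific denies are matched first.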