asked on
Apply MAC access list on Cisco 806
I want to be able to apply a MAC address access list on an 806 router. I'm using ethernet on the inside and a static IP delivered by ethernet from a frac T1 for the internet interface. The best possible scenario would be to apply it to the E0 (internal) interface so only known clients could get an IP address (using the dhcp server function of the router). Alternatively, it could be applied to E1 (external) interface so only known clients could get out. I created an access list like the following:
access-list 701 permit H.H.H FFFF.FFFF.FFFF
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF
I tried to apply it to the E0 interface with the command:
access-expresssion in smac (701)
Nothing seemed to happen. I also tried the same command with out instead...nothing. Is there another way to enable this access list on the inside? Can it be enabled on the internet interface? Can it be applied at all?
Thanks in advance.
access-list 701 permit H.H.H FFFF.FFFF.FFFF
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF
I tried to apply it to the E0 interface with the command:
access-expresssion in smac (701)
Nothing seemed to happen. I also tried the same command with out instead...nothing. Is there another way to enable this access list on the inside? Can it be enabled on the internet interface? Can it be applied at all?
Thanks in advance.
Routers
Last Comment
fletcherandrew
ASKER
I tried that, but since it's not an IP access list I don't have the option to apply it with the ip access-group command. Any other ideas? As an alternative, is there a way to create a reservation for a certain mac address in the dhcp server on the router?
Thanks.
Thanks.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
The only reason I'm trying is I have a guy in one of those corporate office suite type of environments. The IT folks there can't seem to get him going with our VPN client (it's hard when they don't know a thing about their infrastructure or networking) so I suggested a static IP and an 806. The security services team at my workplace was worried about someone plugging into the router, getting an IP address, and connecting to our internal network. I suggested the switch idea as well, but cost seems to be a pretty large issue.
I looked on Cisco.com for more info about source-bridge routing but couldn't find much. Is source-bridge routing just for FDDI? That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).
I really appreciate your help.
I looked on Cisco.com for more info about source-bridge routing but couldn't find much. Is source-bridge routing just for FDDI? That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).
I really appreciate your help.
ip access-group 701 in
To see if it is being effective:
router#show ip access-list 701
look for the (hits) counters
Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm