Solved

Apply MAC access list on Cisco 806

Posted on 2003-02-19
Last Modified: 2007-12-19
I want to be able to apply a MAC address access list on an 806 router.  I'm using ethernet on the inside and a static IP delivered by ethernet from a frac T1 for the internet interface.  The best possible scenario would be to apply it to the E0 (internal) interface so only known clients could get an IP address (using the dhcp server function of the router).  Alternatively, it could be applied to E1 (external) interface so only known clients could get out.  I created an access list like the following:

access-list 701 permit H.H.H FFFF.FFFF.FFFF
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF

I tried to apply it to the E0 interface with the command:

access-expression in smac (701)

Nothing seemed to happen.  I also tried the same command with out instead...nothing.  Is there another way to enable this access list on the inside?  Can it be enabled on the internet interface?  Can it be applied at all?

Thanks in advance.  
Question by:fletcherandrew
4 Comments
Expert Comment

by:lrmoore
ID: 7988079
apply it to the interface with this command:

ip access-group 701 in

To see if it is being effective:
router#show ip access-list 701

look for the (hits) counters

Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm
Author Comment

by:fletcherandrew
ID: 7993865
I tried that, but since it's not an IP access list I don't have the option to apply it with the ip access-group command.  Any other ideas?  As an alternative, is there a way to create a reservation for a certain mac address in the dhcp server on the router?

Thanks.
Accepted Solution

by:
lrmoore earned 200 total points
ID: 7997161
Doh! Of course...
The dhcp server in the router does not have the facility to reserve leases based on mac addresses..

I have to say that as many networks as I have worked on (I consult for a living), I have never had anyone try to manage access through Mac-address filters. Although I can see the utility of it, and most wireless access-points have the capability to do mac address filtering, I don't know exactly how to do it on a router.

If you're big enough to need to worry about "rogue" users hopping onto your network and getting out to the internet..... well, if someone does get on the inside of your network, letting them out to the Internet is the least of your worries.

If you have a Cisco switch, you can set up several things to do port-level access control, but a router is designed to route IP packets, not block by Mac address.

I'll keep digging, but I don't hold out much hope...


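As an added example (not part of the original thread, and not a configuration either poster supplied) of the "port-level access control" on a Cisco switch that lrmoore mentions above: a Catalyst IOS port-security configuration that admits exactly one known MAC address on an access port and err-disables the port if any other source MAC appears. It assumes a Catalyst switch running IOS with port-security support, not the 806 itself; FastEthernet0/1, VLAN 10 and the MAC address 0001.0203.0405 are placeholder values.

```cisco
! Added example: Catalyst IOS port security on a single access port.
! FastEthernet0/1, VLAN 10 and 0001.0203.0405 are placeholders, not values from the thread.
interface FastEthernet0/1
 description Only the known workstation may use this port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0001.0203.0405
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Optional: recover an err-disabled port automatically after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (exec mode):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
```

With `violation shutdown`, a frame from any other source MAC puts the port into err-disabled state and increments the violation counter shown by `show port-security interface`; without `errdisable recovery`, an operator has to `shutdown` / `no shutdown` the port to clear it. The caveat a security team should keep in mind is that a MAC address is trivially cloned, so this stops someone casually plugging into a spare port, not someone who first reads the permitted address off the legitimate machine.
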
Author Comment

by:fletcherandrew
ID: 7999439
The only reason I'm trying is I have a guy in one of those corporate office suite type of environments.  The IT folks there can't seem to get him going with our VPN client (it's hard when they don't know a thing about their infrastructure or networking) so I suggested a static IP and an 806.  The security services team at my workplace was worried about someone plugging into the router, getting an IP address, and connecting to our internal network.  I suggested the switch idea as well, but cost seems to be a pretty large issue.  

I looked on Cisco.com for more info about source-bridge routing but couldn't find much.  Is source-bridge routing just for FDDI?  That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).  

I really appreciate your help.