I want to be able to apply a MAC address access list on an 806 router. I'm using Ethernet on the inside and a static IP delivered by Ethernet from a frac T1 for the internet interface. The best possible scenario would be to apply it to the E0 (internal) interface so only known clients could get an IP address (using the DHCP server function of the router). Alternatively, it could be applied to the E1 (external) interface so only known clients could get out. I created an access list like the following:
I tried to apply it to the E0 interface with the command:
access-expression in smac (701)
Nothing seemed to happen. I also tried the same command with out instead...nothing. Is there another way to enable this access list on the inside? Can it be enabled on the internet interface? Can it be applied at all?
Thanks in advance.
Last Comment
fletcherandrew
8/22/2022 - Mon
Les Moore
Apply it to the interface with this command:
ip access-group 701 in
To see if it is being effective:
router#show ip access-list 701
I tried that, but since it's not an IP access list I don't have the option to apply it with the ip access-group command. Any other ideas? As an alternative, is there a way to create a reservation for a certain MAC address in the DHCP server on the router?
The only reason I'm trying is I have a guy in one of those corporate office suite type of environments. The IT folks there can't seem to get him going with our VPN client (it's hard when they don't know a thing about their infrastructure or networking) so I suggested a static IP and an 806. The security services team at my workplace was worried about someone plugging into the router, getting an IP address, and connecting to our internal network. I suggested the switch idea as well, but cost seems to be a pretty large issue.
I looked on Cisco.com for more info about source-bridge routing but couldn't find much. Is source-bridge routing just for FDDI? That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).
ip access-group 701 in
To see if it is being effective:
router#show ip access-list 701
Look for the (hits) counters.
Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm