
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 509

Apply MAC access list on Cisco 806

I want to be able to apply a MAC address access list on an 806 router.  I'm using ethernet on the inside and a static IP delivered by ethernet from a frac T1 for the internet interface.  The best possible scenario would be to apply it to the E0 (internal) interface so only known clients could get an IP address (using the dhcp server function of the router).  Alternatively, it could be applied to E1 (external) interface so only known clients could get out.  I created an access list like the following:

! In a 700-series MAC list, mask bits set to 1 are ignored when matching,
! so 0000.0000.0000 matches only the address H.H.H and FFFF.FFFF.FFFF matches any address
access-list 701 permit H.H.H 0000.0000.0000
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF

I tried to apply it to the E0 interface with the command:

access-expression in smac(701)

Nothing seemed to happen.  I also tried the same command with out instead...nothing.  Is there another way to enable this access list on the inside?  Can it be enabled on the internet interface?  Can it be applied at all?

Thanks in advance.  
1 Solution
apply it to the interface with this command:

ip access-group 701 in

To see if it is being effective:
router#show ip access-list 701

look for the (hits) counters

fletcherandrew (Author) commented:
I tried that, but since it's not an IP access list I don't have the option to apply it with the ip access-group command.  Any other ideas?  As an alternative, is there a way to create a reservation for a certain mac address in the dhcp server on the router?

Doh! Of course...
The DHCP server in the router does not have the facility to reserve leases based on MAC addresses.

I have to say that as many networks as I have worked on (I consult for a living), I have never had anyone try to manage access through Mac-address filters. Although I can see the utility of it, and most wireless access-points have the capability to do mac address filtering, I don't know exactly how to do it on a router.

If you're big enough to need to worry about "rogue" users hopping onto your network and getting out to the Internet... well, if someone does get on the inside of your network, letting them out to the Internet is the least of your worries.

If you have a Cisco switch, you can setup several things to do port-level access control, but a router is designed to route IP packets, not block by Mac address.

I'll keep digging, but I don't hold out much hope...

fletcherandrew (Author) commented:
The only reason I'm trying is I have a guy in one of those corporate office suite type of environments.  The IT folks there can't seem to get him going with our VPN client (it's hard when they don't know a thing about their infrastructure or networking) so I suggested a static IP and an 806.  The security services team at my workplace was worried about someone plugging into the router, getting an IP address, and connecting to our internal network.  I suggested the switch idea as well, but cost seems to be a pretty large issue.  

I looked on Cisco.com for more info about source-bridge routing but couldn't find much.  Is source-bridge routing just for FDDI?  That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).  

I really appreciate your help.
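Editor's added example, not posted by anyone in the thread above. It shows the two IOS mechanisms that bear on the original question (filtering by source MAC on the inside Ethernet port) and on the later DHCP question (pinning a known client to a fixed address): a 700-series MAC access list applied with `bridge-group ... input-address-list`, which needs the interface placed in a bridge group and routed through a BVI (integrated routing and bridging), and a DHCP manual binding pool. It assumes the 806's IOS image includes the bridging/IRB and DHCP server feature set, that Ethernet0 is the inside interface as in the question, and that the input address list is evaluated for frames headed to the BVI as well as for bridged frames; the IP addresses, MAC addresses and pool names are placeholders.

```cisco
! Added example (editor's, not from the original thread). Placeholder
! addresses and names throughout; verify on the actual 806 image.
!
! 1. Standard MAC access list (700-799). A mask bit of 1 means "don't care",
!    so 0000.0000.0000 matches exactly one station and FFFF.FFFF.FFFF matches
!    every station. Known clients first, then an explicit deny-all.
access-list 701 permit 0011.2233.4455 0000.0000.0000
access-list 701 permit 0011.2233.4466 0000.0000.0000
access-list 701 deny   0000.0000.0000 FFFF.FFFF.FFFF
!
! 2. Put the inside port in a bridge group and route IP through the BVI so
!    the router still routes, but frames entering Ethernet0 are checked
!    against list 701 by source MAC before anything else happens to them.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Ethernet0
 description inside LAN (bridged, filtered by source MAC)
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 701
!
interface BVI1
 description routed side of bridge group 1 (inside default gateway)
 ip address 192.168.10.1 255.255.255.0
!
! 3. DHCP: a dynamic pool for the LAN plus a manual binding that ties one
!    known client to a fixed address. client-identifier is the MAC prefixed
!    with 01 (Ethernet), which is what a DHCP client sends; hardware-address
!    <mac> is the alternative form for BOOTP-style clients.
ip dhcp excluded-address 192.168.10.1
ip dhcp pool INSIDE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
ip dhcp pool PC1-RESERVED
 host 192.168.10.10 255.255.255.0
 client-identifier 0100.1122.3344.55
!
! 4. Checks: hit counters on the MAC list, bridge-group state, and bindings.
!    show access-lists 701
!    show bridge 1
!    show ip dhcp binding
```

Two caveats a reviewer of this setup would raise. The manual binding only decides which address a known client receives; it does nothing to stop an unknown machine that configures a static address by hand, which is why the filter at step 2 is the control that actually matters. And a source-MAC filter is a weak control on its own: the MAC of any permitted client can be read off the wire and set on an unknown machine, so it stops accidental connections, not a deliberate one, which matches the answerer's point that port-level control on a switch is the better place for this.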
