fletcherandrew

Apply MAC access list on Cisco 806

I want to be able to apply a MAC address access list on an 806 router. I'm using Ethernet on the inside and a static IP delivered by Ethernet from a frac T1 for the internet interface. The best possible scenario would be to apply it to the E0 (internal) interface so only known clients could get an IP address (using the DHCP server function of the router). Alternatively, it could be applied to the E1 (external) interface so only known clients could get out. I created an access list like the following:

access-list 701 permit H.H.H FFFF.FFFF.FFFF
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF

I tried to apply it to the E0 interface with the command:

access-expression in smac (701)

Nothing seemed to happen.  I also tried the same command with out instead...nothing.  Is there another way to enable this access list on the inside?  Can it be enabled on the internet interface?  Can it be applied at all?

Thanks in advance.  
Routers
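
Added example, not part of the original posts: a small Python evaluator for the 700-series list in the question, assuming the IOS rule that 1 bits in a MAC access-list mask are ignored, that the first matching entry wins, and that an implicit deny ends the list. The MAC addresses are constructed stand-ins for the H.H.H placeholder; with the FFFF.FFFF.FFFF mask as posted the permit line matches every source address, while a 0000.0000.0000 mask matches exactly one station.

```python
# Added example: evaluate Cisco 700-series (48-bit MAC) access lists offline.
# Assumption: mask bits set to 1 are "don't care" bits, first match wins,
# and an implicit deny follows the last entry.
FULL = (1 << 48) - 1

def mac_to_int(mac):
    """Parse Cisco dotted-triplet notation (0011.2233.4455) to a 48-bit int."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def parse_acl(text):
    """Return [(action, address, mask)] from 'access-list 7xx ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "access-list":
            raise ValueError(f"unrecognised line: {line!r}")
        _, number, action, address, mask = fields
        if not 700 <= int(number) <= 799 or action not in ("permit", "deny"):
            raise ValueError(f"not a 700-series permit/deny entry: {line!r}")
        entries.append((action, mac_to_int(address), mac_to_int(mask)))
    return entries

def evaluate(entries, source_mac):
    """Return 'permit' or 'deny' for one source MAC address."""
    src = mac_to_int(source_mac)
    for action, address, mask in entries:
        care = ~mask & FULL  # only bits that are 0 in the mask are compared
        if (src & care) == (address & care):
            return action
    return "deny"

# Constructed sample data: KNOWN stands in for the H.H.H placeholder.
KNOWN, UNKNOWN = "0011.2233.4455", "00aa.bbcc.ddee"
AS_POSTED = """
access-list 701 permit 0011.2233.4455 FFFF.FFFF.FFFF
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF
"""
EXACT_MATCH = """
access-list 701 permit 0011.2233.4455 0000.0000.0000
access-list 701 deny 0000.0000.0000 FFFF.FFFF.FFFF
"""

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("exact match", EXACT_MATCH)):
        for mac in (KNOWN, UNKNOWN):
            print(f"{name:12} {mac} -> {evaluate(parse_acl(acl), mac)}")
```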


8/22/2022 - Mon
Les Moore

Apply it to the interface with this command:

ip access-group 701 in

To see if it is being effective:
router#show ip access-list 701

Look for the (hits) counters.

Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm
fletcherandrew

ASKER
I tried that, but since it's not an IP access list I don't have the option to apply it with the ip access-group command. Any other ideas? As an alternative, is there a way to create a reservation for a certain MAC address in the DHCP server on the router?

Thanks.
ASKER CERTIFIED SOLUTION
Les Moore

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
fletcherandrew

ASKER
The only reason I'm trying is I have a guy in one of those corporate office suite type of environments.  The IT folks there can't seem to get him going with our VPN client (it's hard when they don't know a thing about their infrastructure or networking) so I suggested a static IP and an 806.  The security services team at my workplace was worried about someone plugging into the router, getting an IP address, and connecting to our internal network.  I suggested the switch idea as well, but cost seems to be a pretty large issue.  

I looked on Cisco.com for more info about source-bridge routing but couldn't find much.  Is source-bridge routing just for FDDI?  That seems to be the only way to even have the option to apply the 701 access list (the access-expression command).  

I really appreciate your help.