Cisco IOS restrict access by mac address - URGENT!!

How do I construct an access-list to restrict outbound traffic through a 1700 router based on the MAC address?

I have users in multi-unit dwellings sharing an internet connection.  I have set a dhcp lease reservation for my problem user but he seems to have set his IP static.  His connection spews hundreds (thousands) of nat translations, which kills my router.

I can't find anything on this - maybe it's not possible.

HELP
snowdog_2112 asked:

Don Johnston (Instructor) commented:
It would appear that your IOS feature set doesn't support MAC ACL's. You'll  most likely need the enterprise services feature set.

memitim commented:
"deny any host <insert MAC addy here>"

snowdog_2112 (Author) commented:
An extended acl uses ip addresses, not MAC addresses.  I'm looking to do something similar to the MAC address filtering you can do on the Cisco wireless access points where you can restrict association based on MAC address.

I already have an access-list on the interface for IP filtering.

Can you be more specific in your example, including access-list name/number, and how to apply that to an interface?

Don Johnston (Instructor) commented:
Use a 700-799 access-list.

snowdog_2112 (Author) commented:
Ok, I understand that it needs to be a 700 access-list.  Can I apply an extended acl *and* the 700 acl to the same interface?  That is my real question.

ip access-list ext in.eth
  permit tcp any any established
  permit icmp any any
  deny tcp any host 192.168.0.1 eq telnet
  permit ip any any

access-list 701 deny 0015.c785.9999   0000.0000.0000
access-list 701 deny 0015.c785.9999   0000.0000.0000
access-list 701 deny 0016.9c95.9999   0000.0000.0000
access-list 701 permit 0000.0000.0000   ffff.ffff.ffff

int fa0
  ip access-group in.eth in
  ip access-group 701 in

I don't think I can do that.  Please let me know my options.

netnounours commented:
Hi,

If 192.168.0.1 is the router, you may filter the access on the vty lines.

access-list 10 permit 192.168.0.100      ( <---- Authorized PC)
line vty 0 4
 access-class 10 in


snowdog_2112 (Author) commented:
Just so I understand, you're suggesting I restrict telnet to the router using acl's on the vty lines, and that will free up the fa0 for a 700 mac list acl?

Am I on the right track here?

Thanks!

netnounours commented:
If that is what you intended to do with the acl in.eth, yes, I am suggesting an alternative.

Did I guess right and 192.168.0.1 is your router ?

snowdog_2112 (Author) commented:
Yes, sorry.  192.168.0.1 is fa0, s0 is t1 to internet.

Looking at my acl, I am basically restricting telnet access to the router from the inside (the users are unknown, "public" users I have no control over -- spyware-laden, file-sharing, virus-filled computers).

Don Johnston (Instructor) commented:
I've never tried it but since the limitation is "one IP access list per interface, per direction" I'm guessing a MAC ACL and an IP ACL would be acceptable.

snowdog_2112 (Author) commented:
No go.  Can't apply the access-group to the interface directly, nor can you specify the IP access-list as inbound and the MAC access-list as outbound.  Can't choose a 700-799 list.

(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Any other thoughts on how to accomplish this?
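Since the thread ends with the MAC ACL not being applicable through `ip access-group`, here is a constructed IOS configuration (added here, not posted by anyone in the thread) that combines the two things the page does support: the vty `access-class` filter netnounours proposed, which lets the interface ACL drop its telnet rule, and a per-host cap on NAT translations that targets the symptom snowdog_2112 actually reported (one host flooding the translation table). The admin address 192.168.0.100 is taken from the thread; the offender's address 192.168.0.50 and the numeric limits are assumptions, and `ip nat translation max-entries` is assumed to exist on this router's IOS release (confirm with `ip nat translation max-entries ?` in config mode before relying on it).

```cisco
! Constructed example: vty filtering plus NAT translation limits.
! 192.168.0.100 = admin PC (from the thread). 192.168.0.50 = assumed
! address the problem host set statically. Limits are assumed values.

! 1. Restrict management access on the vty lines instead of in the
!    interface ACL. "deny any log" records rejected attempts from the LAN.
access-list 10 remark admin workstation only
access-list 10 permit host 192.168.0.100
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0

! 2. The interface ACL from the thread, minus the telnet rule that the
!    vty access-class now handles.
ip access-list extended in.eth
 permit tcp any any established
 permit icmp any any
 permit ip any any
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group in.eth in

! 3. Cap translations per inside host so a single machine cannot exhaust
!    the NAT table (assumed command availability; limits are assumed).
!    all-host applies the cap to every inside address; the host form
!    tightens it further for the known offender.
ip nat translation max-entries all-host 200
ip nat translation max-entries host 192.168.0.50 50
!
! Age out idle translations faster so the offender's entries are reclaimed.
ip nat translation timeout 300
ip nat translation udp-timeout 120
ip nat translation tcp-timeout 3600
```

To check the effect, `show ip nat statistics` reports the total translation count, `show ip nat translations | include 192.168.0.50` shows how many entries the capped host currently holds, and `show access-lists 10` shows the hit counter on the vty deny line. The cap does not identify the host by MAC, but it bounds the damage any one inside address can do to the router regardless of which IP it chooses.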