Cisco IOS restrict access by mac address - URGENT!!

How do I construct an access-list to restrict outbound traffic through a 1700 router based on the MAC address?

I have users in multi-unit dwellings sharing an internet connection.  I have set a dhcp lease reservation for my problem user but he seems to have set his IP static.  His connection spews hundreds (thousands) of nat translations, which kills my router.

I can't find anything on this - maybe it's not possible.

HELP
snowdog_2112Asked:
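The question says the problem host "spews hundreds (thousands) of nat translations". Before touching ACLs it helps to confirm which inside address is actually flooding the NAT table, since the user has abandoned his DHCP reservation. The script below is an added example, not part of the thread: it tallies the output of `show ip nat translations` per inside-local address and lists the biggest offenders. The sample output is constructed for the example; the five-column layout (Pro, Inside global, Inside local, Outside local, Outside global) is the standard IOS format, and the threshold value is an assumption you would tune to your own router.

```python
"""Count NAT translations per inside host from `show ip nat translations`.

Added example (not from the thread). Given the captured text of
`show ip nat translations`, tally entries per inside-local address so
the host flooding the NAT table can be identified regardless of the
IP it has statically configured. The sample output below is
constructed; the column layout follows the standard IOS format.
"""
import re
from collections import Counter

# Constructed sample output of `show ip nat translations` (not real data).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1025  192.168.0.77:1025  198.51.100.5:80    198.51.100.5:80
tcp 203.0.113.10:1026  192.168.0.77:1026  198.51.100.6:6881  198.51.100.6:6881
udp 203.0.113.10:1027  192.168.0.77:1027  198.51.100.7:6881  198.51.100.7:6881
udp 203.0.113.10:1028  192.168.0.77:1028  198.51.100.8:6881  198.51.100.8:6881
tcp 203.0.113.10:1029  192.168.0.100:1029 198.51.100.9:443   198.51.100.9:443
icmp 203.0.113.10:512  192.168.0.100:512  198.51.100.9:512   198.51.100.9:512
--- 203.0.113.11       192.168.0.50       ---                ---
"""

# Five whitespace-separated columns. The protocol column is a word, or
# "---" for a static translation; the port suffix on addresses is optional.
_LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def inside_local_ip(field: str) -> str:
    """Strip the ':port' suffix from an 'ip:port' field, if present."""
    return field.split(":", 1)[0]


def count_translations(output: str) -> Counter:
    """Map each inside-local IP to its number of active translations."""
    counts = Counter()
    for line in output.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue  # skip blank lines and the column header
        m = _LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: ignore rather than guess
        counts[inside_local_ip(m.group("il"))] += 1
    return counts


def top_talkers(output: str, threshold: int = 1) -> list:
    """Inside hosts at or above the threshold, largest count first."""
    counts = count_translations(output)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # A threshold of 2 is only for the tiny sample; on a real router you
    # would set it to whatever is abnormal for one household.
    for ip, n in top_talkers(SAMPLE_OUTPUT, threshold=2):
        print(f"{ip:16} {n} translations")
```

Feed it the saved output of `show ip nat translations` and the address that dominates the list is the one to act on; the MAC behind it can then be read from `show ip arp` on the router.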

memitimCommented:
"deny any host <insert MAC addy here>"
0
snowdog_2112Author Commented:
An extended acl uses ip addresses, not MAC addresses.  I'm looking to do something similar to the MAC address filtering you can do on the Cisco wireless access points where you can restrict association based on MAC address.

I already have an access-list on the interface for IP filtering.

Can you be more specific in your example, including access-list name/number, and how to apply that to an interface?
0
Don JohnstonInstructorCommented:
Use a 700-799 access-list.
0

snowdog_2112Author Commented:
Ok, I understand that it needs to be a 700 access-list.  Can I apply an extended acl *and* the 700 acl to the same interface?  That is my real question.

ip access-list extended in.eth
  permit tcp any any established
  permit icmp any any
  deny tcp any host 192.168.0.1 eq telnet
  permit ip any any

access-list 701 deny 0015.c785.9999   0000.0000.0000
access-list 701 deny 0016.9c95.9999   0000.0000.0000
access-list 701 permit 0000.0000.0000   ffff.ffff.ffff

int fa0
  ip access-group in.eth in
  ip access-group 701 in

I don't think I can do that.  Please let me know my options.
0
netnounoursCommented:
Hi,

If 192.168.0.1 is the router, you may filter the access on the vty lines.

access-list 10 permit 192.168.0.100      ( <---- Authorized PC)
line vty 0 4
 access-class 10 in


0
snowdog_2112Author Commented:
Just so I understand, you're suggesting I restrict telnet to the router using acl's on the vty lines, and that will free up the fa0 for a 700 mac list acl?

Am I on the right track here?

Thanks!
0
netnounoursCommented:
If that is what you intended to do with the acl in.eth, yes, I am suggesting an alternative.

Did I guess right and 192.168.0.1 is your router ?
0
snowdog_2112Author Commented:
Yes, sorry.  192.168.0.1 is fa0, s0 is t1 to internet.

Looking at my acl, I am basically restricting telnet access to the router from the inside (the users are unknown, "public" users I have no control over -- spyware-laden, file-sharing, virus-filled computers).
0
Don JohnstonInstructorCommented:
I've never tried it, but since the limitation is "one IP access list per interface, per direction", I'm guessing a MAC ACL and an IP ACL would be acceptable.
0
snowdog_2112Author Commented:
No go.  Can't apply the access-group to the interface directly, nor can you specify the IP access-list as inbound and the MAC access-list as outbound.  Can't choose a 700-799 list.

(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Any other thoughts on how to accomplish this?
0
Don JohnstonInstructorCommented:
It would appear that your IOS feature set doesn't support MAC ACLs. You'll most likely need the enterprise services feature set.
0