How do I configure MAC address filtering on Cisco 1721 router?

Our company has a Cisco 1721 router in which I have set up remote users' IP addresses in the router SDM firewall configuration to pass through to our separate VPN server machine. The problem is my remote users' ISPs change their IP addresses randomly, which causes me to go back to the router and input the new IP so they can get connected. Is there a way to use the MAC ID of my users' machines instead of the IP address? I read somewhere that it can be done using an ACL, but I'm not sure how to go about doing that. Any help is greatly appreciated.
dynamictechinc asked:
Don Johnston (Instructor) commented:
That's not going to help. Layer 2 headers (where MAC addresses are located) are stripped off and recreated every time the packet passes through a router.
dnairns commented:
You could also use a dynamic ACL. It requires the user to be entered into the router, and they would have to telnet to the router each time, but it will automatically update the ACL with the client PC's IP address, permitting access. This may also be a better option, as it is very likely that the packet that reaches your router carries the MAC address of one of the client's ISP's routers. I am not currently aware of any methodology where you can filter traffic by MAC address.
 
The other benefit of using a dynamic ACL is that users are not restricted to their current PC, and it also deletes the access after a finite period of time, closing the potential security hole.
dnairns commented:
The MAC address is stripped every time the packet goes through a router, which it does at each ISP it passes through. The best option is to use a Lock-and-Key Access List (dynamic ACL). Cisco has a very good document on how to do this, and if you are good at scripting, you can write a script file to have their computer telnet in, pass the credentials, and then start an RDP session to the host, automating the entire process.
But to get you started on the router config side of things, you will want to use this guide from Cisco. It is a walkthrough to get the router configured. Note that you need to be using IOS version 11.1 or later.
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/sclock.html
Hope this is helpful. I know it is a little bit more complex and time consuming, but if you get more hosts and they are changing frequently, this will lower your TCO over time.
-D
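The following is an added IOS configuration example illustrating the Lock-and-Key (dynamic ACL) approach described in the answers above; it is not from the thread, the asker's router, or the Cisco document linked. All addresses and names are assumptions: the outside interface is FastEthernet0 with 203.0.113.1, the separate VPN server sits at 192.0.2.10, and the remote user account is "remote1". The thread has users telnet in, which sends the password in cleartext across the Internet; if the 1721's IOS image supports SSH, use `transport input ssh` on the vty lines and permit TCP port 22 instead of telnet in the ACL. Putting `autocommand` on the username rather than on the vty lines keeps the lines usable for normal administrative logins.

```cisco
! Lock-and-key (dynamic ACL) example -- assumed addresses and names, not from the thread.
! Remote user account. "secret" stores a hashed password; avoid "password 0".
username remote1 secret S3cretPassw0rd
! On login, create a dynamic entry for the connecting host's source IP
! and remove it after 10 minutes of inactivity (idle timeout).
username remote1 autocommand access-enable host timeout 10
!
! Extended ACL applied inbound on the outside interface.
! 1) Let anyone reach the router's login port so they can authenticate.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
! 2) Dynamic template: after authentication, the "any" source is replaced
!    by the authenticated host's IP. 120 = absolute timeout in minutes.
!    Narrow "ip" to the VPN protocol's ports (e.g. udp 500/4500, esp)
!    once the VPN type is known.
access-list 101 dynamic vpnusers timeout 120 permit ip any host 192.0.2.10
! Everything else is denied by the implicit deny at the end of the ACL.
!
interface FastEthernet0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
!
line vty 0 4
 login local
 transport input telnet
!
! Verification (exec mode): after remote1 logs in from 198.51.100.7 and
! is disconnected, the dynamic entry appears under the template:
!   show access-lists 101
!   Dynamic vpnusers permit ip any host 192.0.2.10
!     permit ip host 198.51.100.7 host 192.0.2.10 (time left 118)
! To revoke a user early:
!   clear access-template 101 vpnusers host 198.51.100.7 host 192.0.2.10
```

The client-side automation the answer mentions is then just a login to 203.0.113.1 as remote1 followed by the VPN or RDP session; the ACL entry is keyed to whatever public IP the client authenticated from, so it survives ISP address changes as long as the user logs in again after each change.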