MAC based ACL on 2611

 
 
Gordon Montgomery
 
      12-22-2003
Is it possible to do MAC-based filtering on a 2611 running
12.2(1) ?

Thanks for any help.


Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 
 
 
 
 
Walter Roberson
 
      12-22-2003
In article <(E-Mail Removed)>,
Gordon Montgomery <(E-Mail Removed)> wrote:
:Is it possible to do MAC-based filtering on a 2611 running
:12.2(1) ?

Only in bridging mode as far as I recall.

Generally speaking, the Cisco routers only allow MAC filtering on ports
configured as bridges. The only Cisco systems that I have found so far
that allow further refinement are the Cat2960/ Cat3550/ Cat3750
"multilayer switches", which allow you (if I recall correctly) to apply
IP and MAC filters at the switchport level. The Cat3550 and Cat3750
also allow routing between VLANs with IP-level ACLs only permitted at
the VLAN level.

I have formed the impression that this filtering refinement is related
to 802.11x, which has to do with port-level authentication via
RADIUS server (and also allows for port-level mobility -- e.g.,
useful in moving between wireless Access Points.) If I am correct
in my impression, then improved MAC-level filtering might migrate
onto other devices relatively soon... but not necessarily the 2611.
--
I predict that you will not trust this prediction.
 
 
 
 
 
Gordon Montgomery
 
      12-23-2003
In article <bs7goo$d62$(E-Mail Removed)>, (E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote:
>In article <(E-Mail Removed)>,
>Gordon Montgomery <(E-Mail Removed)> wrote:
>:Is it possible to do MAC-based filtering on a 2611 running
>:12.2(1) ?
>
>Only in bridging mode as far as I recall.
>
>Generally speaking, the Cisco routers only allow MAC filtering on ports
>configured as bridges. The only Cisco systems that I have found so far
>that allow further refinement are the Cat2960/ Cat3550/ Cat3750
>"multilayer switches", which allow you (if I recall correctly) to apply
>IP and MAC filters at the switchport level. The Cat3550 and Cat3750
>also allow routing between VLANs with IP-level ACLs only permitted at
>the VLAN level.
>
>I have formed the impression that this filtering refinement is related
>to 802.11x, which has to do with port-level authentication via
>RADIUS server (and also allows for port-level mobility -- e.g.,
>useful in moving between wireless Access Points.) If I am correct
>in my impression, then improved MAC-level filtering might migrate
>onto other devices relatively soon... but not necessarily the 2611.


Well, not what I wanted to hear, but I suspected as much.
Thanks.

Gordon
 
 
Hansang Bae
 
      12-23-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> Is it possible to do MAC-based filtering on a 2611 running
> 12.2(1) ?


Yes....but (there's always a but....) only if you are bridging. MAC
based ACLs do not work if you are routing. Perhaps there's another
solution if you state the problem.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
 
 
Gordon Montgomery
 
      12-23-2003
In article <(E-Mail Removed)>, Hansang Bae <(E-Mail Removed)> wrote:
>In article <(E-Mail Removed)>, (E-Mail Removed) says...
>> Is it possible to do MAC-based filtering on a 2611 running
>> 12.2(1) ?

>
>Yes....but (there's always a but....) only if you are bridging. MAC
>based ACLs do not work if you are routing. Perhaps there's another
>solution if you state the problem.
>
>


I am sure that there is another solution.. I am just not educated enough to
implement it.

Basically, I have a network that lets just about anything out, but not much
in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
block just one user from exiting our network, however he has legitimate needs
to access the internal network. I was just using an ACL to block his IP,
which worked for over a year, but he has learned to change his own IP. I
suppose I could acquire a small SOHO router and use NAT on the side his
machine is connected to, and block the _public_ ip of the router on the border
router. Does that make sense and would it work? My other problem is that I
have no budget for this, so any ideas using spare PC parts would help.

Thanks.

Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 
 
Walter Roberson
 
      12-24-2003
In article <(E-Mail Removed)>,
Gordon Montgomery <(E-Mail Removed)> wrote:
:I am sure that there is another solution.. I am just not educated enough to
:implement it.

:Basically, I have a network that lets just about anything out, but not much
:in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
:block just one user from exiting our network, however he has legitimate needs
:to access the internal network. I was just using an ACL to block his IP,
:which worked for over a year, but he has learned to change his own IP.

1) Write a formal memo announcing that it is not acceptable for users
to change their IP addresses without authorization from the support
staff.

2) Include specific and progressive penalties in the formal memo.

3) Offer user a choice of written acknowledgement of the policy
or of quitting.

4) Monitor.

5) If user transgresses policy, apply penalty phase of policy.

6) If you haven't fired user yet (or barred them from using
all computer equipment), go back to monitoring phase. Repeat
until user stops changing IP address or user is gone.

:I suppose I could acquire a small SOHO router and use NAT on the side his
:machine is connected to, and block the _public_ ip of the router on the border
:router. Does that make sense and would it work?

You could also block all IP addresses not known to be authorized
to go out.

In my opinion, though, your technology in this case should be
concentrated on detection, not on prevention. Prevention is
a social/policy problem.
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth
 
 
Hansang Bae
 
      12-24-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> I am sure that there is another solution.. I am just not educated enough to
> implement it.
> Basically, I have a network that lets just about anything out, but not much
> in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
> block just one user from exiting our network, however he has legitimate needs
> to access the internal network. I was just using an ACL to block his IP,
> which worked for over a year, but he has learned to change his own IP. I
> suppose I could acquire a small SOHO router and use NAT on the side his
> machine is connected to, and block the _public_ ip of the router on the border
> router. Does that make sense and would it work? My other problem is that I
> have no budget for this, so any ideas using spare PC parts would help.


You could do one of two things. Explicit block all "unused" IP
addresses. This would be an easy thing to do.

Or you can use a spare machine and load it up with unused IPs. When the
other user fires up his/her PC, it'll throw up a duplicate IP message.

MAC acl won't work since it's trivial to change the MAC address as well.
And you really don't want the hassle of using port-based security.

Finally, warn the user about your A.U.P.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
 
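The two suggestions made in this thread, Hansang's "explicitly block all unused IP addresses" and Walter's "concentrate on detection, not prevention", worked through as an added Python example that is not part of the thread and is not Cisco's or any poster's code. The inventory of authorised hosts, the `show ip arp` snapshot and the interface name `Ethernet0/0` are all constructed for illustration; the IOS lines it renders use the standard named extended ACL syntax (`ip access-list extended`, `permit ip host ... any`, `deny ip any any log`, `ip access-group ... out`). The script renders an allow-list egress ACL from the inventory, then parses an ARP snapshot and reports any inventoried card that has moved to another address, any inventoried address claimed by a different card, and any address/card pair that is not in the inventory at all.

```python
"""Added example (not from the thread): egress allow-list ACL plus ARP-table audit.

The inventory, the ARP snapshot and the uplink interface name are constructed
for illustration; the rendered IOS syntax is the standard named extended ACL form.
"""
import ipaddress
import re

# Constructed inventory: hosts authorised to leave the network, keyed by IP,
# with the hardware address each is expected to use.
AUTHORIZED_HOSTS = {
    "192.168.10.10": "0011.2233.4455",
    "192.168.10.11": "0011.2233.4466",
    "192.168.10.12": "0011.2233.4477",
}
LAN = ipaddress.ip_network("192.168.10.0/24")
UPLINK_INTERFACE = "Ethernet0/0"  # hypothetical outside interface of the border router

# Constructed 'show ip arp' snapshot: the card inventoried at .12 now answers
# at .50, and an unlisted card has appeared at .60. The '-' age entry is the
# router's own address.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.0001  ARPA   Ethernet0/1
Internet  192.168.10.10           5   0011.2233.4455  ARPA   Ethernet0/1
Internet  192.168.10.11          12   0011.2233.4466  ARPA   Ethernet0/1
Internet  192.168.10.50           0   0011.2233.4477  ARPA   Ethernet0/1
Internet  192.168.10.60           3   aabb.ccdd.eeff  ARPA   Ethernet0/1
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)$"
)


def render_egress_acl(hosts, name="EGRESS-ALLOW", interface=UPLINK_INTERFACE):
    """Render IOS config: a named extended ACL that permits only inventoried
    hosts, a logged deny for everything else, applied outbound on the uplink.
    A user who picks an unlisted address is never permitted, and each blocked
    attempt produces a syslog record."""
    lines = [f"ip access-list extended {name}"]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        lines.append(f" permit ip host {ip} any")
    lines.append(" deny ip any any log")
    lines.append(f"interface {interface}")
    lines.append(f" ip access-group {name} out")
    return "\n".join(lines)


def parse_arp_table(text):
    """Parse 'show ip arp' output into {ip: mac}. Entries whose Age column is
    '-' are the router's own interface addresses and are skipped."""
    table = {}
    for raw in text.splitlines():
        m = ARP_LINE.match(raw.strip())
        if m and m.group("age") != "-":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def audit_arp(arp, authorized=AUTHORIZED_HOSTS, lan=LAN):
    """Compare an ARP snapshot against the inventory. Returns a list of tuples:
       ("moved", mac, expected_ip, seen_ip)   inventoried card at a new address
       ("reused", ip, expected_mac, seen_mac) inventoried address claimed by another card
       ("unknown", ip, mac)                   address and card absent from the inventory"""
    expected_ip_for = {mac.lower(): ip for ip, mac in authorized.items()}
    findings = []
    for ip, mac in sorted(arp.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in lan:
            continue
        expected_mac = authorized.get(ip, "").lower()
        if expected_mac == mac:
            continue  # matches the inventory exactly
        if mac in expected_ip_for:
            findings.append(("moved", mac, expected_ip_for[mac], ip))
        elif expected_mac:
            findings.append(("reused", ip, expected_mac, mac))
        else:
            findings.append(("unknown", ip, mac))
    return findings


if __name__ == "__main__":
    print(render_egress_acl(AUTHORIZED_HOSTS))
    for finding in audit_arp(parse_arp_table(SAMPLE_ARP)):
        print(finding)
```

On the constructed snapshot the audit reports one "moved" finding for the card inventoried at .12 and one "unknown" finding for .60. As Hansang notes, a user who changes the hardware address along with the IP is trivial to arrange; that host then shows up as "unknown" rather than "moved", but the allow-list still denies it outbound because the new address is not in the permit entries, and the `log` keyword on the final deny records the attempt.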
 
Gordon Montgomery
 
      12-26-2003
Thanks for all the good suggestions. I'll be implementing a few of them soon.


Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 