MAC based ACL on 2611

Discussion in 'Cisco' started by Gordon Montgomery, Dec 22, 2003.

  1. Is it possible to do MAC-based filtering on a 2611 running
    12.2(1) ?

    Thanks for any help.


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
    Gordon Montgomery, Dec 22, 2003
    #1

  2. In article <>,
    Gordon Montgomery <> wrote:
    :Is it possible to do MAC-based filtering on a 2611 running
    :12.2(1) ?

    Only in bridging mode as far as I recall.

    Generally speaking, the Cisco routers only allow MAC filtering on ports
    configured as bridges. The only Cisco systems that I have found so far
    that allow further refinement are the Cat2960/ Cat3550/ Cat3750
    "multilayer switches", which allow you (if I recall correctly) to apply
    IP and MAC filters at the switchport level. The Cat3550 and Cat3750
    also allow routing between VLANs with IP-level ACLs only permitted at
    the VLAN level.

    I have formed the impression that this filtering refinement is related
    to 802.11x, which has to do with port-level authentication via
    RADIUS server (and also allows for port-level mobility -- e.g.,
    useful in moving between wireless Access Points.) If I am correct
    in my impression, then improved MAC-level filtering might migrate
    onto other devices relatively soon... but not necessarily the 2611.
    --
    I predict that you will not trust this prediction.
    Walter Roberson, Dec 22, 2003
    #2

  3. In article <bs7goo$d62$>, -cnrc.gc.ca (Walter Roberson) wrote:
    >In article <>,
    >Gordon Montgomery <> wrote:
    >:Is it possible to do MAC-based filtering on a 2611 running
    >:12.2(1) ?
    >
    >Only in bridging mode as far as I recall.
    >
    >Generally speaking, the Cisco routers only allow MAC filtering on ports
    >configured as bridges. The only Cisco systems that I have found so far
    >that allow further refinement are the Cat2960/ Cat3550/ Cat3750
    >"multilayer switches", which allow you (if I recall correctly) to apply
    >IP and MAC filters at the switchport level. The Cat3550 and Cat3750
    >also allow routing between VLANs with IP-level ACLs only permitted at
    >the VLAN level.
    >
    >I have formed the impression that this filtering refinement is related
    >to 802.11x, which has to do with port-level authentication via
    >RADIUS server (and also allows for port-level mobility -- e.g.,
    >useful in moving between wireless Access Points.) If I am correct
    >in my impression, then improved MAC-level filtering might migrate
    >onto other devices relatively soon... but not necessarily the 2611.


    Well, not what I wanted to hear, but I suspected as much.
    Thanks.

    Gordon
    Gordon Montgomery, Dec 23, 2003
    #3
  4. In article <>, says...
    > Is it possible to do MAC-based filtering on a 2611 running
    > 12.2(1) ?


    Yes....but (there's always a but....) only if you are bridging. MAC
    based ACLs do not work if you are routing. Perhaps there's another
    solution if you state the problem.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Dec 23, 2003
    #4
  5. In article <>, Hansang Bae <> wrote:
    >In article <>, says...
    >> Is it possible to do MAC-based filtering on a 2611 running
    >> 12.2(1) ?

    >
    >Yes....but (there's always a but....) only if you are bridging. MAC
    >based ACLs do not work if you are routing. Perhaps there's another
    >solution if you state the problem.
    >
    >


    I am sure that there is another solution.. I am just not educated enough to
    implement it.

    Basically, I have a network that lets just about anything out, but not much
    in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
    block just one user from exiting our network, however he has legitimate needs
    to access the internal network. I was just using an ACL to block his IP,
    which worked for over a year, but he has learned to change his own IP. I
    suppose I could acquire a small SOHO router and use NAT on the side his
    machine is connected to, and block the _public_ ip of the router on the border
    router. Does that make sense and would it work? My other problem is that I
    have no budget for this, so any ideas using spare PC parts would help.

    Thanks.

    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
    Gordon Montgomery, Dec 23, 2003
    #5
  6. In article <>,
    Gordon Montgomery <> wrote:
    :I am sure that there is another solution.. I am just not educated enough to
    :implement it.

    :Basically, I have a network that lets just about anything out, but not much
    :in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
    :block just one user from exiting our network, however he has legitimate needs
    :to access the internal network. I was just using an ACL to block his IP,
    :which worked for over a year, but he has learned to change his own IP.

    1) Write a formal memo announcing that it is not acceptable for users
    to change their IP addresses without authorization from the support
    staff.

    2) Include specific and progressive penalties in the formal memo.

    3) Offer user a choice of written acknowledgement of the policy
    or of quitting.

    4) Monitor.

    5) If user transgresses policy, apply penalty phase of policy.

    6) If you haven't fired user yet (or barred them from using
    all computer equipment), go back to monitoring phase. Repeat
    until user stops changing IP address or user is gone.

    :I suppose I could acquire a small SOHO router and use NAT on the side his
    :machine is connected to, and block the _public_ ip of the router on the border
    :router. Does that make sense and would it work?

    You could also block all IP addresses not known to be authorized
    to go out.

    In my opinion, though, your technology in this case should be
    concentrated on detection, not on prevention. Prevention is
    a social/policy problem.
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
    Walter Roberson, Dec 24, 2003
    #6
  7. In article <>, says...
    > I am sure that there is another solution.. I am just not educated enough to
    > implement it.
    > Basically, I have a network that lets just about anything out, but not much
    > in. I am just using plain ACL's even though I have the IPw/FW IOS. I need to
    > block just one user from exiting our network, however he has legitimate needs
    > to access the internal network. I was just using an ACL to block his IP,
    > which worked for over a year, but he has learned to change his own IP. I
    > suppose I could acquire a small SOHO router and use NAT on the side his
    > machine is connected to, and block the _public_ ip of the router on the border
    > router. Does that make sense and would it work? My other problem is that I
    > have no budget for this, so any ideas using spare PC parts would help.


    You could do one of two things. Explicit block all "unused" IP
    addresses. This would be an easy thing to do.

    Or you can use a spare machine and load it up with unused IPs. When the
    other user fires up his/her PC, it'll throw up a duplicate IP message.

    MAC acl won't work since it's trivial to change the MAC address as well.
    And you really don't want the hassle of using port-based security.

    Finally, warn the user about your A.U.P.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Dec 24, 2003
    #7
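    As an added example (not code from the thread or from any of its posters), the detection-first approach Walter recommends in #6 and the "explicitly block all unused IP addresses" allow-list Hansang describes in #7, in Python: it parses constructed `show ip arp` output, compares it with a hypothetical MAC-to-IP allocation, reports registered hosts that have moved to an IP they were not given and MACs that are not registered at all, and emits the matching allow-list ACL. The ARP rows, the allocation and the ACL number are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `show ip arp` output (not real data): the MAC ending 7c12 was
# assigned .21 but now also answers for .77, and bb01 is not registered at all.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0001.96e8.1a00  ARPA   Ethernet0/0
Internet  192.168.1.20            5   0002.b3a1.7c11  ARPA   Ethernet0/0
Internet  192.168.1.21            2   0002.b3a1.7c12  ARPA   Ethernet0/0
Internet  192.168.1.77            0   0002.b3a1.7c12  ARPA   Ethernet0/0
Internet  192.168.1.200           1   000c.29aa.bb01  ARPA   Ethernet0/0
"""

# Hypothetical allocation kept by support staff: MAC -> the IP it was assigned.
ASSIGNED: Dict[str, str] = {
    "0001.96e8.1a00": "192.168.1.1",
    "0002.b3a1.7c11": "192.168.1.20",
    "0002.b3a1.7c12": "192.168.1.21",
}

# One ARP row: "Internet <ip> <age or -> <hhhh.hhhh.hhhh> ARPA <interface>".
ARP_ROW = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})"
)

def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from `show ip arp` output, skipping the header."""
    return [m.group(1, 2) for m in map(ARP_ROW.match, text.splitlines()) if m]

def audit(pairs, assigned):
    """Compare live ARP pairs with the allocation and return two finding lists:
    moved   - (mac, assigned_ip, seen_ip): a registered host on an IP it was not given
    unknown - (ip, mac): a MAC that is not in the allocation at all
    """
    moved, unknown = [], []
    for ip, mac in pairs:
        if mac not in assigned:
            unknown.append((ip, mac))
        elif assigned[mac] != ip:
            moved.append((mac, assigned[mac], ip))
    return moved, unknown

def allowlist_acl(assigned, number=101):
    """IOS extended ACL permitting only assigned source IPs out; all else denied and logged."""
    ips = sorted(assigned.values(), key=ipaddress.ip_address)
    lines = [f"access-list {number} permit ip host {ip} any" for ip in ips]
    lines.append(f"access-list {number} deny ip any any log")
    return lines
```

    Apply the generated list inbound on the LAN interface (`ip access-group 101 in`) and review the log hits from the final deny to see which addresses are trying to leave.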
  8. Thanks for all the good suggestions. I'll be implementing a few of them soon.


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
    Gordon Montgomery, Dec 26, 2003
    #8
