Access-list 700

claude1968
Level 1

Hello,

I define an access-list 700 like this:

access-list 700 permit 000e.3543.2c81

to authorize only one computer to a port.

conf t
int Fa0/1
bridge-group 1 input-address-list 700

I want to apply that to port Fa0/1, but I cannot find the right way, because the port never goes into err-disabled if I connect another computer.

I don't know why.

Thank you for your help...

Accepted Solution

Can you supply the access-List commands you used?

The commands should be as follows:

mac access-list extended MAC_Allowed
permit host (MAC Address / 48-bit) any

for example:

permit host 0050.56c0.0001 any
permit host 0019.b960.bbca any

int f0/1
mac access-group MAC_Allowed in

Please Rate if this helps.


8 Replies

jbeltrame
Level 1

Why don't you use port-security, and have the port go down when another MAC is seen? Might be the easier way to go.

I have 3 or 4 MAC addresses to permit and deny all others. So, port-security must have one MAC address...

I have to agree with Jason though... why not implement port-security on the specified port, which in this case is f0/1.

Commands:

switchport mode access
switchport port-security
switchport port-security maximum 4

The default action is to shutdown the interface. You can change this if you type "switchport port-security violation (option)" Options being "protect", "restrict" or "shutdown". Restrict is a nice option if you do not want to shut the interface down but still block unknown addresses. I think this is what you were looking for.

What this will do is learn up to 4 (in my example) then shut the interface down if anything is outside of that list (unless you change the option). For this to effectively work, you would have to configure this on your switchport then plug in each machine (or device) to have the switch learn the MAC addresses.

Please rate if it helps.
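To make the two approaches in this thread concrete, here is an added helper (my own example, not code from the thread or from Cisco) that generates the named extended MAC ACL from the accepted solution and the port-security alternative from the reply above. It assumes the interface name, the ACL name MAC_Allowed and the mixed-notation MAC list are just sample values; it only builds the configuration text, it does not talk to a switch.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def to_cisco_mac(mac: str) -> str:
    """Normalise a MAC in colon, dash or dotted form to Cisco's H.H.H notation."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"

def mac_acl_config(acl_name: str, macs, interface: str) -> list[str]:
    """Named extended MAC ACL (the accepted solution), applied inbound on the port.

    'mac access-group' expects a named MAC ACL: the numbered 'access-list 700'
    from the question gave '% Invalid access list name'. Any station not
    permitted here is dropped by the implicit deny at the end of the list.
    """
    if not acl_name or acl_name.isdigit():
        raise ValueError("use a named MAC ACL, not a numbered one")
    lines = [f"mac access-list extended {acl_name}"]
    seen = set()
    for mac in macs:
        cisco = to_cisco_mac(mac)
        if cisco not in seen:          # skip duplicate entries in any notation
            seen.add(cisco)
            lines.append(f" permit host {cisco} any")
    lines += [f"interface {interface}", f" mac access-group {acl_name} in"]
    return lines

def port_security_config(interface: str, maximum: int, violation: str = "shutdown") -> list[str]:
    """Port-security alternative from the thread: learn up to `maximum` MACs dynamically."""
    if violation not in ("protect", "restrict", "shutdown"):
        raise ValueError(f"unknown violation mode: {violation!r}")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    return [f"interface {interface}", " switchport mode access", " switchport port-security",
            f" switchport port-security maximum {maximum}",
            f" switchport port-security violation {violation}"]

if __name__ == "__main__":
    # Constructed sample input: the MAC from the question plus the two from the
    # answer, deliberately written in mixed notations.
    allowed = ["000e.3543.2c81", "00:50:56:C0:00:01", "00-19-b9-60-bb-ca"]
    print("\n".join(mac_acl_config("MAC_Allowed", allowed, "FastEthernet0/1")))
    print("!")
    print("\n".join(port_security_config("FastEthernet0/1", 4, "restrict")))
```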

Yes, it helps me. But I must have the 4 computers with me. It will be easier for me if I can put the MAC addresses in the config.

And I still don't know how to apply an access-list 700 on a port. I found nothing on the Internet, and I use the command syntax proposed by Cisco, but it doesn't work.

Switch(config-if)#mac access-group 700 in

% Invalid access list name.

Switch(config-if)#

Nobody seems to understand it.


Thank you very much. It's working.

I have the same issue. My ISR4300 does not support port-security on the switch module. I see access-list 700+ as the only option. I need to make it work on an interface.

Geoff629
Level 1

It doesn't seem that my router will support extended access lists past 199, which is why I wound up with that same error.
