I want to realize the following setup:
- Central Site 871 with Internet Connection and static IP
- Home office 871 with Internet connection and static IP. On that home office router there should be two VLANs: one for the office work and one for the user's private PC. All traffic from the "office" VLAN is put into a VPN to the central site. All traffic on the other interface is NATted and goes straight to the Internet.
To minimize security issues, I tried to configure port security so that the user cannot connect his private PC to the office LAN ports and vice versa. Unfortunately, port security seems not to be supported on the 871 (advanced IP services image).
Now I looked for an alternative... and came across FPM (Flexible Packet Matching).
If I understood correctly, you can classify packets, for example by their source MAC address, and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.
Of course I cannot prevent the user from connecting the work PC together with his private PC (that is then a matter of OS security to keep out viruses, worms, trojans, etc.). But I could/want to restrict Internet access from the work PC via the "normal" Internet connection - the users should not be able to do that (they must use the company's proxy).
I did the following config:
class-map type access-control match-any c2
 match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
 match field ETHER source-mac regex "abcd1234fedc"
!
policy-map type access-control p2
 class c2
  drop
!
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 service-policy type access-control input p2
 service-policy type access-control output p2
As this feature is quite new, I'm not familiar with its syntax.
I also tried to use "string" instead of regex, but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).
As I understood so far, the offset is the value in bits and size is in bytes. Is that correct?
Does anyone have experience with FPM yet, or maybe a hint for me on how to realize the requested setup with the 871 routers?
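To make the offset question concrete, here is an added example (not from the post above and not Cisco code) that parses an Ethernet II header and applies the same "drop if source MAC equals X" decision the FPM class-map is meant to express. The source MAC sits 6 bytes, i.e. 48 bits, after the start of the frame, so the code shows what a 6-byte field read at byte offset 6 versus byte offset 48 actually contains. The MAC abcd1234fedc is the value from the posted config; all frames are constructed test data. A MAC-based filter only identifies the adapter that sent the frame, so it complements, rather than replaces, the proxy enforcement on the central site.

```python
import struct

# Ethernet II header: dst MAC (6 bytes) | src MAC (6 bytes) | EtherType (2 bytes)
ETH_HDR = struct.Struct("!6s6sH")
SRC_MAC_OFFSET_BYTES = 6                        # source MAC begins 6 bytes after l2-start ...
SRC_MAC_OFFSET_BITS = SRC_MAC_OFFSET_BYTES * 8  # ... which is 48 bits, not 48 bytes

# Constructed value taken from the posted class-map; normalised to lowercase hex.
WORK_PC_MAC = "abcd1234fedc"
BLOCKED_SRC_MACS = {WORK_PC_MAC}


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    return {"dst": dst.hex(), "src": src.hex(), "ethertype": ethertype,
            "payload": frame[ETH_HDR.size:]}


def field_at(frame: bytes, offset_bytes: int, size: int) -> str:
    """Mimic 'match start l2-start offset N size M': read M bytes at byte offset N."""
    return frame[offset_bytes:offset_bytes + size].hex()


def fpm_like_action(frame: bytes, blocked: set = BLOCKED_SRC_MACS) -> str:
    """Return 'drop' when the source MAC is in the blocked set, else 'forward'."""
    src = field_at(frame, SRC_MAC_OFFSET_BYTES, 6)
    return "drop" if src in blocked else "forward"


def build_frame(dst_hex: str, src_hex: str, ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 59) -> bytes:
    """Build a constructed test frame (payload is a dummy 60-byte IPv4-looking blob)."""
    return ETH_HDR.pack(bytes.fromhex(dst_hex), bytes.fromhex(src_hex), ethertype) + payload


if __name__ == "__main__":
    f = build_frame("001122334455", WORK_PC_MAC)
    print("src MAC at byte offset 6 :", field_at(f, 6, 6))    # abcd1234fedc
    print("bytes at byte offset 48  :", field_at(f, 48, 6))   # payload bytes, not the MAC
    print("policy decision          :", fpm_like_action(f))   # drop
```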