Mac-address ACL question

Answered Question
Jan 5th, 2009

I have branch routers that will have a video phone attached.

I want to only allow the mac-address of the phone inbound on the router ethernet interface.

The phone can communicate with unknown devices.

If I wanted to create this access list and allow my mac-address to communicate with "any" mac address, could I do it this way:

access-list 701 permit 123a.456b.789c ffff.ffff.ffff

And apply the acl inbound on the ethernet interface?

There is nothing else on the ethernet interface, only this phone.

UPDATE:

The router will not let me apply the layer 2 acl to the router interface.

Giuseppe Larosa Mon, 01/05/2009 - 09:50

Hello Richard,

1) what is your platform and IOS

2) not sure the logic of mac based acl is that

Router(config)#access-list 701 permit ?

H.H.H 48-bit hardware address

Router(config)#access-list 701 permit 0001.bbcc.ddee ?

H.H.H 48-bit hardware address mask

Router(config)#access-list 701 permit 0001.bbcc.ddee 0000.0000.0000 ?

the second is a mask and the acl works on source only

this is a C3640 with quite old code c3640-js-mz.122-27.bin

Hope to help

Giuseppe
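Giuseppe's prompts above show the two fields of a 700-series entry, the address and a mask. As an added example (not from this thread, and not Cisco's code), here is a small Python matcher that evaluates such entries assuming the Cisco wildcard semantic for that mask (a set mask bit means the corresponding address bit is ignored), so it shows what a 0000.0000.0000 mask does compared with ffff.ffff.ffff; the MAC values in it are constructed.

```python
# Added illustration (not from the thread): evaluates Cisco 700-series
# (transparent-bridging) MAC access-list entries. Assumption: the second
# value is a wildcard mask in which a set bit means "ignore this address bit",
# so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any address.
import re

_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
ALL_BITS = 0xFFFFFFFFFFFF

def mac_to_int(mac: str) -> int:
    """Parse IOS dotted-hex notation (H.H.H) into a 48-bit integer."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not an H.H.H hardware address: {mac!r}")
    return int(mac.replace(".", ""), 16)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ADDR [MASK]' into (N, action, addr, mask)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an entry line (comments, other config)
        number = int(parts[1])
        if not 700 <= number <= 799:
            raise ValueError(f"{number} is not a MAC (700-799) access list")
        if parts[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action {parts[2]!r}")
        addr = mac_to_int(parts[3])
        mask = mac_to_int(parts[4]) if len(parts) > 4 else 0  # no mask = exact
        entries.append((number, parts[2], addr, mask))
    return entries

def evaluate(entries, acl_number: int, src_mac: str) -> str:
    """First matching entry wins; a frame matching nothing hits the implicit deny."""
    src = mac_to_int(src_mac)
    for number, action, addr, mask in entries:
        if number != acl_number:
            continue
        care = ~mask & ALL_BITS  # bits we actually compare
        if (src & care) == (addr & care):
            return action
    return "deny"

# Constructed sample: the thread's entry next to an exact-match variant.
SAMPLE_ACL = [
    "access-list 701 permit 123a.456b.789c ffff.ffff.ffff",
    "access-list 702 permit 123a.456b.789c 0000.0000.0000",
]
```

Running `evaluate(parse_acl(SAMPLE_ACL), 701, "0000.1111.2222")` returns "permit" under this semantic, while list 702 only permits the exact phone address.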

mikegrous Mon, 01/05/2009 - 10:19

Does this phone have an ip address? Why not just block that?

wilson_1234_2 Mon, 01/05/2009 - 12:45

The idea is that the phone will communicate with potentially all other phones in the network.

I am thinking I can allow this traffic and block all other, but I also want to make sure that no one can disconnect the phone, use the phone IP Address and establish communication on the network.

I realize that someone could steal the mac-address as well, but wanted to filter the layer 2 address also.

This is an 1861 router.

What would be the syntax to apply the access-list 701 to the interface?

Edison Ortiz Mon, 01/05/2009 - 13:11

What would be the syntax to apply the access-list 701 to the interface?

interface fx/x

ip access-group 701 [in|out]

HTH,

__

Edison.

mikegrous Mon, 01/05/2009 - 15:04

The problem is this:

R4(config-if)#ip access-group 700 in

% Invalid access list name.

Even though there is an ACL 700

My test was on:

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)

Jon Marshall Mon, 01/05/2009 - 15:21

Mike

I agree. I think, although happy to admit I could be wrong, that acl range 700-799 are meant to be applied to a bridged interface and not a normal L3 routed interface.

Richard if you can use the IP address as Mike suggested this may be the way to go.

Jon

mikegrous Mon, 01/05/2009 - 16:50

Jon,

I believe you are correct. 700 is for bridging. I did a test, even if you configure bridging to also do routing (hope I'm explaining that correctly) it will still not allow you to put ACL 700 on int BVI1.

R5(config-if)#int bvi1

R5(config-if)#ip access-group 704 in

% Invalid access list name.

R5(config-if)#bridge-group 1 input-address-list 702

BVI1 does not support bridging

This is with the following configured:

interface BVI1

ip address 10.1.1.1 255.255.255.0

interface FastEthernet1/0

no ip address

bridge-group 1

bridge irb

bridge 1 protocol ieee

bridge 1 route ip

10.1.1.1 is pingable from the LAN but acl 700 won't apply.

wilson_1234_2 Tue, 01/06/2009 - 08:18

I am running 12.4(22)T on the 1861 routers and I have found also you cannot apply the ACL 700 series to the interface.

The IP Address of the phone I can block, but someone could still remove the phone (some of them are in outside locations) and use that IP address to get to call manager or anything else the phone can get to.

If I can lock down the mac address of the phone, it will at least be harder to do that.

What about port security on the 8 port switch integrated into the 1861?

According to the documentation, it is supported, but I have been unable to find any documentation on configuring it. It is unlike a normal catalyst switch.

Jon Marshall Tue, 01/06/2009 - 08:21

Richard

What is the part/module number for the 8 port switch ?

Port security would work if supported.

Jon

sachinraja Tue, 01/06/2009 - 10:18

Hello wilson

you can configure port security on a 8 port switch.. you can use the following command to enable mac address based security on the switch:

switchport port-security mac-address mac-address [vlan vlan-id]

eg

switchport port-security mac-address 0000.0200.0004 vlan 3

Doing this, it will allow only the mac address specified in the port to access the port.. This becomes really tough though, but for smaller installations it's fine.. looking at a larger picture, you must think of something like 802.1x with mac address authentication bypass..

refer to the following URL for port security..

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1038501

Hope this helps.. all the best..

Raj

wilson_1234_2 Tue, 01/06/2009 - 12:13

This does not work.

This is the 8 port switch integrated into the 1861 router.

The only options I have are:

ATM(config-if)#switchport ?

access Set access mode characteristics of the interface

mode Set trunking mode of the interface

priority Set 802.1p priorities

protected Configure an interface to be a protected port

trunk Set trunking characteristics of the interface

voice Voice appliance attributes

Correct Answer
sachinraja Tue, 01/06/2009 - 12:45

hey wilson

sorry.. didn't notice it was HWIC-ESW module. I was referring to a normal switch...

For 8 port switch module, the following example shows port security being configured in the MAC address table.

Router(config)# mac-address-table secure 0000.1111.2222 fa0/1/2 vlan 3

Doing this, ONLY the mac address 0000.1111.2222 will be able to access through FA0/1/2

You can have a look at other configurations possible for a switch port module, from the URL below:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048242

if you need advanced security parameters, you can look at 802.1x, protected ports etc..

Hope this helps.. all the best..

Raj
