
Mac-address ACL question

wilson_1234_2
Level 3

I have branch routers that will have a video phone attached.

I want to only allow the mac-address of the phone inbound on the router ethernet interface.

The phone can communicate with unknown devices.

If I wanted to create this access list and allow my mac-address to communicate with "any" mac address, could I do it this way:

access-list 701 permit 123a.456b.789c ffff.ffff.ffff

And apply the ACL inbound on the ethernet interface?

There is nothing else on the ethernet interface, only this phone.

UPDATE:

The router will not let me apply the layer 2 acl to the router interface.

14 Replies

Giuseppe Larosa
Hall of Fame

Hello Richard,

1) What is your platform and IOS?

2) Not sure the logic of MAC-based ACL is that:

Router(config)#access-list 701 permit ?

H.H.H 48-bit hardware address

Router(config)#access-list 701 permit 0001.bbcc.ddee ?

H.H.H 48-bit hardware address mask

Router(config)#access-list 701 permit 0001.bbcc.ddee 0000.0000.0000 ?

the second is a mask and the acl works on source only

this is a C3640 with quite old code c3640-js-mz.122-27.bin

Hope to help

Giuseppe
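The "address mask" prompt shown above is where this thread's confusion starts: in the 700-799 (bridging) MAC ACLs the second field is a don't-care mask, in which a 1 bit means "ignore this bit", so the original post's `ffff.ffff.ffff` would match every source MAC rather than pinning the phone's address, while `0000.0000.0000` (as in the prompt above) requires an exact match. The following Python is an added example, not part of this thread or of Cisco IOS: it implements that match logic for a list of `access-list 7xx permit|deny H.H.H [H.H.H]` lines, evaluates it against source MACs (700-series ACLs test the source address only, as noted above), and rejects malformed H.H.H notation. The ACL lines and MAC addresses used are constructed for the demonstration; the implicit deny at the end of the list mirrors standard Cisco ACL behaviour.

```python
import re
from dataclasses import dataclass
from typing import List

# Cisco "H.H.H" notation: exactly three groups of four hex digits.
_HHH = re.compile(r"^([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})$")
_MAC_BITS = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """Convert H.H.H notation to a 48-bit integer; reject anything malformed
    (for example a five-digit group such as 0000.02000.0004)."""
    m = _HHH.match(text.strip())
    if not m:
        raise ValueError(f"not a valid H.H.H MAC address: {text!r}")
    return int("".join(m.groups()), 16)


@dataclass
class MacAclEntry:
    action: str    # "permit" or "deny"
    address: int   # 48-bit MAC address
    mask: int      # don't-care mask: a 1 bit means "ignore this bit"

    def matches(self, src_mac: int) -> bool:
        # Bits set in the mask are ignored; every other bit must match exactly.
        care = ~self.mask & _MAC_BITS
        return (src_mac & care) == (self.address & care)


def parse_acl_line(line: str) -> MacAclEntry:
    """Parse one 'access-list <700-799> permit|deny H.H.H [H.H.H]' line.
    A missing mask means 0000.0000.0000, i.e. exact match."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a MAC access-list line: {line!r}")
    number = int(parts[1])
    if not 700 <= number <= 799:
        raise ValueError(f"ACL {number} is not in the 700-799 MAC ACL range")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    address = parse_mac(parts[3])
    mask = parse_mac(parts[4]) if len(parts) > 4 else 0
    return MacAclEntry(action, address, mask)


def evaluate(acl: List[MacAclEntry], src_mac: str) -> str:
    """Return the verdict for a frame's source MAC: first matching entry wins,
    and an unmatched frame hits the implicit deny at the end of the list."""
    mac = parse_mac(src_mac)
    for entry in acl:
        if entry.matches(mac):
            return entry.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample: the phone's MAC from the original post, plus an arbitrary intruder MAC.
    phone, intruder = "123a.456b.789c", "dead.beef.0001"

    as_posted = [parse_acl_line("access-list 701 permit 123a.456b.789c ffff.ffff.ffff")]
    exact = [parse_acl_line("access-list 701 permit 123a.456b.789c 0000.0000.0000")]
    # Classic OUI-style entry: only the first 24 bits are significant.
    oui = [parse_acl_line("access-list 702 permit 0000.0c00.0000 0000.00ff.ffff")]

    for name, acl in (("all-ones mask", as_posted), ("all-zeros mask", exact), ("OUI mask", oui)):
        print(f"{name}: phone={evaluate(acl, phone)} intruder={evaluate(acl, intruder)}")
```

Running it shows the all-ones mask permitting both the phone and the intruder, while the all-zeros mask permits only the phone; the OUI example permits any address whose first three octets are 00:00:0c. Note that even the exact-match entry only checks the source address of each frame, so it does nothing against a device that copies the phone's MAC, which is the limitation the thread goes on to discuss.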

mikegrous
Level 3

Does this phone have an ip address? Why not just block that?

The idea is that the phone will communicate with potentially all other phones in the network.

I am thinking I can allow this traffic and block all other, but I also want to make sure that no one can disconnect the phone, use the phone IP address and establish communication on the network.

I realize that someone could steal the MAC address as well, but wanted to filter the layer 2 address also.

This is an 1861 router.

What would be the syntax to apply the access-list 701 to the interface?

Richard

Which IOS are you running on this router ?

Jon

What would be the syntax to apply the access-list 701 to the interface?

interface fx/x

ip access-group 701 [in|out]

HTH,

__

Edison.

The problem is this:

R4(config-if)#ip access-group 700 in

% Invalid access list name.

Even though there is an ACL 700.

My test was on:

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)

Mike

I agree. I think, although happy to admit i could be wrong, that acl range 700-799 are meant to be applied to a bridged interface and not a normal L3 routed interface.

Richard if you can use the IP address as Mike suggested this may be the way to go.

Jon

Jon,

I believe you are correct. 700 is for bridging. I did a test; even if you configure bridging to also do routing (hope I'm explaining that correctly) it will still not allow you to put ACL 700 on int BVI1.

R5(config-if)#int bvi1

R5(config-if)#ip access-group 704 in

% Invalid access list name.

R5(config-if)#bridge-group 1 input-address-list 702

BVI1 does not support bridging

This is with the following configured:

Int BVI1

ip add 10.1.1.1 255.255.255.0

interface FastEthernet1/0

no ip address

bridge-group 1

Bridge irb

bridge 1 protocol ieee

bridge 1 route ip

10.1.1.1 is pingable from the LAN but acl 700 wont apply.

I am running 12.4(22)T on the 1861 routers and I have found also you cannot apply the ACL 700 series to the interface.

The IP address of the phone I can block, but someone could still remove the phone (some of them are in outside locations) and use that IP address to get to Call Manager or anything else the phone can get to.

If I can lock down the mac address of the phone, it will at least be harder to do that.

What about port security on the 8 port switch integrated into the 1861?

According to the documentation, it is supported, but I have been unable to find any documentation on configuring it. It is unlike a normal catalyst switch.

Richard

What is the part/module number for the 8 port switch ?

Port security would work if supported.

Jon

I do not see a part number for the switch itself, but from the docs:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps8321/product_data_sheet0900aecd806c4dce.html

Cisco 1861 Integrated Services Router

Table 1. Platform Features and Benefits

Ethernet Connectivity with QoS

• Port security is provided to limit unauthorized access to the network.

Hello wilson

You can configure port security on an 8 port switch.. you can use the following command to enable MAC address based security on the switch:

switchport port-security mac-address mac-address [vlan vlan-id]

eg

switchport port-security mac-address 0000.0200.0004 vlan 3

Doing this, it will allow only the MAC address specified on the port to access the port.. This becomes really tough though, but for smaller installations it's fine.. looking at a larger picture, you must think of something like 802.1x with MAC address authentication bypass..

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1038501

refer to the following URL for port security..

Hope this helps.. all the best..

RAj

This does not work.

This is the 8 port switch integrated into the 1861 router.

The only options I have are:

ATM(config-if)#switchport ?

access Set access mode characteristics of the interface

mode Set trunking mode of the interface

priority Set 802.1p priorities

protected Configure an interface to be a protected port

trunk Set trunking characteristics of the interface

voice Voice appliance attributes

hey wilson

sorry.. didn't notice it was an HWIC-ESW module. I was referring to a normal switch...

For 8 port switch module, the following example shows port security being configured in the MAC address table.

Router(config)# mac-address-table secure 0000.1111.2222 fa0/1/2 vlan 3

Doing this, ONLY the mac address 0000.1111.2222 will be able to access through FA0/1/2

You can have a look at other configurations possible for a switch port module, from the URL below:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048242

if you need advanced security parameters, you can look at 802.1x, protected ports etc..

Hope this helps.. all the best..

Raj
