01-05-2009 08:52 AM - edited 03-06-2019 03:15 AM
I have branch routers that will have a video phone attached.
I want to only allow the mac-address of the phone inbound on the router ethernet interface.
The phone can communicate with unknown devices.
If I wanted to create this access list and allow my mac-address to communicate with "any" mac address, could I do it this way:
access-list 701 permit 123a.456b.789c ffff.ffff.ffff
And apply the ACL inbound on the ethernet interface?
There is nothing else on the ethernet interface, only this phone.
UPDATE:
The router will not let me apply the layer 2 acl to the router interface.
01-05-2009 09:50 AM
Hello Richard,
1) what is your platform and IOS
2) not sure the logic of MAC-based ACL is that
Router(config)#access-list 701 permit ?
H.H.H 48-bit hardware address
Router(config)#access-list 701 permit 0001.bbcc.ddee ?
H.H.H 48-bit hardware address mask
Router(config)#access-list 701 permit 0001.bbcc.ddee 0000.0000.0000 ?
the second is a mask and the acl works on source only
this is a C3640 with quite old code c3640-js-mz.122-27.bin
Hope to help
Giuseppe
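The `?` output above shows the shape of a 700-series entry (address, then mask) but not what the mask does. The following is an added example, not code from the thread or from Cisco: a small parser and evaluator for 700-series lines that assumes the wildcard-mask semantics Cisco documents for these lists (a mask bit set to 1 means "ignore this bit", so 0000.0000.0000 is an exact match and ffff.ffff.ffff ignores every bit, with an implicit deny at the end of the list). The configuration snippets inside it are constructed for illustration; the `find_wide_open` check is a hypothetical helper, not an IOS command.

```python
"""Evaluate Cisco IOS 700-series (48-bit MAC) access lists against frame source MACs.

Added example, not part of the original thread. Assumption: a mask bit of 1 means
"ignore this bit" (wildcard), as with IP ACL wildcards; unmatched frames hit the
implicit deny at the end of the list.
"""
import re
from typing import List, Tuple

# access-list <700-799> permit|deny H.H.H H.H.H   (mask required)
ACL_LINE = re.compile(
    r"^access-list\s+(7\d\d)\s+(permit|deny)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)
ALL_BITS = 0xFFFFFFFFFFFF  # 48 bits


def mac_to_int(mac: str) -> int:
    """Convert H.H.H, colon or dash notation to a 48-bit integer; reject malformed input."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def parse_acl(config_text: str, number: int) -> List[Tuple[str, int, int]]:
    """Return (action, address, wildcard) entries for access-list <number>, in config order."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2).lower(), mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries


def evaluate(entries: List[Tuple[str, int, int]], src_mac: str) -> str:
    """First matching entry wins; a frame matching no entry is denied."""
    src = mac_to_int(src_mac)
    for action, addr, wildcard in entries:
        care = ~wildcard & ALL_BITS          # bits the mask says we must compare
        if (src & care) == (addr & care):
            return action
    return "deny"


def find_wide_open(entries: List[Tuple[str, int, int]]) -> List[int]:
    """Hypothetical audit helper: indexes of permit entries whose mask ignores all 48 bits."""
    return [i for i, (action, _, wildcard) in enumerate(entries)
            if action == "permit" and wildcard == ALL_BITS]


# Constructed snippets: the all-ones mask proposed in the question versus an exact match.
PROPOSED = "access-list 701 permit 123a.456b.789c ffff.ffff.ffff\n"
EXACT = "access-list 701 permit 123a.456b.789c 0000.0000.0000\n"
OUI_ONLY = "access-list 702 permit 0000.1111.0000 0000.0000.ffff\n"  # match the first 32 bits only

if __name__ == "__main__":
    for name, cfg in (("proposed", PROPOSED), ("exact", EXACT)):
        acl = parse_acl(cfg, 701)
        print(name, "phone ->", evaluate(acl, "123a.456b.789c"),
              "| stranger ->", evaluate(acl, "dead.beef.0001"),
              "| wide-open entries:", find_wide_open(acl))
```

Under these semantics the mask in the original question ignores every bit, so the list permits any source MAC and the audit helper flags it; only the all-zero mask restricts the port to the phone. Either way a MAC filter is only a speed bump against an attacker who clones the phone's address, as the thread itself notes.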
01-05-2009 10:19 AM
Does this phone have an ip address? Why not just block that?
01-05-2009 12:45 PM
The idea is that the phone will communicate with potentially all other phones in the network.
I am thinking I can allow this traffic and block all other, but I also want to make sure that no one can disconnect the phone, use the phone IP address and establish communication on the network.
I realize that someone could steal the mac-address as well, but wanted to filter the layer 2 address also.
This is an 1861 router.
What would be the syntax to apply the access-list 701 to the interface?
01-05-2009 12:47 PM
Richard
Which IOS are you running on this router ?
Jon
01-05-2009 01:11 PM
What would be the syntax to apply the access-list 701 to the interface?
interface fx/x
ip access-group 701 [in|out]
HTH,
__
Edison.
01-05-2009 03:04 PM
The problem is this:
R4(config-if)#ip access-group 700 in
% Invalid access list name.
Even though there is an ACL 700
My test was on:
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
01-05-2009 03:21 PM
Mike
I agree. I think, although happy to admit I could be wrong, that ACL range 700-799 are meant to be applied to a bridged interface and not a normal L3 routed interface.
Richard if you can use the IP address as Mike suggested this may be the way to go.
Jon
01-05-2009 04:50 PM
Jon,
I believe you are correct. 700 is for bridging. I did a test, even if you configure bridging to also do routing (hope I'm explaining that correctly) it will still not allow you to put ACL 700 on int BVI1.
R5(config-if)#int bvi1
R5(config-if)#ip access-group 704 in
% Invalid access list name.
R5(config-if)#bridge-group 1 input-address-list 702
BVI1 does not support bridging
This is with the following configured:
interface BVI1
ip address 10.1.1.1 255.255.255.0
interface FastEthernet1/0
no ip address
bridge-group 1
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
10.1.1.1 is pingable from the LAN but acl 700 wont apply.
01-06-2009 08:18 AM
I am running 12.4(22)T on the 1861 routers and I have found also you cannot apply the ACL 700 series to the interface.
The IP address of the phone I can block, but someone could still remove the phone (some of them are in outside locations) and use that IP address to get to Call Manager or anything else the phone can get to.
If I can lock down the mac address of the phone, it will at least be harder to do that.
What about port security on the 8 port switch integrated into the 1861?
According to the documentation, it is supported, but I have been unable to find any documentation on configuring it. It is unlike a normal catalyst switch.
01-06-2009 08:21 AM
Richard
What is the part/module number for the 8 port switch ?
Port security would work if supported.
Jon
01-06-2009 08:36 AM
I do not see a part number for the switch itself, but from the docs:
Cisco 1861 Integrated Services Router
Table 1. Platform Features and Benefits
Ethernet Connectivity with QoS
⢠Port security is provided to limit unauthorized access to the network.
01-06-2009 10:18 AM
Hello wilson
you can configure port security on a 8 port switch.. you can use the following command to enable mac address based security on the switch:
switchport port-security mac-address mac-address [vlan vlan-id]
eg
switchport port-security mac-address 0000.0200.0004 vlan 3
Doing this, it will allow only the mac address specified in the port to access the port.. This becomes really tough though, but for smaller installations its fine.. looking at a larger picture, you must think of something like 802.1x with mac address authentication bypass..
refer to the following URL for port security..
Hope this helps.. all the best..
Raj
01-06-2009 12:13 PM
This does not work.
This is the 8 port switch integrated into the 1861 router.
The only options I have are:
ATM(config-if)#switchport ?
access Set access mode characteristics of the interface
mode Set trunking mode of the interface
priority Set 802.1p priorities
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
01-06-2009 12:45 PM
hey wilson
sorry.. didn't notice it was HWIC-ESW module. I was referring to a normal switch...
For 8 port switch module, the following example shows port security being configured in the MAC address table.
Router(config)# mac-address-table secure 0000.1111.2222 fa0/1/2 vlan 3
Doing this, ONLY the mac address 0000.1111.2222 will be able to access through FA0/1/2
You can have a look at other configurations possible for a switch port module, from the URL below:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048242
if you need advanced security parameters, you can look at 802.1x, protected ports etc..
Hope this helps.. all the best..
Raj