NAT with Mac Filtering

Answered Question
Jan 7th, 2009

Hi All!

I have been trying to block devices by MAC address.

My idea is to create "access-list 700 permit XXXX.XXXX.XXXX".

I'd like to add the access-list in "ip nat inside source 700 pool natpool overload".

Will it allow specifying the devices with specific MAC addresses?

Please give me some solutions for controlling devices by MAC address.

Thanks.

Vanna


Giuseppe Larosa Thu, 01/08/2009 - 01:38

Hello Vanna,

I think you should use a different approach:

NAT is a layer 3 and above feature and shouldn't accept a layer 2 ACL as a parameter to decide what needs to be translated.

You should use DAI, IP source guard and DHCP snooping on the LAN switch to distinguish legitimate users from non-legitimate users/devices.

Or you could use 802.1X on the LAN switch.


see


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdynarp.html


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html


Hope to help

Giuseppe



vannacisco Fri, 01/09/2009 - 21:06

Thanks!

Can I use the "Bridge Group" feature in the router to do MAC filtering?

Do you conclude that without the use of a switch we cannot do any MAC filtering?


Vanna

Giuseppe Larosa Sat, 01/10/2009 - 02:51

Hello Vanna,

For implementing MAC address based filtering on a router you need to use an interface that is not enabled for IP routing.

The interface can be a member of a bridge-group.

To provide L3 services you need to use IRB (integrated routing and bridging).

In this case interface BVIx (x = bridge-group number) is the L3 object providing routing services and where you apply the ip nat inside command; the physical interface is f0/0:

bridge 1 protocol ieee
bridge 1 route ip

int f0/0
 no ip addr
 bridge-group 1
 ! here you apply the MAC ACL (700-799 range)

int BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no shut


There was a recent thread about usage of MAC ACL on routers.


In this way using a single router you could achieve the desired result.


Hope to help

Giuseppe


vannacisco Sat, 01/10/2009 - 04:40

I have been trying to create IRB, but failed.

I tried to apply the MAC access-list to int f0/0 after creating bridge-group 1.

And I created the access list also.

But I have no clue how to apply the list on the interface. When I type "ip access-group ?", it shows only the following:

<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name

Please, what command do I use to apply the access list on fa0/0?

Thanks

Regards.


Vanna

Correct Answer
Giuseppe Larosa Sat, 01/10/2009 - 08:52

Hello Vanna,

to apply the MAC ACL try

int f0/0
 bridge-group 1 input-address-list 702



Hope to help

Giuseppe


vannacisco Sat, 01/10/2009 - 22:59

Hi!

Thank you so much!

I have managed to apply MAC filtering!

Now I need to test the NAT part; I hope it will work.

I have a problem editing access-list 700.

When I issue sh access-list or sh run, access list 700 is not shown. I need to edit the access-list too.


thanx

Giuseppe Larosa Sun, 01/11/2009 - 11:45

Hello Vanna,

thanks for your kind remarks!

You should be able to see the ACL with:

sh access-list

and also in sh run.

Try to define a new ACL 701 and then see if you can see it in sh run and sh access-list.

The ACL can have more statements, so you should be able to add lines as you like.

Notice that the first parameter is the source MAC address and the second is a wildcard mask:

0000.0000.0000 to match a single MAC address (like the host option in IP ACLs)


Hope to help

Giuseppe
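As an added illustration (not code from the thread or from Cisco), the following Python models how a 700-799 MAC ACL of the kind discussed above is evaluated: statements are parsed, the wildcard mask decides which address bits must match, the first matching statement wins, and an unmatched frame hits the implicit deny. The ACL statements and MAC addresses are constructed sample values.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the thread): one IOS standard MAC ACL in the
# 700-799 range, "access-list <n> permit|deny <mac> <mask>". The mask is a
# wildcard (a 1 bit means "don't care"); 0000.0000.0000 matches one station.
MAC_ACL_700 = """
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 deny   0011.2233.0000 0000.0000.ffff
access-list 700 permit 0000.0c00.0000 0000.00ff.ffff
"""

LINE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+([0-9a-f.]+)\s+([0-9a-f.]+)$", re.I)
ALL_ONES = 0xFFFF_FFFF_FFFF  # 48 address bits

Entry = Tuple[bool, int, int]  # (permit?, address, wildcard mask)


def mac_to_int(mac: str) -> int:
    """Parse IOS dotted-hex notation (hhhh.hhhh.hhhh) into a 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_mac_acl(text: str) -> List[Entry]:
    """Return the ACL's statements in order; rejects numbers outside 700-799."""
    entries = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable statement: {line!r}")
        if not 700 <= int(m.group(1)) <= 799:
            raise ValueError(f"{m.group(1)} is not a standard MAC ACL (700-799)")
        entries.append((m.group(2).lower() == "permit",
                        mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries


def acl_permits(entries: List[Entry], src_mac: str) -> bool:
    """First matching statement decides; no match means the implicit deny."""
    mac = mac_to_int(src_mac)
    for permit, addr, wildcard in entries:
        care = ALL_ONES ^ wildcard  # bits that must be equal for a match
        if mac & care == addr & care:
            return permit
    return False
```

With the sample ACL, 0011.2233.4455 is permitted by the exact-match line even though the following deny line would also cover it, which is why statement order matters when editing the list.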

