NAT with Mac Filtering

vannacisco
Level 1

Hi All!

I have been trying to block devices by MAC address.

My idea is to create "access-list 700 permit XXXX.XXXX.XXXX".

I'd like to add the access-list in "ip nat inside source 700 pool natpool overload".

Will it allow specifying the devices with specific MAC addresses?

Please give me some solutions for controlling devices by MAC address.

Thanks.

Vanna


7 Replies

Giuseppe Larosa
Hall of Fame

Hello Vanna,

I think you should use a different approach:

NAT is a layer 3 and above feature and shouldn't accept a layer 2 ACL as a parameter to decide what needs to be translated.

You should use DAI, IP source guard, and DHCP snooping on the LAN switch to distinguish legitimate users from illegitimate users/devices.

Or you could use 802.1X on the LAN switch.

See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html

Hope to help

Giuseppe

Thanks!

Can I use the "Bridge Group" feature in the router to do MAC filtering?

Do you conclude that without the use of a switch, we cannot do any MAC filtering?

Vanna

Hello Vanna,

for implementing MAC address based filtering on a router you need to use an interface that is not enabled for IP routing.

The interface can be a member of a bridge-group.

To provide L3 services you need to use IRB (integrated routing and bridging).

In this case interface BVIx (x = bridge-group number) is the L3 object providing routing services and where you apply the ip nat inside command.

The physical interface f0/0:

bridge irb
! "bridge irb" enables IRB so that the BVI interface can be created

bridge 1 protocol ieee

bridge 1 route ip

int f0/0

no ip addr

bridge-group 1

! here you apply the MAC ACL (700-799 range)

int BVI1

ip address 10.10.10.1 255.255.255.0

ip nat inside

no shut

There was a recent thread about usage of MAC ACLs on routers.

In this way, using a single router, you could achieve the desired result.

Hope to help

Giuseppe

I have been trying to create IRB, but failed.

I tried to apply the MAC access-list to int f0/0 after creating bridge-group 1.

I created the access list also.

But I have no clue how to apply the list on the interface. When I type "ip access-group ?", it shows only the following:

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name

Please, what command do I use to apply the access-list on fa0/0?

Thanks,

Regards,

Vanna

Hello Vanna,

to apply the MAC ACL try

int f0/0

bridge-group 1 input-address-list 702

Hope to help

Giuseppe

Hi!

Thank you so much!

I have managed to apply MAC filtering!

Now I need to test the NAT part; I hope it should work.

I have a problem editing access-list 700.

When I issue "sh access-list" or "sh run", access-list 700 is not shown. I need to edit the access-list too.

Thanks

Hello Vanna,

thanks for your kind remarks!

You should be able to see the ACL with:

sh access-list

and also in sh run.

Try to define a new ACL 701 and then see if you can see it in sh run and sh access-list.

The ACL can have more statements, so you should be able to add lines as you like.

Notice that the parameters are: the first is the source MAC address and the second is a wildcard mask:

0000.0000.0000 to match a single MAC address (like the host option in IP ACLs)

Hope to help

Giuseppe
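The following is an added worked example that pulls together Giuseppe's IRB configuration and his description of the 700-range ACL syntax into one single-router configuration; it is not code from the thread or from Cisco documentation. The interface names, the 10.10.10.0/24 LAN, the 203.0.113.x addresses, the pool name and the MAC addresses are assumed values chosen for illustration. Note that the MAC ACL gates which frames are bridged into BVI1 at layer 2, while the NAT selection still uses an ordinary IP ACL, which is why "ip access-group ?" and "ip nat inside source list" only accept IP ACLs.

```cisco
! Added example (not from the thread): single-router IRB + MAC filtering + NAT.
! Assumed values: FastEthernet0/0 = LAN, FastEthernet0/1 = WAN, 203.0.113.x = public side.
!
! MAC ACL 700: first parameter is the source MAC, second is a wildcard mask.
! 0000.0000.0000 = match exactly this address; ffff.ffff.ffff = match any address.
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
! Explicit catch-all deny: an unlisted source MAC is dropped before it reaches BVI1.
access-list 700 deny   0000.0000.0000 ffff.ffff.ffff
!
! IP ACL 1 selects which inside sources are translated (NAT takes an IP ACL, not a MAC ACL).
access-list 1 permit 10.10.10.0 0.0.0.255
!
! Enable integrated routing and bridging so the BVI can provide layer 3 services.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 ! Apply the MAC ACL to frames entering the bridge group on this port.
 bridge-group 1 input-address-list 700
 no shutdown
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 no shutdown
!
ip nat pool natpool 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
!
! Verification commands to run after applying the configuration:
! show access-lists 700
! show bridge 1
! show ip nat translations
```

Two practitioner notes on this design: a host whose MAC is not in list 700 never gets an IP conversation with the router at all, so it will not appear in "show ip nat translations", which is a convenient way to confirm the filter is working. And because a source MAC is not authenticated by anything in this setup, this filter is a convenience control rather than an access-control boundary; for the legitimate-versus-illegitimate device problem Vanna describes, the switch-side features Giuseppe listed first (802.1X, DAI, IP source guard, DHCP snooping) remain the stronger answer.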
