01-19-2010 11:17 PM - edited 03-04-2019 07:14 AM
Hi,
I have an Automatic Teller Machine connected through an 871 router to the MPLS WAN. I want to restrict network access on the 871 network so that only the ATM machine is able to use the network, based on MAC address security. All other unauthorized access must be prevented.
Note: I'm using a static IP address on the ATM machine, not dynamic.
Hope someone has done the above restriction. Please help.
01-20-2010 12:39 AM
Hello Walida,
if the ATM machine is the only legitimate client you can:
shut the other FE ports of the 871
create a static ARP entry mapping ATM static IP address to ATM MAC address.
use an ACL to permit only traffic sourced from the ATM IP address.
conf t
! Static ARP: the router resolves A.B.C.D only to this MAC and never ARPs for it
arp A.B.C.D 0001.2345.678a arpa
! Standard ACL: permit only the ATM source address; everything else hits the implicit deny
access-list 11 permit host A.B.C.D
int vlan 1
 ip access-group 11 in
end
I tried to see if switchport port-security is present on an 877M, but it is missing, so it looks like port security cannot be used.
The above suggestions are an approximate solution that should be enough.
The static ARP entry should allow traffic to go only to the ATM machine.
An intruder would have to emulate both the ATM IP address and the ATM MAC address to be accepted by the router.
Hope to help
Giuseppe
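The three pieces of the lockdown above (one static ARP entry, an inbound standard ACL on the LAN SVI that permits only that host, and every other FE port shut) are easy to get out of sync on a fleet of branch routers. The following is an added example, not code from the original thread or from Cisco: a small Python audit that parses a saved IOS configuration and reports any deviation from that intended state. The sample configuration, the 192.0.2.x addresses, the MAC and the choice of FastEthernet3 as the ATM port are all constructed for the example.

```python
"""Audit an IOS 871-style config for the ATM lockdown: a single static ARP
entry for the ATM, an inbound standard ACL on the LAN SVI permitting only
that host, and every other FastEthernet port shut down."""
import re
from dataclasses import dataclass, field

# Constructed sample config (assumption: ATM hangs off FastEthernet3).
SAMPLE_CONFIG = """\
!
interface FastEthernet0
 shutdown
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 11 in
!
arp 192.0.2.10 0001.2345.678a ARPA
access-list 11 permit host 192.0.2.10
!
"""

ARP_RE = re.compile(r"^arp\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+arpa$", re.I)
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$", re.I)
ACCESS_GROUP_RE = re.compile(r"^ip access-group\s+(\d+)\s+in$", re.I)


@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)  # name -> list of sub-commands
    arp: dict = field(default_factory=dict)         # ip -> mac for static ARP entries
    acls: dict = field(default_factory=dict)        # number -> [(action, target), ...]


def parse_config(text):
    """Minimal IOS config parser: indented lines belong to the preceding 'interface'."""
    cfg = IosConfig()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            cfg.interfaces[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            cfg.interfaces.setdefault(current, [])
            continue
        m = ARP_RE.match(line)
        if m:
            cfg.arp[m.group(1)] = m.group(2).lower()
            continue
        m = ACL_RE.match(line)
        if m:
            cfg.acls.setdefault(int(m.group(1)), []).append((m.group(2).lower(), m.group(3).strip()))
    return cfg


def audit(cfg, atm_port="FastEthernet3", lan_svi="Vlan1"):
    """Return a list of findings; an empty list means the config matches the lockdown."""
    findings = []
    # 1. Exactly one static ARP entry, which identifies the ATM's IP and MAC.
    if len(cfg.arp) != 1:
        findings.append(f"expected exactly one static ARP entry, found {len(cfg.arp)}")
        return findings
    atm_ip = next(iter(cfg.arp))
    # 2. The LAN SVI must carry an inbound ACL whose only permit is 'host <ATM IP>'.
    acl_num = None
    for sub in cfg.interfaces.get(lan_svi, []):
        m = ACCESS_GROUP_RE.match(sub)
        if m:
            acl_num = int(m.group(1))
    if acl_num is None:
        findings.append(f"{lan_svi} has no inbound ip access-group")
    else:
        entries = cfg.acls.get(acl_num, [])
        if not entries:
            findings.append(f"access-list {acl_num} is applied but has no entries")
        for action, target in entries:
            if action == "permit" and target.lower() != f"host {atm_ip}":
                findings.append(f"access-list {acl_num} permits '{target}', not only host {atm_ip}")
    # 3. Every FastEthernet port except the ATM's must be shut; the ATM's must not be.
    for name, subs in cfg.interfaces.items():
        if not name.lower().startswith("fastethernet"):
            continue
        if name == atm_port and "shutdown" in subs:
            findings.append(f"{name} (ATM port) is shut down")
        elif name != atm_port and "shutdown" not in subs:
            findings.append(f"{name} is not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["config matches the lockdown"]:
        print(finding)
```

Feed it the output of `show running-config` saved to a file; a widened ACL (a subnet instead of `host`) or a forgotten `shutdown` on a spare port each produce their own finding, which is exactly what the MAC/IP-pinning approach depends on.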
01-20-2010 01:52 AM
Thanks for your quick reply; I'll update you.
01-26-2010 02:22 AM
Hi giuslar,
I have implemented the configuration which you mentioned in your post and it is working.
In order to test the functionality, I used a machine with the same IP address and started pinging some entities (servers and printers) on the other side of the network, for which I got timeout replies, which is expected. But when the actual ATM machine is put back, whichever machines and printers I pinged from the test machine are not pingable from the ATM machine either, unless you restart everything (I mean the router and the ATM machine).
Is there any way to flush the blocking on the router?
Note: I have tried clear arp-cache and clear memory but did not help.
Thanks for your valuable feedback.
01-26-2010 04:35 AM
Hello Wahida,
have you tried the following:
remove the static ARP entry
clear arp-cache
configure again the static ARP entry
Hope to help
Giuseppe
01-31-2010 01:11 AM
Thanks giuslar for your valuable feedback. I'll try and let you know.