
Restricting access to network on 871 router via mac-address

wahida
Level 1

Hi,

I have an Automatic Teller Machine connected through an 871 router to the MPLS WAN. I want to restrict network access on the 871 network so that only the ATM machine is able to use the network, based on MAC address security. All other unauthorized access must be prevented.

Note: I'm using a static IP address on the ATM machine, not a dynamic one.

Hope someone has done the above restriction. Please help...

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Wahida,

If the ATM machine is the only legitimate client you can:

shut the other FE ports of the 871

create a static ARP entry mapping the ATM static IP address to the ATM MAC address.

use an ACL to permit only traffic sourced by the ATM IP address.

conf t

arp A.B.C.D 0001.2345.678a arpa

access-list 11 permit host A.B.C.D

int vlan 1

ip access-group 11 in

I tried to see if the switchport port-security commands are present in an 877 M, but they are missing, so it looks like port security cannot be used.

The above suggestions are an approximate solution that should be enough.

The static ARP entry should allow traffic to go only to the ATM machine.

An intruder should emulate both the ATM IP address and the ATM MAC address to be accepted by the router.

Hope to help

Giuseppe
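An added example, not part of the original posts and not Cisco tooling: a Python check that a saved running-config really contains the three controls suggested above (unused FE ports shut, static ARP binding for the ATM, inbound ACL on the VLAN interface permitting only the ATM host). The sample config, the 192.0.2.10 address standing in for A.B.C.D, the FastEthernet4 uplink and the function names are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the thread). 192.0.2.10 stands in
# for A.B.C.D; FastEthernet4 is assumed to be the WAN uplink.
SAMPLE_CONFIG = """\
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet4
 ip address 198.51.100.2 255.255.255.252
!
interface Vlan1
 ip access-group 11 in
!
arp 192.0.2.10 0001.2345.678a ARPA
access-list 11 permit 192.0.2.10
"""

def interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit(config, atm_ip, atm_mac, keep_up, svi="Vlan1"):
    """Return findings; an empty list means all three controls are in place."""
    findings, ifs = [], interfaces(config)
    for name, cmds in ifs.items():
        if name.startswith("FastEthernet") and name not in keep_up and "shutdown" not in cmds:
            findings.append(f"{name} is not shut down")
    if not re.search(rf"^arp {re.escape(atm_ip)} {re.escape(atm_mac)} arpa", config, re.M | re.I):
        findings.append("no static ARP entry binding the ATM IP to the ATM MAC")
    acl = next((c.split()[2] for c in ifs.get(svi, []) if re.match(r"ip access-group \S+ in$", c)), None)
    if acl is None:
        findings.append(f"no inbound access-group on {svi}")
    else:  # the only permit entry must be the ATM host (implicit deny covers the rest)
        permits = re.findall(rf"^access-list {re.escape(acl)} permit (.+)$", config, re.M)
        if [p.replace("host ", "").strip() for p in permits] != [atm_ip]:
            findings.append(f"access-list {acl} does not permit only the ATM host")
    return findings
```

Call it as `audit(SAMPLE_CONFIG, "192.0.2.10", "0001.2345.678a", {"FastEthernet0", "FastEthernet4"})`, where the last argument names the ports that are meant to stay up.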

Thanks for your quick reply and update you.

Hi giuslar,

I have implemented the configuration which you mentioned in your post and it is working.

In order to test the functionality, I used a machine with the same IP address and started pinging some entities (servers and printers) on the other side of the network, for which I got timeout replies, which is expected. But when the actual ATM machine is put back, whichever machines and printers I pinged from the test machine are not pingable from the ATM machine either, unless you restart everything (I mean the router and the ATM machine).

Is there any way to flush the blocking on the router?

Note: I have tried clear arp-cache and clear memory, but it did not help.

Thanks for your valuable feedback.

Hello Wahida,

Have you tried the following:

remove the static ARP entry

clear arp-cache

configure the static ARP entry again

Hope to help

Giuseppe

Thanks giuslar for your valuable feedback. I'll try and let you know.
