block mac based system to access internet

Aug 23rd, 2012

I have a network in which users are getting IP addresses from a DHCP server that is a Windows server.

I want to block some users from accessing the internet by using their device MAC address.


I have these devices in my network...

2921 Cisco CME router
Cisco 2960 switches
Cisco 892 Cisco internet router
internet ADSL that is connected with the Cisco 892...
wireless AP 1142...



I have no firewall or any ASA...

Please tell me how I can block some users from accessing the internet while they can still access the internal network for file sharing and printing...

Karsten Iwen Thu, 08/23/2012 - 03:31

That's not that easy to achieve ...


If there are not that many devices that need this special treatment, then I would go the following way:


1) On your DHCP-server configure a reservation for these devices so that they get an IP from a reserved IP-range (align the range on subnet-boundaries).

2) On your Internet-Router, configure an ACL that denies the traffic from this range to the internet or even completely (as desired).


This will only work if your users are not so savvy to change their MAC-addresses to something that is not in your reserved DHCP-Pool.



The technically better way could be to deploy port-based authentication (802.1x) based on MAC-addresses. But that is more complex than the DHCP-solution.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Amit Sharma Fri, 08/24/2012 - 23:06
How can I reserve my MAC with a specified IP address of the DHCP pool... and how then block that reserved address from accessing the internet?

Karsten Iwen Thu, 08/23/2012 - 03:53

I don't think that the 2960 supports VACLs ...



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Peter Paluch Thu, 08/23/2012 - 06:15

Hello Alessio,


You have quite an overview! Yes, indeed - the 2960 Catalysts appear to unofficially support VACLs with the most recent IOS versions. I haven't had any more word from Cisco on that but I guess that once they got it running, they're probably not going to throw this functionality away.


Blocking IP traffic based on MAC addresses is generally difficult on recent Catalyst switches. This is because a MAC ACL applies only to non-IP traffic. In other words, you cannot use a MAC ACL to filter frames that carry IP packets. This is valid for 2960, 3560 and higher switches. Older switches behaved differently, e.g. the 2950 switch was capable of filtering even IP traffic by a MAC ACL. However, because Sharma has a 2960 switch, the MAC ACLs or VACLs are not an option for him to filter IP traffic based on MAC ACLs.


Remember that if you will filter these guys in order to access the internet, possibly the ACL direction should be out:


ip access-group acl_number out


Ummm, this would not work, sadly, because of two reasons:


  • You cannot refer to a MAC ACL using the ip access-group command. You need to use the mac access-group command instead.
  • Low-end Catalysts like the 2960 support only the in direction for port ACLs. The out direction is not available.


I do not think that the router supports MAC ACLs at all.


In my personal opinion, the correct solution should be:


  • Assign all IP addresses from the DHCP server based on clients' MAC addresses (a static binding on the DHCP server making sure that a single MAC address always gets the same IP address)
  • On the 2960, use the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard to prevent stations from stealing and/or spoofing their IPs or MAC addresses.
  • Perform further filtering based on IP addresses, as the steps above will ensure a 1:1 IP:MAC mapping.


Would this be an acceptable solution for you, Sharma?


Best regards,

Peter

Amit Sharma Fri, 08/24/2012 - 23:05
Dear frds...

Is there any other way that I can use to block these MAC-address-based users from accessing the internet....?

Karsten Iwen Sun, 08/26/2012 - 03:49

You want more possibilities? 


1) What about forcing the users to access the internet through a proxy and authenticate them there? That will help if you want to restrict certain users from accessing the internet and not only users of particular PCs.


2) If you have a flat network, you could remove the default-gateway from the machines that shouldn't go to the internet.


Both solutions can only work if your users don't have admin-rights on their PCs.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Amit Sharma Sun, 08/26/2012 - 22:24
Dear Guys...

I don't have a proxy in my network.....

So if I remove the gateway from my end-user PCs, will they be able to access other systems and internal resources within the network?

If not, then how can I go about this issue?

If I assign IPs from DHCP and exclude those addresses from DHCP... after that apply an ACL to block those addresses from going to the internet...

Would this work, and where do I apply and define the ACL?

Karsten Iwen Sun, 08/26/2012 - 23:08

So if I remove the gateway from my end-user PCs, will they be able to access other systems and internal resources within the network?

Only the resources in their own subnet. In your config there are two static routes to networks 172.16.0.0 and 172.16.110.0. For these networks the PCs would also need static routes.



If I assign IPs from DHCP and exclude those addresses from DHCP... after that apply an ACL to block those addresses from going to the internet...

Would this work, and where do I apply and define the ACL?

Let's assume your restricted users all get IPs in the range 172.16.100.225-172.16.100.254. Then your router-config needs this addition:


object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0

ip access-list extended INTERNAL-IN
  permit ip any object-group RFC1918
  deny ip 172.16.100.224 0.0.0.31 any
  permit ip any any

interface Vlan100
  ip access-group INTERNAL-IN in


With this config all traffic entering your router on the inside interface is filtered by the ACL INTERNAL-IN. If you later add another internal subnet or VPN to your router, these will probably use IPs from the RFC1918-range, so that traffic is allowed. Then the restricted PCs are not allowed to go anywhere. The rest is again allowed.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Amit Sharma Sun, 08/26/2012 - 23:37
Dear Sir,

I have around 10-20 users in the range of the 172.16.100.0/24 subnet...

I don't want to block all users... but limited users, such as


172.16.100.50
172.16.100.51
172.16.100.55
172.16.100.80
172.16.100.90
172.16.100.110
172.16.100.134
172.16.100.155
172.16.100.188



IP addresses like these need to be blocked from the internet but not blocked from internal network access to other devices such as the printer, file server and other systems...

How can I do this?

Karsten Iwen Sun, 08/26/2012 - 23:50

You have to give these users a reserved IP in the given range. Or in any range you want. Then you have to adjust the ACL.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Amit Sharma Sun, 08/26/2012 - 23:58
ok sir!

But if I gave them IP addresses in the same range, as..

172.16.100.50-70/24

then can I apply the ACL as you mentioned in the above message?


thanks

Karsten Iwen Mon, 08/27/2012 - 00:11

Then your ACL has to be written in a different way which is less flexible if you later add other networking-devices to your network:


object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0

object-group network NO-INTERNET
  range 172.16.100.50 172.16.100.70

ip access-list extended INTERNAL-IN
  permit ip any object-group RFC1918
  deny ip object-group NO-INTERNET any
  permit ip any any

interface Vlan100
  ip access-group INTERNAL-IN in


It's better to have the reserved addresses on a subnet-boundary (.32-.63 or 64-91 or something like that.)




-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
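To check what either version of the INTERNAL-IN list actually permits before putting it on the 892, here is an added Python evaluator (not code from the thread or from Cisco) that parses the object-groups and ACL exactly as posted above, including the earlier wildcard-mask form, and answers permit or deny for a source and destination; the config copy and the sample flows are constructed for this example, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed copy of the object-groups and ACL from the thread (NO-INTERNET variant).
CONFIG = """
object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0
object-group network NO-INTERNET
  range 172.16.100.50 172.16.100.70
ip access-list extended INTERNAL-IN
  permit ip any object-group RFC1918
  deny ip object-group NO-INTERNET any
  permit ip any any
"""

def _member(tokens, groups, wildcard=False):
    # One address specifier -> (list of matchers, tokens left over).
    if tokens[0] == "any":
        return [("net", ipaddress.ip_network("0.0.0.0/0"))], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "range":
        return [("range", *map(ipaddress.ip_address, tokens[1:3]))], tokens[3:]
    # object-group lines carry a netmask; ACL entries carry a wildcard (inverted) mask
    mask = int(ipaddress.ip_address(tokens[1])) ^ (0xFFFFFFFF if wildcard else 0)
    net = ipaddress.ip_network((tokens[0], bin(mask).count("1")), strict=False)
    return [("net", net)], tokens[2:]

def parse(config):
    groups, acl, current = {}, [], None
    for w in filter(None, map(str.split, config.splitlines())):
        if w[:2] == ["object-group", "network"]:
            current = groups.setdefault(w[2], [])
        elif w[:2] == ["ip", "access-list"]:
            current = acl
        elif current is acl:  # "permit|deny ip SRC DST"
            src, rest = _member(w[2:], groups, wildcard=True)
            dst, _ = _member(rest, groups, wildcard=True)
            acl.append((w[0], src, dst))
        else:
            current.extend(_member(w, groups)[0])
    return groups, acl

def evaluate(acl, src, dst):
    # First matching entry wins; an IOS ACL ends with an implicit deny.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda ms, ip: any(ip in m[1] if m[0] == "net" else m[1] <= ip <= m[2] for m in ms)
    for action, s, d in acl:
        if hit(s, src) and hit(d, dst):
            return action
    return "deny"
```

Running evaluate() for a restricted host against an internet address and against a 172.16.110.0 address shows the intended split; a host one address outside the reserved range (.71) still gets internet, which is why the reservation and the ACL range must agree.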

Amit Sharma Mon, 08/27/2012 - 00:15
yes sir!

I agree with your points, but this network is small and limited in users... so I think I can go with the solution in this message..

Let me try, and if it works... then I'll update you back...

But I have different IPs of the same subnet as mentioned:

172.16.100.50/24
172.16.100.59/24
172.16.100.78/24
172.16.100.88/24

Then how can I apply the ACL on my 892 router?
