I have a 2811 router that is configured with VPN remote access, and I'm trying to block clients based on their MAC address. I tried configuring the
access interface as routing/bridging, configured ACL 750 as a 48-bit MAC address access list and enabled the "bridge-group 1 input-address-list 750" command on the bridged interface, but the only match I get when VPN clients access the LAN is from the router interface.
Internet(VPN) ---> Router1 (FE 0/1) ---> Router1 (FE 0/0) --> Router2 (FE 0/0) --> Router2 (FE 0/1) --> LAN
I tried configuring it on the Router1 (FE 0/0) interface and also on the Router2 (FE 0/0) interface, with the same behaviour. Router2 is used for internal NAT.
bridge 1 protocol ieee
bridge 1 route ip
access-list 750 permit d067.e547.83ea <-- My PC MAC Address
access-list 750 permit 001d.a2d0.4810 <-- Interface router MAC Address (All matches here)
access-list 750 deny 0000.0000.0000 ffff.ffff.ffff
no ip address
bridge-group 1 spanning-disabled
bridge-group 1 input-address-list 750
ip address 192.168.137.1 255.255.255.252
ip nat inside
Any ideas that could help to get a solution for this would be great.
Hello Juan Carlos,
MAC addresses are easily spoofed. Basing the security policy on MAC addresses is not a good idea in my opinion, as it does not provide any real increase in security.
I think that a possible way would be to use certificates issued for either users or PCs. However, I am not experienced enough with that. You should probably ask this question in the Security/VPN section - it is my sincere hope that the experts in that section will be able to help you better.
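The following is an added example, not part of either post, that illustrates both observations above: why every match in access-list 750 lands on the router interface MAC (a router rewrites the Layer 2 header at each hop, and an IPsec remote-access tunnel carries only IP packets, so the client's MAC never reaches the inside segment), and why a MAC list cannot distinguish a genuine host from one that merely claims the same address. The PC MAC and the matching router interface MAC are the ones from the post; the Router2 FE0/0 MAC, the home-LAN gateway MAC and the IP addresses are constructed, and the IOS wildcard-mask semantics (1 bits mean "don't care", implicit deny at the end) are the standard ones for 700-799 lists.

```python
"""Simulation of an IOS-style 48-bit MAC access list at a routed hop.
Added example, not the original poster's configuration. Assumed values
are labelled as constructed in the comments."""

from dataclasses import dataclass, replace


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted notation such as 'd067.e547.83ea' into an int."""
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class AclEntry:
    action: str                         # "permit" or "deny"
    mac: str                            # address to compare against
    wildcard: str = "0000.0000.0000"    # 1 bits = don't care (IOS mask semantics)


def acl_lookup(acl, src_mac: str):
    """Return (action, matched entry MAC or None) for the first matching
    entry. 700-799 lists end in an implicit deny, modelled here."""
    src = mac_to_int(src_mac)
    for entry in acl:
        care = ~mac_to_int(entry.wildcard) & 0xFFFFFFFFFFFF
        if (src & care) == (mac_to_int(entry.mac) & care):
            return entry.action, entry.mac
    return "deny", None


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def route_hop(frame: Frame, egress_mac: str, next_hop_mac: str) -> Frame:
    """A router strips the Ethernet header and re-encapsulates: the IP
    addresses survive, the MACs become the egress interface's own MAC
    and the next hop's MAC."""
    return replace(frame, src_mac=egress_mac, dst_mac=next_hop_mac)


# access-list 750 as given in the post, plus the explicit deny-all line.
ACL_750 = [
    AclEntry("permit", "d067.e547.83ea"),                    # the PC (from the post)
    AclEntry("permit", "001d.a2d0.4810"),                    # router interface (from the post)
    AclEntry("deny", "0000.0000.0000", "ffff.ffff.ffff"),    # everything else
]

PC_MAC = "d067.e547.83ea"              # from the post
ROUTER1_FE00_MAC = "001d.a2d0.4810"    # interface MAC the post reports matching
ROUTER2_FE00_MAC = "0000.0c00.0002"    # constructed
HOME_GATEWAY_MAC = "0000.0c00.0001"    # constructed


def vpn_client_as_seen_by_router2(client_mac: str):
    """Follow a remote-access VPN client's traffic to Router2 FE0/0 and
    evaluate access-list 750 on the source MAC that actually arrives."""
    # On the client's own LAN the frame really does carry the PC's MAC.
    on_home_lan = Frame(client_mac, HOME_GATEWAY_MAC, "10.0.0.5", "192.168.137.10")
    # The tunnel carries only the IP packet; after Router1 decrypts it and
    # forwards toward Router2, the source MAC is Router1's egress interface.
    toward_router2 = route_hop(on_home_lan, ROUTER1_FE00_MAC, ROUTER2_FE00_MAC)
    action, matched = acl_lookup(ACL_750, toward_router2.src_mac)
    return toward_router2.src_mac, action, matched


def directly_attached_host(claimed_src_mac: str):
    """A host on the filtered segment is judged only by the MAC it puts in
    the frame; the list has no way to verify who actually sent it."""
    return acl_lookup(ACL_750, claimed_src_mac)


if __name__ == "__main__":
    print("VPN client with the PC MAC:", vpn_client_as_seen_by_router2(PC_MAC))
    print("VPN client, any other MAC: ", vpn_client_as_seen_by_router2("aaaa.bbbb.cccc"))
    print("Local host, unknown MAC:   ", directly_attached_host("0011.2233.4455"))
    print("Local host claiming PC MAC:", directly_attached_host(PC_MAC))
```

Running it shows that both VPN clients, the legitimate PC and a client with an unrelated MAC, arrive at Router2 with source MAC 001d.a2d0.4810 and are permitted by the second line, which is exactly the "all matches here" behaviour in the post; on a directly attached segment an unknown MAC hits the deny line, while any frame carrying the PC's MAC is permitted regardless of its real origin, which is the point the reply makes about spoofing.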