
Filter MAC list on Router with VPN Remote Access

Answered Question
Sep 4th, 2012

I have a 2811 router that is configured with VPN remote access, and I'm trying to block clients based on their MAC address. I tried configuring the access interface as routing/bridging, configured ACL 750 as a 48-bit MAC address access list, and enabled the "bridge-group 1 input-address-list 750" command on the bridged interface, but the only match I get when VPN clients access the LAN is from the router interface.


Internet(VPN)  --->  Router1 (FE 0/1)  --->  Router1 (FE 0/0)  -->  Router2 (FE 0/0)  -->  Router2 (FE 0/1)  -->  LAN


I tried configuring it on the Router1 (FE 0/0) interface and also on the Router2 (FE 0/0) interface, with the same behaviour. Router2 is used for internal NAT.


bridge irb
bridge 1 protocol ieee
bridge 1 route ip

access-list 750 permit d067.e547.83ea  <-- My PC MAC address
access-list 750 permit 001d.a2d0.4810  <-- Router interface MAC address (all matches here)
access-list 750 deny   0000.0000.0000   ffff.ffff.ffff

interface FastEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
 bridge-group 1 input-address-list 750

interface BVI1
 ip address 192.168.137.1 255.255.255.252
 ip nat inside

Any ideas that could help to get a solution for this would be great.


Thanks,

Peter Paluch (Cisco Employee) Tue, 09/04/2012 - 13:34

Hello,


I am afraid it is not possible to filter VPN clients based on their MAC address, if this is what you are trying to accomplish. The reason is fairly simple: in IPsec or SSL VPN, only IP packets are tunneled and encrypted, not entire Ethernet frames. Therefore, the filtering you have configured cannot see the clients' MAC addresses and has nothing to act upon.


Is there any particular need for filtering the clients based on their MAC?


Best regards,

Peter
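An added illustration (not part of Peter's reply, and not Cisco code) of why ACL 750 only ever matches the interface MAC: a small Python model of a 700-series MAC access list with first-match, wildcard-mask semantics, run against the MAC addresses posted in the question. The mask semantics and the implicit deny are assumptions about IOS behaviour, and `source_mac_at_bridge` is a constructed simplification of the decapsulation step.

```python
# Added model (not from the thread or Cisco IOS) of a 700-series MAC ACL used as
# a bridge-group input-address-list. Assumed IOS semantics: first match wins,
# the optional mask is a wildcard (set bits are ignored), and an unmatched
# frame is dropped by the implicit deny. MAC values are those posted above.
MAC_BITS = (1 << 48) - 1

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (d067.e547.83ea) into a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac}")
    return int(digits, 16)

def parse_acl(lines):
    """Turn 'access-list N permit|deny MAC [MASK]' lines into (action, mac, mask) tuples."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an ACL entry (comment or blank line)
        mask = mac_to_int(parts[4]) if len(parts) > 4 else 0
        rules.append((parts[2], mac_to_int(parts[3]), mask))
    return rules

def evaluate(rules, src_mac: str):
    """First-match lookup. Returns (action, index), or ('deny', None) for the implicit deny."""
    src = mac_to_int(src_mac)
    for idx, (action, mac, mask) in enumerate(rules):
        care = mask ^ MAC_BITS  # bits the rule actually compares
        if src & care == mac & care:
            return action, idx
    return "deny", None

ACL_750 = [
    "access-list 750 permit d067.e547.83ea",
    "access-list 750 permit 001d.a2d0.4810",
    "access-list 750 deny   0000.0000.0000   ffff.ffff.ffff",
]
PC_MAC = "d067.e547.83ea"
ROUTER_MAC = "001d.a2d0.4810"

def source_mac_at_bridge(client_mac: str, via_vpn: bool) -> str:
    """Constructed model of the observation in the thread: an IPsec/SSL VPN tunnels IP
    packets, not Ethernet frames, so after decapsulation the router forwards the packet
    in a new frame carrying its own interface MAC; only a directly attached LAN host
    reaches the bridge with its real MAC."""
    return ROUTER_MAC if via_vpn else client_mac
```

Running `evaluate(parse_acl(ACL_750), source_mac_at_bridge(PC_MAC, True))` hits the second entry (the router MAC) regardless of which client connected, which is exactly the "all matches here" observation; only a host plugged into the LAN can hit the first entry.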

Juan Carlos Ari... Tue, 09/04/2012 - 14:21

Hello Peter,


Thanks for your detailed answer; that is bad news for my requirement. Our customer needs to implement this policy because their business needs the highest security that the one who is logging in via the VPN client is an authorized user and PC: it is limited access to a server only from specific users and MAC addresses.


Any other idea how I can solve this?


Thanks again,

Juan Carlos

Correct Answer
Peter Paluch (Cisco Employee) Tue, 09/04/2012 - 14:51

Hello Juan Carlos,


MAC addresses are easily spoofed. Basing the security policy on MAC addresses is not a good idea in my opinion, as it does not provide any real increase in security.


I think that a possible way would be to use certificates issued for either users or PCs. However, I am not experienced enough with that. You should probably ask this question in the Security/VPN section - it is my sincere hope that the experts in that section will be able to help you better.


Best regards,

Peter

Juan Carlos Ari... Tue, 09/04/2012 - 15:25

Ok Peter, you're right, I agree with you: certificates are the best way to do this. I'll have to read about it; I just wanted to give it a try. It didn't work, but I learned something new today.


Thanks,
