Cisco Support Community
New Member

How can I create a MAC-based ACL on Cisco 2800 & 1800 routers

hi,

I want to create a MAC-based ACL for all users and laptops, so that I can restrict unauthorized users or laptops. My current scenario is like this:

wireless user/Laptop ------> Access point------->Poe switch (L2)-------> WLC (wireless LAN controller )-------->Radius server ------------>AD------------> LAN

In the above scenario, an unauthorized user can access the Internet or can get some access through a static IP. So I am planning to implement the following, because I have Cisco 2800 and Cisco 1800 routers and also due to lack of budget.

wireless user/Laptop ------> Access point------->PoE switch (L2)------->Cisco router (with MAC base ACL)--------> WLC-------->Radius server ------------>AD------------> LAN

Please suggest how to resolve this issue.

Thanks & Regards,

Sujeet

3 REPLIES
Silver

Re: How can I create a MAC-based ACL on Cisco 2800 & 1800 routers

A MAC access list on the router as described in this link may work:


http://www.cisco.com/en/US/partner/docs/ios/bridging/command/reference/br_a1.html#wp1010986


The downstream switch is a better place for MAC filtering.  Find the specific manual for the switch hardware/software you have in order to filter there.



Chris

New Member

Re: How can I create a MAC-based ACL on Cisco 2800 & 1800 routers

Hi,

Sorry for the late reply.

I am not able to access the link that you sent.

Please send me another link.

Silver

Re: How can I create a MAC-based ACL on Cisco 2800 & 1800 routers

This may be hardware/feature set/IOS dependent.


##########

access-list (standard-ibm)

To establish a MAC address access list, use the access-list command in global configuration mode. To remove the access list, use the no form of this command.

access-list access-list-number {permit | deny} address mask

no access-list access-list-number

Syntax Description

access-list-number: Integer from 700 to 799 that you select for the list.
permit: Permits the frame.
deny: Denies the frame.
address mask: 48-bit MAC addresses written as a dotted triple of four-digit hexadecimal numbers. The ones bits in the mask argument are the bits to be ignored in address.


Defaults

No MAC address access lists are established.

Command Modes

Global configuration

Command History

Release: Modification
10.0: This command was introduced.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Configuring bridging access lists of type 700 may cause a momentary interruption of traffic flow.

Examples

The following example assumes that you want to disallow the bridging of Ethernet packets of all Sun workstations on Ethernet interface 1. Software assumes that all such hosts have Ethernet addresses with the vendor code 0800.2000.0000. The first line of the access list denies access to all Sun workstations, and the second line permits everything else. You then assign the access list to the input side of Ethernet interface 1.

access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 1
 bridge-group 1 input-address-list 700

Related Commands

Command: Description
access-list (type-code-ibm): Builds type-code access lists.
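
Added example (not part of the thread or of Cisco's documentation): a small Python model of how the type-700 entries quoted above are evaluated, useful for checking a list offline before applying it, since a wrong mask silently permits or denies whole address ranges. It assumes first-match ordering and an implicit deny when no entry matches; list 701 and its addresses are constructed for illustration.

```python
import re

MAC = r"((?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
ENTRY = re.compile(rf"^access-list\s+(7\d\d)\s+(permit|deny)\s+{MAC}\s+{MAC}$")
ALL_BITS = (1 << 48) - 1

def mac_to_int(mac):
    """Accept dotted-triple (0800.2000.0001) or colon/hyphen notation."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def parse_acl(config):
    """Return (number, action, address, mask) for each 700-799 entry, in order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # skips '!', interface lines and anything else
            entries.append((int(m.group(1)), m.group(2),
                            mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries

def evaluate(entries, number, mac):
    """First matching entry wins; ones bits in the mask are ignored."""
    value = mac_to_int(mac)
    for num, action, address, mask in entries:
        care = ALL_BITS & ~mask  # bits that must match
        if num == number and (value & care) == (address & care):
            return action
    return "deny"  # assumption: implicit deny when no entry matches

# The list quoted in the reply above.
PAGE_ACL = """
access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 1
 bridge-group 1 input-address-list 700
"""

# Constructed allowlist (list number and addresses are made up).
ALLOWLIST = """
access-list 701 permit 0011.2233.4455 0000.0000.0000
access-list 701 permit 0011.2233.4466 0000.0000.0000
"""

if __name__ == "__main__":
    for mac in ("0800.2012.3456", "0011.2233.4455"):
        print(mac, evaluate(parse_acl(PAGE_ACL), 700, mac))
```

With an all-zero mask every bit must match, so list 701 permits only the two listed addresses and everything else falls through to the assumed implicit deny.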

