01-07-2009 11:45 PM - edited 03-06-2019 03:18 AM
Hi All!
Been trying to block devices by MAC address.
My idea is to create "access-list 700 permit XXXX.XXXX.XXXX".
I'd like to add the access-list in "ip nat inside source 700 pool natpool overload".
Will it allow specifying the devices with specific MAC addresses?
Please give me some solutions for controlling devices by MAC address.
Thanks.
Vanna
01-08-2009 01:38 AM
Hello Vanna,
I think you should use a different approach:
NAT is a layer 3 and above feature and shouldn't accept a layer 2 ACL as a parameter to decide what needs to be translated.
You should use DAI, IP source guard and DHCP snooping on the LAN switch to distinguish legitimate users from non-legitimate users/devices.
Or you could use 802.1X on the LAN switch.
see
Hope to help
Giuseppe
01-09-2009 09:06 PM
Thanks!
Can I use the "Bridge Group" feature in the router to do MAC filtering?
Do you conclude that without the use of a switch, we cannot do any MAC filtering?
Vanna
01-10-2009 02:51 AM
Hello Vanna,
for implementing MAC address based filtering on a router you need
to use an interface that is not enabled for IP routing.
The interface can be member of a bridge-group.
To provide L3 services you need to use IRB (integrated routing and bridging).
In this case interface BVIx (x = bridge-group number) is the L3 object providing routing services and where you apply the ip nat inside command, not the physical interface f0/0:
bridge 1 protocol ieee
bridge 1 route ip
int f0/0
 no ip addr
 bridge-group 1
 ! here you apply the MAC ACL (700-799 range)
int BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no shut
There was a recent thread about usage of MAC ACL on routers.
In this way using a single router you could achieve the desired result.
Hope to help
Giuseppe
01-10-2009 04:40 AM
I have been trying to create IRB for quite a while, but failed.
I tried to apply the MAC access-list to int f0/0 after creating bridge-group 1.
And created the access list also.
But I have no clue how to apply the list on the interface. When I type "ip access-group ?", it shows only the following:
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
Please, what command do I use to apply the access list on fa0/0?
Thanks
Regards.
Vanna
01-10-2009 08:52 AM
Hello Vanna,
To apply the MAC ACL, try:
int f0/0
 bridge-group 1 input-address-list 702
Hope to help
Giuseppe
01-10-2009 10:59 PM
Hi!
Thank you so much!
I have managed to apply MAC filtering!
Now I need to test the NAT part! I hope it should work.
I have a problem in editing access-list 700.
When I issue sh access-list or sh run, access list 700 is not shown. I need to edit the access-list too.
Thanks
01-11-2009 11:45 AM
Hello Vanna,
Thanks for your kind remarks!
You should be able to see the ACL with:
sh access-list
and also in sh run.
Try to define a new ACL 701 and then see if you can see it in sh run and sh access-list.
The ACL can have more statements, so you should be able to add lines as you like.
Notice that the first parameter is the source MAC address and the second is a wildcard mask:
0000.0000.0000 to match a single MAC address (like the host option in IP ACLs).
Hope to help
Giuseppe
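As an added example, not part of this thread or of Cisco's code, here is a small Python model of how a 700-series MAC ACL evaluates a frame's source address against the address/wildcard pairs Giuseppe describes: first matching entry wins, and anything unmatched falls to the implicit deny at the end. The sample ACL is constructed, and treating an omitted wildcard as an exact host match is my assumption.

```python
import re
from dataclasses import dataclass
# Cisco dotted-hex MAC notation, hhhh.hhhh.hhhh, as used in 700-series ACLs.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

def mac_to_int(mac: str) -> int:
    """Convert hhhh.hhhh.hhhh to a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a dotted-hex MAC: {mac!r}")
    return int(mac.replace(".", ""), 16)

@dataclass
class MacAce:
    permit: bool
    address: int
    wildcard: int  # 1 bits are "don't care", like an IP ACL wildcard mask

    def matches(self, src: int) -> bool:
        care = 0xFFFFFFFFFFFF & ~self.wildcard
        return (src & care) == (self.address & care)

def parse_acl(lines: list[str]) -> list[MacAce]:
    """Parse 'access-list <700-799> {permit|deny} <mac> [<wildcard>]' statements."""
    aces = []
    for line in lines:
        parts = line.split()
        if (len(parts) < 4 or parts[0] != "access-list"
                or not 700 <= int(parts[1]) <= 799 or parts[2] not in ("permit", "deny")):
            raise ValueError(f"not a MAC ACL statement: {line!r}")
        # Assumption: an omitted wildcard means an exact host match (0000.0000.0000).
        wildcard = parts[4] if len(parts) > 4 else "0000.0000.0000"
        aces.append(MacAce(parts[2] == "permit", mac_to_int(parts[3]), mac_to_int(wildcard)))
    return aces

def evaluate(aces: list[MacAce], src_mac: str) -> str:
    """The first matching entry decides; an unmatched source hits the implicit deny."""
    src = mac_to_int(src_mac)
    for ace in aces:
        if ace.matches(src):
            return "permit" if ace.permit else "deny"
    return "deny"

# Constructed sample ACL (not from the thread): one exact host, then a deny for the
# rest of the 0011.2233.xxxx block, then a permit for the wider 0011.22xx.xxxx block.
SAMPLE_ACL = [
    "access-list 702 permit 0011.2233.4455",
    "access-list 702 deny 0011.2233.0000 0000.0000.ffff",
    "access-list 702 permit 0011.2200.0000 0000.00ff.ffff",
]
```

Running evaluate(parse_acl(SAMPLE_ACL), mac) over the addresses you expect on the LAN is a quick way to check that an ACL admits only the intended hosts before binding it with bridge-group input-address-list.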