10-20-2005 05:11 AM - edited 03-03-2019 12:30 AM
Hi :
I have a Cisco 837 router with NAT and DHCP enabled. I want to block a user from using the internet because of a virus issue. What command can I use to control this by MAC address and IP?
Thanks
10-20-2005 05:40 AM
Create an advanced access-list
The link below will provide you with examples
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scacls.htm
10-20-2005 06:06 AM
Hi :
First, thanks for the reply, but an access list will block just the IP address. This will not solve my problem: if the user changes his IP address, he can still access the internet,
and an access list using the MAC address will not work with a Cisco router because it cannot be applied to the Ethernet interface (I don't know!).
Note: I can write a MAC access-list under config mode, but there is no place to apply it under Eth0.
10-20-2005 08:58 PM
Hi
As you have mentioned that you are using DHCP, use an access-list to match the whole address space being used in the DHCP pool, so that if the user changes the IP he still won't be able to access the net.
If you are not using DHCP, you can also match the address space being used in the local LAN in the access-list which you use to block internet access.
AFAIK MAC access-lists work with the Catalyst switches, and I haven't seen any instance of or support for the same in routers.
Regards
10-20-2005 10:38 PM
As per the previous poster here is the link for the mac access list.
10-23-2005 02:05 AM
Hi :
Thanks all for the replies, but my problem is within the pool of IP addresses I created, and even if I use an access-list the user can still change his IP address statically. What I'm trying to say is that I'm dealing with professional users. I want to force them to one IP, and in case they try to change it I can block it.
Note: an access-list will not work with this.
10-23-2005 01:26 PM
How about a combination of a static arp entry on the access switch and statically assigning the same ip to the same MAC address?
Maybe that would work.
Switch config:
mac-address-table static 0000.1234.5678 vlan 1 interface FastEthernet0/1
!
interface FastEthernet 0/1
 switchport port-security maximum 1 vlan access
C837 config:
arp 10.10.10.10 0000.1234.5678 ARPA
!
ip dhcp pool 10.10.10.10
 host 10.10.10.10 255.255.255.0
 client-identifier 0100.0012.3456.78
 default-router 10.10.10.1
 lease infinite
Now it should be just a matter of blocking the ip address 10.10.10.10 in your outbound ACL on the ATM interface (or maybe Dialer interface) on the C837.
Please let me know what you think.
10-23-2005 10:41 PM
Hi:
Thanks tekha for this good solution. I already used this yesterday for controlling the DHCP IPs and it seems to work fine, but now the user I blocked after using this solution is configuring his IP as static on his Windows XP machine. I can still control his static IP with the command you mentioned above (ARP), but only for a while, because if he changes his IP address statically (manually) again, he can still access the internet, because this ARP command blocks per IP, not per MAC address.
Remember, this user is professional.
10-24-2005 05:33 AM
OK, I'm not 100% sure on this one, because I've never tried it out.
But please check this out.
You've already made sure the user cannot change his MAC address, and he will always be assigned the same IP, so the only thing you need now is to make sure he doesn't "steal" another IP address, right?
10-27-2005 09:47 AM
Hi:
The problem is I don't have any managed switch, and yes, what I want is to restrict him so that he cannot steal another address.
Until now he has been using the same MAC address.
Note: the site you gave is for switches, not routers.
10-28-2005 07:48 AM
I'm sorry, I just took it for granted that you would have a Cisco switch behind the router.
Does this mean that the only managed equipment you have is the 800 router?
If it is, I don't really see how we can keep the user from stealing an ip address, sorry:-(.
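The situation the thread ends on (a known MAC address appearing on an IP other than the one reserved for it) can at least be detected from the router's ARP table. The following is an added example, not part of any post in this thread: it parses `show ip arp` output and flags such entries. The sample table is constructed, the reserved pair is taken from the config posted above, and the function names are hypothetical.

```python
import re

# Reserved MAC -> IP pairs, mirroring the static ARP / DHCP host binding
# posted in the thread.
RESERVED = {"0000.1234.5678": "10.10.10.10"}

# Constructed sample of `show ip arp` output (not captured from a real router).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Ethernet0
Internet  10.10.10.10             -   0000.1234.5678  ARPA
Internet  10.10.10.57             3   0000.1234.5678  ARPA   Ethernet0
Internet  10.10.10.23            12   00aa.bbcc.ddee  ARPA   Ethernet0
Internet  10.10.10.24             0   Incomplete      ARPA
"""

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.I | re.M,
)

def parse_arp(text):
    """Return (ip, mac, fixed) per resolved entry; fixed means Age is '-'
    (a static entry or the router's own interface address)."""
    return [(m["ip"], m["mac"].lower(), m["age"] == "-")
            for m in ROW.finditer(text)]

def find_violations(text, reserved):
    """Flag learned (dynamic) entries that contradict the reservations."""
    ip_owner = {ip: mac for mac, ip in reserved.items()}
    findings = []
    for ip, mac, fixed in parse_arp(text):
        if fixed:
            continue  # configured entries are the baseline, not evidence
        if mac in reserved and ip != reserved[mac]:
            findings.append(("mac-moved", mac, ip))   # known MAC, other IP
        elif ip in ip_owner and mac != ip_owner[ip]:
            findings.append(("ip-claimed", mac, ip))  # reserved IP, other MAC
    return findings

if __name__ == "__main__":
    for kind, mac, ip in find_violations(SAMPLE_ARP, RESERVED):
        print(f"{kind}: {mac} seen on {ip}")
```

The `ip-claimed` case only appears when no static ARP entry exists for the reserved address, since a static entry takes the place of a learned one.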