
How to block PC

allaytani
Level 1

Hi :

I have a Cisco 837 router with NAT and DHCP enabled. I want to block a user from using the internet because of a virus issue. What command can I use to control this by MAC address and IP?

Thanks

10 Replies

JonathanUK
Level 3

Create an advanced access-list.

The link below will provide you with examples:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scacls.htm

Hi:

First, thanks for the reply, but an access-list will only block the IP address. This will not solve my problem: if the user changes his IP address, he can still access the internet.

An access-list using the MAC address will not work with the Cisco router because it cannot be applied to the Ethernet interface (I don't know why!!!).

Note: I can write a MAC access-list under config mode, but there is no place to apply it under Eth0.

Hi

As you have mentioned that you are using DHCP, use an access-list that matches the whole address space used by the DHCP pool, so that if the user changes the IP he still won't be able to access the net.

If you are not using DHCP, you can also match the address space used on the local LAN in the access-list you use to block internet access.

AFAIK MAC access-lists work with the Catalyst switches, and I haven't seen any instance of or support for the same in the routers.

Regards

Hi :

Thanks all for the replies, but my problem is within the pool of IP addresses I created. Even if I use an access-list, the user can still change his IP address statically. What I'm trying to say is that I'm dealing with professional users. I want to force them onto one IP, and in case they try to change it I can block it.

Note: an access-list will not work for this.

How about a combination of a static arp entry on the access switch and statically assigning the same ip to the same MAC address?

Maybe that would work.

Switch config:

mac-address-table static 0000.1234.5678 vlan 1 interface FastEthernet0/1
!
interface FastEthernet0/1
 switchport port-security maximum 1 vlan access

C837 config:

arp 10.10.10.10 0000.1234.5678 ARPA
!
ip dhcp pool 10.10.10.10
 host 10.10.10.10 255.255.255.0
 client-identifier 0100.0012.3456.78
 default-router 10.10.10.1
 lease infinite

Now it should be just a matter of blocking the IP address 10.10.10.10 in your outbound ACL on the ATM interface (or maybe the Dialer interface) on the C837.

Please let me know what you think.
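The following is an added, consolidated C837 configuration for the scheme proposed in the post above; it is not tekha's or allaytani's configuration. The interface names (Ethernet0 for the LAN, Dialer0 for the WAN), the pool name USER-PC and the ACL name BLOCK-VIRUS-PC are assumptions; the MAC 0000.1234.5678 and the 10.10.10.0/24 addresses are the sample values already used in the thread. One deliberate difference from the post: the ACL is applied inbound on the LAN interface rather than outbound on the Dialer, because with NAT an outbound ACL on the WAN interface is evaluated after translation and a "deny host 10.10.10.10" would no longer match the private address.

```cisco
! Added example (not from the original post). Assumed names: pool USER-PC,
! ACL BLOCK-VIRUS-PC, interfaces Ethernet0 (LAN) and Dialer0 (WAN).
!
! 1. Pin the IP <-> MAC binding on the router. DHCP always hands this host
!    10.10.10.10, and the static ARP entry stops the router from learning a
!    different MAC for that address.
ip dhcp pool USER-PC
 host 10.10.10.10 255.255.255.0
 client-identifier 0100.0012.3456.78
 default-router 10.10.10.1
 lease infinite
!
arp 10.10.10.10 0000.1234.5678 ARPA
!
! 2. Block that address from reaching the internet. Filtering inbound on the
!    LAN interface sees the traffic before NAT, so the deny can match the
!    private address. Everyone else is still permitted.
ip access-list extended BLOCK-VIRUS-PC
 remark deny the infected host, permit all other LAN users
 deny   ip host 10.10.10.10 any
 permit ip any any
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip access-group BLOCK-VIRUS-PC in
!
! 3. Verification (exec mode):
!    show ip dhcp binding                  - 10.10.10.10 bound to the reservation
!    show arp | include 10.10.10.10        - static entry shows age "-" and 0000.1234.5678
!    show ip access-lists BLOCK-VIRUS-PC   - deny counter increments when the PC tries to go out
```

As the later replies in this thread point out, both the static ARP entry and the ACL key on the IP address, not on the MAC. A user who manually configures a different static address on the PC is no longer matched by either line, which is why the thread ends up needing port security on a managed switch in front of the router to enforce the MAC-to-port binding.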

Hi:

Thanks tekha for this good solution. I already used this yesterday for controlling DHCP IPs and it seems to work fine, but now the user I blocked with this solution is configuring his IP as static on his Windows XP machine. I can still control his static IP with the command you mentioned above (ARP), but only for a while, because if he changes his IP address statically (manually) again, he can still access the internet, since this ARP command blocks per IP, not per MAC address.

Remember, this user is a professional.

OK, I'm not 100% sure on this one, because I've never tried it out.

But please check this out:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a0080476208.html#wp1214775

You've already made sure the user cannot change his MAC address, and he will always be assigned the same IP, so the only thing you need now is to make sure he doesn't "steal" another IP address, right?

Hi:

The problem is I don't have any managed switch, and yes, what I want is to restrict him from stealing another address.

Till now he is using the same MAC address.

Note: the site you gave is for switches, not routers.

I'm sorry I just took it for granted that you would have a Cisco switch behind the router.

Does this mean that the only managed equipment you have is the 800 router?

If it is, I don't really see how we can keep the user from stealing an IP address, sorry :-(.