mac-address access lists

steve.kerr · ‎04-27-2006

I have a single remote device attached to a 1700 sereis router. I need to ensure that if anyone disconnects the device, they can't easily plug anything elses in to the router and hence wanted to use a mac-adddress access list.

I have created an access list as follows:

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.

Can anyone confirm if this is possible on a router or does this only work on a switch?

Bobby Thekkekandam · ‎04-27-2006

How is the interface set up? Are you doing something like L3 IP interface transparent bridging?

if so, you could try something like:

bridge-group 1 input-address-list 700

if not, could you post your interface config?

HTH,

Bobby

*Please rate helpful posts.

steve.kerr · ‎04-27-2006

No, its the Ethernet local LAN interface of a routed link so no bridging going on.

Config below:

interface FastEthernet0

description Mufulira Post Office Post Office LAN

ip address xxx.xxx.xxx.xxx 255.255.255.248

ip access-group 120 in

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

speed auto

full-duplex

no cdp enable

IP access lst 120 defines just a single host allowed in to a group of servers.

I'm having to tie everything down as much as possible as its for a remote ATM on the end of a Wireless backhaul link and our Risk people are trying to insist that we use mac address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.