block mac based system to access internet

Amit23
Level 4

I have a network in which users are getting IP addresses from a DHCP server that is a Windows server.

I want to block some users from accessing the internet by using their device MAC address.

I have these devices in my network...

2921 Cisco CME router

Cisco 2960 switches

Cisco 892 internet router

internet ADSL that is connected with the Cisco 892...

wireless AP 1142...

I have no firewall or any ASA...

Please tell me how I can block some users from accessing the internet while they can still access the internal network...

for file sharing and printing...

Warm Regards,
Amit Sharma
19 Replies

Yes sir!

I agree with your points, but this network is small and limited to users... so I think I can go with the solution in this message..

Let me try, and if it works... then I will update you back...

But I have different IPs in the same subnet, as mentioned:

172.16.100.50/24

172.16.100.59/24

172.16.100.78/24

172.16.100.88/24

Then how can I apply an ACL on my 892 router?

Warm Regards,
Amit Sharma

HOW TO BLOCK A MAC ADDRESS TO THE INTERNET ON A PRIVATE NETWORK.

I'm looking at the same issue for a client. Security and disclosure issues.

Trust me, a difficult model to manage, especially in a large node network. Hardware swaps etc.

I may be schooled by others who have a bit more experience with Cisco. I won't cry.

Not a one-man job unless about 25 nodes or less.

A:) I would set up a MAC address translation table to a specific range of IP addresses. On the higher range.

B:) For hacking purposes, I would be a little worried about a spoofed MAC address, so I would enforce a legit MAC address to access my network and have most set up with static IPs to be able to trace activity on my network. Who did what. To create a random spoofed MAC address that works in this model is really hard.

C:) If authenticating on a Windows Server I would impose Domain Group Policy. That will be a real user-based control model.

That is the router.

Then you have the firewall. Same concept, but you can open and close access to outside IPs and lock down the network further, i.e. access to a corporate cloud server only, no ifs, ands or buts.

Then, once again, you have issues of sharing user IDs and passwords. But your fallback would be on the MAC address.

And a big plus is IP logging to see who did what via reporting.

On Facebook all day? Or worse...... chat sites, video, etc.

Almost fail-safe.

Just 30 yrs of network experience.

Novell server, Windows networking, Linux, Windows Server, Unix, Token Ring, 10 Base-T Coax, 10 Base CAT-5, 100 base, 1Gb, Fiber.

I'm also a Tier III help desk support specialist. Custom servers, RAID-5, RAID-10, off-site backup, redundant off-site servers. Disaster recovery.

You name it, been there, done it. etc., etc.

Take it or leave it.

Just my 2 cents.

I do contract work and consultation.

423-755-1358

If you are not willing to push yourself.
I'd suggest you outsource the task or find a new recruit.
Life of a network engineer is not easy and smooth all the time.
Learn to push yourself.

Amit,
If the staff is over-smart, I'd suggest you use the following technologies to fulfil your requirement.
1) Port security <- No new MAC addresses can be added to the switchport.
2) DHCP reservation <-- On the DHCP server.
3) ACL <- Block access to the internet.

Done...

Regards,
Moses.
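As an added configuration example (not from any post in this thread and not Cisco's own documentation), the following puts Amit's question about the four reserved addresses together with the three steps Moses lists. It assumes the Windows DHCP server already reserves each blocked user's MAC to one of the listed addresses, that the 892's LAN side is the Vlan1 SVI on 172.16.100.1/24, that every internal network (including anything behind the 2921 CME router) falls inside 172.16.0.0/16, that the blocked user's port on the 2960 is FastEthernet0/10, and that 0011.2233.4455 is a placeholder MAC, not a real device.

```cisco
! ===== Cisco 892 (internet router): IP ACL on the LAN interface =====
! The ACL matches IP addresses, not MACs; the DHCP reservation is what ties
! each MAC to the address listed here. Assumed interface names and addressing.
ip access-list extended BLOCK-INTERNET
 remark Internal traffic (file servers, printers, CME, other 172.16.x subnets) stays allowed
 permit ip 172.16.100.0 0.0.0.255 172.16.0.0 0.0.255.255
 remark Hosts that must not reach the internet (addresses from Amit's DHCP reservations)
 deny   ip host 172.16.100.50 any
 deny   ip host 172.16.100.59 any
 deny   ip host 172.16.100.78 any
 deny   ip host 172.16.100.88 any
 remark Everyone else keeps internet access
 permit ip any any
!
interface Vlan1
 description LAN 172.16.100.0/24 (assumed LAN SVI on the 892)
 ip address 172.16.100.1 255.255.255.0
 ip access-group BLOCK-INTERNET in
!
! ===== Cisco 2960 (access switch): port security on the blocked user's port =====
! Pins the reserved MAC to the port so the user cannot swap in another device
! (and so pick up a different, unblocked DHCP lease) on that same port.
interface FastEthernet0/10
 description user port for 172.16.100.50 (assumed port)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! ===== Verification =====
! show access-lists BLOCK-INTERNET          <- deny lines should accumulate hit counts
! show port-security interface FastEthernet0/10
```

Applying the ACL inbound on the LAN interface leaves same-subnet traffic untouched, because file sharing and printing between 172.16.100.x hosts never transits the router; only traffic leaving the subnet is evaluated, and the first permit keeps every internal destination reachable. The gap in this model is the one the earlier post raises: the ACL trusts the IP address, so a user who sets a static address outside the four listed ones is no longer matched by a deny line. Enabling DHCP snooping on the 2960 and `ip verify source` (IP Source Guard) on the user ports closes that, since the switch then drops traffic from any source address that does not match the DHCP-assigned one.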

Peter,

You have the correct concept, but I do not know enough to guide him. A hardware/firmware solution or an OS solution. I gave him both.

I basically said the same as you did, but maybe explaining a bit more logic and concept behind my thought process.

Good call! But sometimes users need open access and others very limited.

Two pools on router and firewall with Domain Group Policy for controlled access is the most secure option.

Amit,

After reading further what you are dealing with, without a firewall you cannot get to where you want to be. The router is not able to offer port or IP restrictions. Not positive, but that is what I suspect.

Using ACLs on your router I do not think will work. Just use your server to authenticate the user and use Group Policy. Your Windows server will be your firewall. No investment in a firewall. Just configuration time. 25 nodes is basic stuff.

Group Policy on a Windows Server is a bitch to learn, but once you get it, you have a good leg up on the rest of the IT world.

Management and maintenance using GP will save you a lot of time in the long run.
