Cisco Support Community
Community Member

Block MAC-based systems from accessing the internet

I have a network in which users get their IP addresses from a DHCP server that is a Windows server.

I want to block some users from accessing the internet by using their device MAC addresses.

I have these devices in my network...

2921 Cisco CME router
Cisco 2960 switches
Cisco 892 internet router
Internet ADSL connected to the Cisco 892...
Wireless AP 1142...

I have no firewall or any ASA...

Please tell me how I can block some users from accessing the internet while they can still access the internal network for file sharing and printing...

Warm Regards,
Amit
19 REPLIES
VIP Purple

block mac based system to access internet

That's not that easy to achieve ...

If there are not that many devices that need this special treatment, then I would go the following way:

1) On your DHCP server configure a reservation for these devices so that they get an IP from a reserved IP range (align the range on subnet boundaries).

2) On your Internet-Router, configure an ACL that denies the traffic from this range to the internet or even completely (as desired).

This will only work if your users are not so savvy to change their MAC-addresses to something that is not in your reserved DHCP-Pool.

The technically better way could be to deploy port-based authentication (802.1X) based on MAC addresses. But that is more complex than the DHCP solution.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Community Member

block mac based system to access internet

How can I reserve my MAC with a specified IP address from the DHCP pool, and how do I then block that reserved address from accessing the internet?

Warm Regards,
Amit

block mac based system to access internet

Here is your example and an idea that is better documented (easily documented):

http://cauew.blogspot.ie/2008/08/vacl-vlan-maps-mac-acl.html

Alessio

VIP Purple

Re: block mac based system to access internet

I don't think that the 2960 supports VACLs ...


Re: block mac based system to access internet

Hi Karsten,

MAC filter was the idea and that can be applied. However, that is what Peter found out some time ago:

https://supportforums.cisco.com/thread/2095823

Alessio

Cisco Employee

block mac based system to access internet

Hello Alessio,

You have quite an overview! Yes, indeed - the 2960 Catalysts appear to unofficially support VACLs with the most recent IOS versions. I haven't had any more word from Cisco on that but I guess that once they got it running, they're probably not going to throw this functionality away.

Blocking IP traffic based on MAC addresses is generally difficult on recent Catalyst switches. This is because a MAC ACL applies only to non-IP traffic. In other words, you cannot use a MAC ACL to filter frames that carry IP packets. This is valid for 2960, 3560 and higher switches. Older switches behaved differently, e.g. the 2950 switch was capable of filtering even IP traffic by a MAC ACL. However, because Sharma has a 2960 switch, MAC ACLs or VACLs are not an option for him to filter IP traffic based on MAC addresses.

Remember that if you filter these guys' access to the internet, the ACL direction should possibly be out:

ip access-group acl_number out

Ummm, this would not work, sadly, for two reasons:

  • You cannot refer to a MAC ACL using the ip access-group command. You need to use mac access-group instead.
  • Low-end Catalysts like the 2960 support only the in direction for port ACLs. The out direction is not available.

I do not think that the router supports MAC ACLs at all.

In my personal opinion, the correct solution should be:

  • Assign all IP addresses from the DHCP server based on clients' MAC addresses (a static binding on the DHCP server making sure that a single MAC address always gets the same IP address)
  • On the 2960, use the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard to prevent stations from stealing and/or spoofing their IPs or MAC addresses.
  • Perform further filtering based on IP addresses, as the steps above will ensure a 1:1 IP:MAC mapping.

Would this be an acceptable solution for you, Sharma?

Best regards,

Peter
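Peter's three steps written out as configuration for the 2960, as an added example that is not configuration from this thread. It assumes the user VLAN is 100 (the VLAN Karsten's ACL later attaches to), access ports Gi0/1-24, the uplink towards the 892 and the Windows DHCP server on Gi0/25, and a printer with a manually configured address on Gi0/24; the MAC and IP addresses in it are made up. The reservations themselves live on the Windows DHCP server (in the DHCP console, or on Server 2012 and later with the Add-DhcpServerv4Reservation cmdlet of the DhcpServer PowerShell module); the switch side only makes sure a user cannot deviate from what the reservation hands out.

```cisco
! Added example, not from the original thread. Assumes user VLAN 100,
! access ports Gi0/1-24, uplink to the 892 / DHCP server on Gi0/25.
!
! 1) DHCP snooping: only the trusted uplink may send DHCP server replies, and
!    the switch records an IP:MAC:VLAN:port binding for every lease it forwards.
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping database flash:snooping.db
! The switch inserts option 82 by default; many DHCP servers (Windows DHCP
! among them) discard requests carrying option 82 with giaddr 0.0.0.0, so
! insertion is turned off here.
no ip dhcp snooping information option
!
! 2) Dynamic ARP Inspection: ARP packets whose sender IP:MAC pair is not in the
!    snooping binding table are dropped, so nobody can answer for another IP.
ip arp inspection vlan 100
!
! 3) IP Source Guard on every access port: packets whose source IP does not
!    match the binding learned for that port are dropped. Sticky port security
!    with a maximum of one address pins the MAC to the port as well, so a
!    changed or second MAC causes a violation instead of a new lease.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
 spanning-tree portfast
!
interface GigabitEthernet0/25
 description uplink to 892 router and Windows DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! A device with a manually configured address (printer, file server) never
! obtains a snooping binding; without a static one IPSG and DAI drop it.
! Made-up MAC and IP for the printer on Gi0/24:
ip source binding 0011.2233.4455 vlan 100 172.16.100.10 interface GigabitEthernet0/24
```

`show ip dhcp snooping binding` lists the learned IP:MAC:port triples, `show ip verify source` shows which filter is active on each port, and `show ip arp inspection statistics vlan 100` and `show port-security interface GigabitEthernet0/1` show drops and violations. `ip verify source port-security` would additionally check the source MAC against the binding, but on these platforms it depends on option 82 being inserted and accepted by the DHCP server, which is why the example pins the MAC with sticky port security instead. None of this stops someone who unplugs the PC and connects another device with a cloned MAC to the same port; that is the case 802.1X, mentioned earlier in the thread, is for.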

Community Member

block mac based system to access internet

Dear friends...

Is there any other way that can be used to block these MAC-address-based users from accessing the internet....?

Warm Regards,
Amit
VIP Purple

Re: block mac based system to access internet

You want more possibilities? 

1) What about forcing the users to access the internet through a proxy and authenticate them there? That will help if you want to restrict certain users from accessing the internet and not only users of particular PCs.

2) If you have a flat network, you could remove the default-gateway from the machines that shouldn't go to the internet.

Both solutions can only work if your users don't have admin-rights on their PCs.


Community Member

Re: block mac based system to access internet

Dear Guys...

I don't have a proxy in my network.....

So if I remove the gateway from my end-user PCs, will they still be able to access other systems and internal resources within the network?

If not, then how can I solve this issue?

If I assign IPs from DHCP and exclude those addresses from DHCP, and after that apply an ACL to block those addresses from going to the internet...

Would this work, and where do I apply and define the ACL?

Warm Regards,
Amit
VIP Purple

Re: block mac based system to access internet

So if I remove the gateway from my end-user PCs, will they still be able to access other systems and internal resources within the network?

Only the resources in their own subnet. In your config there are two static routes to the networks 172.16.0.0 and 172.16.110.0. For these networks the PCs would also need static routes.

If I assign IPs from DHCP and exclude those addresses from DHCP, and after that apply an ACL to block those addresses from going to the internet...

Would this work, and where do I apply and define the ACL?

Let's assume your restricted users all get IPs in the range 172.16.100.225-172.16.100.254. Then your router config needs this addition:

object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0

ip access-list extended INTERNAL-IN
  permit ip any object-group RFC1918
  deny ip 172.16.100.224 0.0.0.31 any
  permit ip any any

interface Vlan100
  ip access-group INTERNAL-IN in

With this config all traffic entering your router on the inside interface is filtered by the ACL INTERNAL-IN. If you later add another internal subnet or VPN to your router, these will probably use IPs from the RFC1918-range, so that traffic is allowed. Then the restricted PCs are not allowed to go anywhere. The rest is again allowed.


Community Member

Re: block mac based system to access internet

Dear Sir,

I have around 10-20 users in the range of the 172.16.100.0/24 subnet...

I don't want to block all users, but limited users, such as:

172.16.100.50
51
55
80
90
110
134
155
188

IP addresses like these need to be blocked from the internet but not from internal network access to other devices such as the printer, file server and other systems...

How can I do this?

Warm Regards,
Amit
VIP Purple

Re: block mac based system to access internet

You have to give these users a reserved IP in the given range. Or in any range you want. Then you have to adjust the ACL.


Community Member

Re: block mac based system to access internet

OK sir!

But if I give them IP addresses in the same range, as..

172.16.100.50-70/24

then can I apply the ACL as you mentioned in the message above?

thanks

Warm Regards,
Amit
VIP Purple

Re: block mac based system to access internet

Then your ACL has to be written in a different way, which is less flexible if you later add other networking devices to your network:

object-group network RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0

object-group network NO-INTERNET
  range 172.16.100.50 172.16.100.70

ip access-list extended INTERNAL-IN
  permit ip any object-group RFC1918
  deny ip object-group NO-INTERNET any
  permit ip any any

interface Vlan100
  ip access-group INTERNAL-IN in

It's better to have the reserved addresses on a subnet boundary (.32-.63 or .64-.91 or something like that).


Community Member

Re: block mac based system to access internet

Yes sir!

I agree with your points, but this network is small and limited in users, so I think I can go with the solution in this message..

Let me try it, and if it works, I'll update you back...

But I have different IPs in the same subnet, as mentioned:

172.16.100.50/24
172.16.100.59/24
172.16.100.78/24
172.16.100.88/24

Then how can I apply the ACL on my 892 router?

Warm Regards,
Amit
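For scattered addresses like the four above, the object-group can list single hosts, so Karsten's ACL itself needs no change. The following is an added example and not configuration posted in the thread; it assumes, as the earlier reply does, that the 892's inside interface is Vlan100, and that the four addresses are reservations on the DHCP server. Object groups in ACLs require IOS 12.4(20)T or newer on the router.

```cisco
! Added example, not from the thread. Same INTERNAL-IN ACL as in Karsten's
! reply; only the membership of NO-INTERNET changes. Single hosts are listed
! with "host", contiguous blocks with "range", so adding or removing a user
! means editing the group, never the ACL.
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
object-group network NO-INTERNET
 host 172.16.100.50
 host 172.16.100.59
 host 172.16.100.78
 host 172.16.100.88
!
ip access-list extended INTERNAL-IN
 remark internal-to-internal traffic: file server, printers, other subnets, VPN
 permit ip any object-group RFC1918
 remark restricted hosts: nothing beyond the RFC1918 ranges
 deny ip object-group NO-INTERNET any log
 remark everyone else may reach the internet
 permit ip any any
!
interface Vlan100
 ip access-group INTERNAL-IN in
```

Entries are matched top down and the first match wins, so the permit towards RFC1918 must stay above the deny or the restricted hosts lose the file server as well. The ACL only sees traffic that reaches the router: sharing with a printer or PC in the same 172.16.100.0/24 subnet is switched by the 2960 and is never affected by it. The `log` keyword on the deny produces a rate-limited syslog message per blocked flow, which is handy while testing and worth removing afterwards; `show ip access-lists INTERNAL-IN` shows the hit counters and `show object-group` the expanded membership. A restricted host configured to use a public DNS resolver loses name resolution too; pointing it at the internal Windows DNS server keeps that working.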
Community Member

Re: block mac based system to access internet

HOW TO BLOCK A MAC ADDRESS FROM THE INTERNET ON A PRIVATE NETWORK.

I'm looking at the same issue for a client. Security and disclosure issues.

Trust me, a difficult model to manage, especially in a large-node network. Hardware swaps, etc.

I may be schooled by others who have a bit more experience with Cisco. I won't cry.

Not a one-man job unless about 25 nodes or less.

A) I would set up a MAC address translation table to a specific range of IP addresses. On the higher range.

B) For hacking purposes, I would be a little worried about a spoofed MAC address, so I would enforce a legit MAC address to access my network and have most set up with static IPs to be able to trace activity on my network. Who did what. To create a random spoofed MAC address that works in this model is really hard.

C) If authenticating on a Windows Server I would impose Domain Group Policy. That will be a real user-based control model.

That is the router.

Then you have the firewall. Same concept, but you can open and close access to outside IPs and lock down the network further, i.e. access to a corporate cloud server only, no ifs, ands or buts.

Then, once again, you have issues of sharing user IDs and passwords. But your fallback would be on the MAC address.

And a big plus is IP logging to see who did what via reporting.

On Facebook all day? Or worse...... chat sites, video, etc.

Almost fail-safe.

Just 30 years of network experience.

Novell server, Windows networking, Linux, Windows Server, Unix, Token Ring, 10Base-T coax, 10Base CAT-5, 100Base, 1 Gb, fiber.

I'm also a Tier III help desk support specialist. Custom servers, RAID-5, RAID-10, off-site backup, redundant off-site servers. Disaster recovery.

You name it, been there, done it. etc., etc.

Take it or leave it.

Just my 2 cents.

I do contract work and consultation.

423-755-1358

Community Member

Re: block mac based system to access internet

If you are not willing to push yourself,
I'd suggest you outsource the task or find a new recruit.
The life of a network engineer is not easy and smooth all the time.
Learn to push yourself.

Amit,
If the staff is over-smart, I'd suggest you use the following technology to fulfill your requirement:
1) Port security <- no new MAC addresses can be added to the switchport.
2) DHCP reservation <- on the DHCP server.
3) ACL <- block access to the internet.

Done...

Regards,
Moses.
Community Member

Re: block mac based system to access internet

Peter;

You have the correct concept, but I do not know enough to guide him. A hardware/firmware solution or an OS solution. I gave him both.

I basically said the same as you did, but maybe explaining a bit more of the logic and concept behind my thought process.

Good call! But sometimes users need open access and others very limited.

Two pools on the router and firewall with Domain Group Policy for controlled access is the most secure option.

Community Member

Re: block mac based system to access internet

Amit;

After reading further into what you are dealing with, without a firewall you cannot get to where you want to be. The router is not able to offer port or IP restrictions. Not positive, but that is what I suspect.

Using ACLs on your router I do not think will work. Just use your server to authenticate the user and use Group Policy. Your Windows server will be your firewall. No investment in a firewall, just configuration time. 25 nodes is basic stuff.

Group Policy on a Windows Server is a bitch to learn, but once you get it, you have a good leg up on the rest of the IT world.

Management and maintenance using GP will save you a lot of time in the long run.
