Filter MAC list on Router with VPN Remote Access

I have a 2811 router that is configured with VPN remote access, and I'm trying to block clients based on their MAC address. I tried configuring the access interface as routing/bridging, configured ACL 750 as a 48-bit MAC address access list and enabled the "bridge-group 1 input-address-list 750" command on the bridged interface, but the only match I get when VPN clients access the LAN is from the router interface.

Internet(VPN)  --->  Router1 (FE 0/1)  --->  Router1 (FE 0/0)  -->  Router2 (FE 0/0)  -->  Router2 (FE 0/1)  -->  LAN

I tried configuring it on the Router1 (FE 0/0) interface and also on the Router2 (FE 0/0) interface, with the same behaviour. Router2 is used for internal NAT.

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
access-list 750 permit d067.e547.83ea   <-- My PC MAC address
access-list 750 permit 001d.a2d0.4810   <-- Router interface MAC address (all matches land here)
access-list 750 deny   0000.0000.0000   ffff.ffff.ffff
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
 bridge-group 1 input-address-list 750
!
interface BVI1
 ip address 192.168.137.1 255.255.255.252
 ip nat inside

Any ideas that could help me get a solution for this would be great.

Thanks,


Peter Paluch
Cisco Employee

Hello,

I am afraid it is not possible to filter VPN clients based on their MAC address, if this is what you are trying to accomplish. The reason is fairly simple - in IPsec or SSL VPN, only IP packets are tunneled and encrypted, not entire Ethernet frames. Therefore, the filtering you have configured cannot see the clients' MAC addresses and has nothing to act upon.

Is there any particular need for filtering the clients based on their MAC?

Best regards,

Peter
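The forwarding path Peter describes, as an added example that is not part of this thread and not Cisco IOS code: a toy Python model of the asker's topology that carries one VPN client packet through an ESP tunnel, has Router1 write a fresh Ethernet header when it forwards onto FE0/0, and then applies the posted access-list 750 to the frame that results. The two MAC addresses are the ones quoted in the original post; the IP addresses, SPI, next-hop MAC and payload are constructed for the demonstration. It shows that the client's MAC exists only on the client's own LAN segment, never inside the tunnel, and that the bridge-group input-address-list matches the router's interface MAC (the second entry) no matter which PC sent the packet.

```python
"""Toy model of the forwarding path in this thread (added illustration).

The tunnel carries IP packets, not Ethernet frames, and Router1 builds a new
Ethernet header (with its own source MAC) when it forwards onto the LAN. A
MAC access list on the bridged LAN interface therefore only ever sees the
router's MAC. MAC values are those quoted in the post; everything else
(IP addresses, SPI, next-hop MAC, payload) is constructed.
"""
import struct
from dataclasses import dataclass

PC_MAC = "d067.e547.83ea"       # asker's PC, permitted by access-list 750
ROUTER_MAC = "001d.a2d0.4810"   # Router1 FE0/0, where every match landed
NEXT_HOP_MAC = "0000.0c11.2233"  # constructed: Router2 FE0/0

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def mac_to_bytes(dotted: str) -> bytes:
    """Cisco dotted triplets ('d067.e547.83ea') to six raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def bytes_to_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    mac: bytes   # 6-byte address
    mask: bytes  # 6-byte wildcard mask; 1 bits are "don't care" (IOS 700-series style)


# access-list 750 exactly as posted, in first-match order
ACL_750 = [
    AclEntry("permit", mac_to_bytes(PC_MAC), bytes(6)),
    AclEntry("permit", mac_to_bytes(ROUTER_MAC), bytes(6)),
    AclEntry("deny", bytes(6), b"\xff" * 6),  # deny 0000.0000.0000 ffff.ffff.ffff
]


def acl_lookup(acl, src_mac: bytes):
    """First matching entry for a frame's source MAC, as input-address-list does."""
    for index, entry in enumerate(acl):
        if all(((a ^ b) & (~m & 0xFF)) == 0
               for a, b, m in zip(src_mac, entry.mac, entry.mask)):
            return entry.action, index
    return "deny", None  # implicit deny at the end of the list


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since nothing checks it here."""
    def ip(s):
        return bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, ip(src), ip(dst))


def ethernet_frame(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vpn_client_sends(client_mac: bytes):
    """Return (frame on the client's own LAN, ESP-tunnelled packet on the Internet).

    Only the second one ever reaches Router1. Real ESP carries ciphertext; the
    inner packet is left in clear here because only the layering matters.
    """
    inner_payload = b"GET /report HTTP/1.0\r\n"  # constructed
    inner = ipv4_header("10.8.0.5", "192.168.137.2", IPPROTO_TCP,
                        len(inner_payload)) + inner_payload
    esp = struct.pack("!II", 0x0000ABCD, 1) + inner   # SPI, sequence, inner IP packet
    outer = ipv4_header("203.0.113.10", "198.51.100.1", IPPROTO_ESP, len(esp)) + esp
    # the client's own Ethernet header only travels to the client's local gateway
    local_frame = ethernet_frame(client_mac, mac_to_bytes("0000.0c00.0001"), outer)
    return local_frame, outer


def router1_forwards_to_lan(tunnelled: bytes) -> bytes:
    """Strip outer IPv4 + ESP header, then write a brand-new Ethernet header for FE0/0."""
    inner = tunnelled[20 + 8:]   # 20-byte outer IP header, 8-byte ESP header
    return ethernet_frame(mac_to_bytes(ROUTER_MAC), mac_to_bytes(NEXT_HOP_MAC), inner)


def contains_mac(blob: bytes, mac: str) -> bool:
    return mac_to_bytes(mac) in blob


def simulate(client_mac: str = PC_MAC) -> dict:
    """Run one client packet through the path and report what the MAC ACL sees."""
    local_frame, tunnelled = vpn_client_sends(mac_to_bytes(client_mac))
    lan_frame = router1_forwards_to_lan(tunnelled)
    src_seen = lan_frame[6:12]   # source MAC field of the frame on FE0/0
    action, index = acl_lookup(ACL_750, src_seen)
    return {
        "client_mac_on_home_lan": contains_mac(local_frame, client_mac),
        "client_mac_in_tunnel": contains_mac(tunnelled, client_mac),
        "lan_frame_src_mac": bytes_to_mac(src_seen),
        "acl_action": action,
        "acl_entry_index": index,
    }


if __name__ == "__main__":
    for mac in (PC_MAC, "aaaa.bbbb.cccc"):   # the permitted PC and an unknown one
        print(mac, simulate(mac))
```

Running it prints the same result for both MACs: the client MAC is present on the home LAN frame, absent from the tunnelled packet, and the frame that reaches the bridge-group carries 001d.a2d0.4810 as its source, so the access list hits its second entry every time. That is exactly the symptom in the original post, and it is why the third (deny) entry can never distinguish one VPN client from another.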

Hello Peter,

Thanks for your detailed answer; that is bad news for my requirement. Our customer needs to implement this policy because their business needs the highest security, so that whoever is logging in via the VPN client is an authorized user and PC; it is limited access to a server only from specific users and MAC addresses.

Any other idea how I can solve this?

Thanks again,

Juan Carlos

Hello Juan Carlos,

MAC addresses are easily spoofed. Basing the security policy on MAC addresses is not a good idea in my opinion, as it does not provide any real increase in security.

I think that a possible way would be to use certificates issued for either users or PCs. However, I am not experienced enough with that. You should probably ask this question in the Security/VPN section - it is my sincere hope that the experts in that section will be able to help you better.

Best regards,

Peter

Ok Peter, you're right, I agree with you; certificates are the best way to do this. I'll have to read about it. I just wanted to give it a try; it didn't work, but I learned something new today.

Thanks,
