Cisco 1700 series router

In conf t mode the menu says for mac-addr list use 700-799
Ok this is no problem, but when I go to the serial or fast ethernet interfaces I cannot see in the menus any command for assigning the mac-addr access-group to the interface.
There are menus for Ip & IPX but none for mac-addr.

Any ideas ?

 

Not sure you can. MAC address acls tend to be used for fairly specific things in IOS- Lots of the old IBM interoperability bits like DLSW, bridging etc.

I'll have a dig around.

Deano

 

You might be able to achive the same affect by applying some QoS policys. You can filter on MAC address for these so may be able to give a "no traffic" policy to that MAC address

How badly do you need to filter on MAC and not IP ? (and what IOS ver ?)

Deano

 

Cant remember the software ver

The routers are being sent out to a 3rd party to access our network - we have our own firewall
the users wanted to tie it down to mac - they reckoned it is more secure than IP addresses.

My main point though is that if it is unsupported in the IOS how come you can define the access-list in conf t mode
The problem is i cannot see a way in the interface mode to apply the access-group to the interface

 

Just had a look at this. I think that the MAC Address Access list 700-799 can only be used when using lex interfaces, source route bridging on token ring and normal bridging on ethernet.

What are you trying to do?

Si

 

If you want to control who has access to the network then you can implement IOS Firewall Authentication proxy. As already mentioned by Deano you can also do the MAC address stuff using CAR.

Link for CAR stuff http://www.cisco.com/univercd/cc/td/...fcar.htm#38068

Link for IOS Firewall stuff
http://www.cisco.com/univercd/cc/td/...2/iosfw2_1.htm

Si

[Edited by SiCotty - 6/21/2002 10:18:51 AM]

 

Its there because they can be used elsewhere. I've used them to filter DLSW conversations in the past.

Not entirely sure why anyone would consider MAC address to be more secure than IP. Most Network drivers let you reconfigure a MAC address almost as easily as you can change the ip address these days.

Deano

 

NDIS spec states that you can spoof the mac address (or something similar) it is simply a registry key to change on nt server..

this is how compaq do it anyway...

Mac certainly aint secure anymore..

Set each machines mac to the same as the default gateway

David

 

It was the user that had specifically asked for mac-addr to be used.
Yeah it is true some addresses can be changed - I have now set up the lists using IP addresses. Makes it easier for us, we can tell the user what IP addresses to use intead of them telling us what mac-addr they have.