
Cisco router - access list using mac_addr

Old 20 June 2002, 08:12 PM
  #1  
shug

Cisco 1700 series router

In conf t mode the menu says for mac-addr list use 700-799.
OK, this is no problem, but when I go to the serial or fast ethernet interfaces I cannot see in the menus any command for assigning the mac-addr access-group to the interface.
There are menus for IP & IPX but none for mac-addr.

Any ideas?

Old 20 June 2002, 10:16 PM
  #2  
dsmith

Not sure you can. MAC address ACLs tend to be used for fairly specific things in IOS: lots of the old IBM interoperability bits like DLSW, bridging etc.

I'll have a dig around.

Deano
Old 20 June 2002, 10:32 PM
  #3  
dsmith

You might be able to achieve the same effect by applying some QoS policies. You can filter on MAC address for these, so you may be able to give a "no traffic" policy to that MAC address.

How badly do you need to filter on MAC and not IP? (And what IOS ver?)

Deano
Old 20 June 2002, 11:08 PM
  #4  
shug

Can't remember the software ver.

The routers are being sent out to a 3rd party to access our network - we have our own firewall.
The users wanted to tie it down to MAC - they reckoned it is more secure than IP addresses.

My main point though is that if it is unsupported in the IOS, how come you can define the access-list in conf t mode?
The problem is I cannot see a way in the interface mode to apply the access-group to the interface.
Old 21 June 2002, 10:06 AM
  #5  
SiCotty

Just had a look at this. I think that the MAC Address Access list 700-799 can only be used when using lex interfaces, source route bridging on token ring and normal bridging on ethernet.

What are you trying to do?

Si
Old 21 June 2002, 10:17 AM
  #6  
SiCotty

If you want to control who has access to the network then you can implement IOS Firewall Authentication proxy. As already mentioned by Deano you can also do the MAC address stuff using CAR.

Link for CAR stuff http://www.cisco.com/univercd/cc/td/...fcar.htm#38068

Link for IOS Firewall stuff
http://www.cisco.com/univercd/cc/td/...2/iosfw2_1.htm

Si

[Edited by SiCotty - 6/21/2002 10:18:51 AM]
Old 21 June 2002, 10:36 AM
  #7  
dsmith

It's there because they can be used elsewhere. I've used them to filter DLSW conversations in the past.

Not entirely sure why anyone would consider MAC address to be more secure than IP. Most network drivers let you reconfigure a MAC address almost as easily as you can change the IP address these days.

Deano
Old 21 June 2002, 10:56 AM
  #8  
David_Wallis

NDIS spec states that you can spoof the MAC address (or something similar); it is simply a registry key to change on NT Server.

This is how Compaq do it anyway...

MAC certainly ain't secure anymore.

Set each machine's MAC to the same as the default gateway.

David
Old 21 June 2002, 06:25 PM
  #9  
shug

It was the user that had specifically asked for mac-addr to be used.
Yeah, it is true some addresses can be changed - I have now set up the lists using IP addresses. Makes it easier for us, we can tell the user what IP addresses to use instead of them telling us what mac-addr they have.
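
The difference discussed in the thread, as an added configuration sketch that is not part of any post above: a 700-799 MAC address list only attaches where the router bridges frames, while a routed interface takes an IP list through `ip access-group`. All addresses, list numbers, the bridge group number and the interface names are constructed placeholders, and the bridging commands assume an IOS image that includes transparent bridging.

```cisco
! Constructed example: every address, number and interface name below
! is a placeholder. Sections 1 and 2 are alternatives, not one config.
!
! 1) MAC address list (700-799). It can be defined in global config,
!    but a routed interface has no access-group command to attach it.
!    Format: access-list <700-799> {permit|deny} <mac> <mask>
!    (mask bits set to 1 are "don't care").
access-list 700 permit 0000.0c12.3456 0000.0000.0000
access-list 700 deny   0000.0000.0000 ffff.ffff.ffff
!
!    It takes effect only on bridged traffic, e.g. transparent
!    bridging. Routed IP packets are never checked against it.
bridge 1 protocol ieee
!
interface FastEthernet0
 bridge-group 1
 bridge-group 1 input-address-list 700
!
! 2) The approach the thread ends on: an IP extended list applied to
!    the routed interface facing the third party. The final deny is
!    implicit anyway; writing it with "log" makes rejected packets
!    visible in the router log.
access-list 101 permit ip host 192.0.2.10 any
access-list 101 permit ip host 192.0.2.11 any
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
```

`show access-lists` displays the lists as configured, along with match counters for the IP list.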