Cisco router - access list using mac_addr
#1
Cisco 1700 series router
In conf t mode the menu says for mac-addr list use 700-799
Ok this is no problem, but when I go to the serial or fast ethernet interfaces I cannot see in the menus any command for assigning the mac-addr access-group to the interface.
There are menus for IP & IPX but none for mac-addr.
Any ideas ?
#2
Not sure you can. MAC address ACLs tend to be used for fairly specific things in IOS: lots of the old IBM interoperability bits like DLSW, bridging etc.
I'll have a dig around.
Deano
#3
You might be able to achieve the same effect by applying some QoS policies. You can filter on MAC address for these, so you may be able to give a "no traffic" policy to that MAC address.
How badly do you need to filter on MAC and not IP ? (and what IOS ver ?)
Deano
#4
Can't remember the software ver.
The routers are being sent out to a 3rd party to access our network - we have our own firewall.
The users wanted to tie it down to MAC - they reckoned it is more secure than IP addresses.
My main point though is that if it is unsupported in the IOS, how come you can define the access-list in conf t mode?
The problem is I cannot see a way in the interface mode to apply the access-group to the interface.
#5
Just had a look at this. I think that the MAC Address Access list 700-799 can only be used when using lex interfaces, source route bridging on token ring and normal bridging on ethernet.
What are you trying to do?
Si
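The bridging case mentioned in the post above, as an added example that is not part of the original thread: a 700-799 list is attached with a bridge-group filter rather than an `access-group` command. The MAC address, bridge number and interface name are constructed placeholders, and the commands assume an IOS image that includes transparent bridging.

```cisco
! Constructed example: address, bridge number and interface are placeholders.
! MAC address list (700-799): source address followed by a wildcard mask.
access-list 700 permit 0000.0c12.3456 0000.0000.0000
! Every other source MAC hits the implicit deny at the end of the list.
!
bridge 1 protocol ieee
!
! The list is applied as an input filter on the bridge group.
interface FastEthernet0
 bridge-group 1
 bridge-group 1 input-address-list 700
```

The filter only sees frames the router bridges; packets it routes are not checked against this list.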
#6
If you want to control who has access to the network then you can implement IOS Firewall Authentication proxy. As already mentioned by Deano you can also do the MAC address stuff using CAR.
Link for CAR stuff http://www.cisco.com/univercd/cc/td/...fcar.htm#38068
Link for IOS Firewall stuff
http://www.cisco.com/univercd/cc/td/...2/iosfw2_1.htm
Si
[Edited by SiCotty - 6/21/2002 10:18:51 AM]
#7
It's there because they can be used elsewhere. I've used them to filter DLSW conversations in the past.
Not entirely sure why anyone would consider MAC address to be more secure than IP. Most network drivers let you reconfigure a MAC address almost as easily as you can change the IP address these days.
Deano
#8
NDIS spec states that you can spoof the MAC address (or something similar); it is simply a registry key to change on NT Server.
This is how Compaq do it anyway...
MAC certainly ain't secure anymore.
Set each machine's MAC to the same as the default gateway
David
#9
It was the user that had specifically asked for mac-addr to be used.
Yeah, it is true some addresses can be changed - I have now set up the lists using IP addresses. Makes it easier for us: we can tell the user what IP addresses to use instead of them telling us what mac-addr they have.