
Allow Specific Mac Addresses 2


MattSavage

IS-IT--Management
Aug 20, 2003
Is it possible to specify a list of mac addresses that are allowed to access the router, and prevent all others from doing so? Right now our Cisco 1760 is running as a DHCP server, so if anyone came into our office and plugged in a laptop, they would have access (although very limited) to our network. I would like to prevent this scenario if possible. Can I specify this in the Cisco Firewall settings?
 
Aren't there switches between the router and the RJ45 outlets? Normally this is done on the switch.

e.g.:

As if that weren’t enough, it may also be advisable to secure ports
associated with key devices such as routers and firewalls by hard coding
their MAC addresses into the switch configuration. This way, any port
that tries to usurp the secured MAC address will also be disabled as a
security violation.
mac-address-table secure AAAA.BBBB.CCCC fastethernet 0/1
mac-address-table secure AAAA.BBBB.CCCC fastethernet 0/2
As stated previously, private VLANs offer some level of protection but it is
felt that the methods used above are sufficiently restrictive to reduce the
need for intra-VLAN separation.

I don't know about MAC addresses on routers, but can't it be done with extended access lists?
 
"can't it be done with extended access lists?"

That is what I would like to know. I tried using access-list 700, for instance:

! Type 700 (standard MAC) ACL: "address mask"; mask bits set to 1 are ignored,
! so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any source MAC
access-list 700 deny abcd.abcd.abcd 0000.0000.0000
access-list 700 permit aaaa.aaaa.aaaa ffff.ffff.ffff

interface fastethernet0/0
 bridge-group 1 input-address-list 700
 bridge-group 1


However, this did nothing for me, and the MAC address I tried to deny still had access.

I would also consider using the DHCP server on the Cisco router to bind addresses to MAC addresses, but I am really not sure how to do this.
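The configuration below is an added example written for this thread, not the original poster's config or anything from Cisco's documentation. It assumes a Cisco IOS router such as the 1760 with FastEthernet0/0 facing the office LAN; the interface names, MAC addresses and IP addresses are placeholders. It shows the two things the post above asks about: a type 700 MAC access list applied as a bridge-group input-address-list, and a DHCP pool that reserves an address for a known MAC. One thing to check when an input-address-list seems to do nothing is that these filters only see frames the router actually bridges; if the physical interface carries the IP address and routes IP directly, LAN IP traffic never enters the bridge group and the filter is bypassed. Putting the IP address on a BVI (integrated routing and bridging) makes LAN frames pass through the bridge, where the MAC filter can act.

```cisco
! Added example (not the original poster's config). Assumed: Cisco IOS on a
! 1760, FastEthernet0/0 facing the LAN, IRB in use. MACs and IPs are placeholders.
!
! Enable bridging with IRB so IP from the LAN is bridged to BVI1 and routed
! there; this is what makes the bridge-group address filter see the traffic.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Type 700 ACL: "address mask", where mask bits set to 1 are wildcards.
! 0000.0000.0000 = exact match. Entries are read top-down and the list ends
! with an implicit deny, so list the permitted hosts and let all others drop.
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
! DHCP reservation: one pool per host, keyed on the hardware (MAC) address.
! This pins an address to a MAC; it does not by itself keep an unknown host
! off the wire, which is what the MAC filter above is for.
ip dhcp pool HOST-0011-2233-4455
 host 192.168.1.10 255.255.255.0
 hardware-address 0011.2233.4455
!
! Everyone else still gets a lease from the general pool.
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp pool OFFICE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
```

After applying this, `show access-lists 700` shows per-entry match counters, and `show ip dhcp binding` lists which MAC holds which address, which is a quick way to confirm that the filter is in the traffic path and the reservation is being handed out.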
 
Can you do port security or 802.1x with a router?
That would be a solution.
 
The switch we have is a Dell PowerConnect 2024, which is an unmanaged switch. There is no way to do any port security on this switch. As far as the router (Cisco 1760) goes, that's what I am trying to find out.
 
The router is a layer three device; it doesn't make decisions based on layer two addresses (i.e. MAC addresses).
 
Thanks AdmanOK. So if I were to purchase a managed switch would I be able to do this easily? Any suggestions on a switch?
 
Yup, it's easy on a switch, as I stated above :) You can tell each port which MAC address is allowed on it.
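What "telling each port which MAC address is allowed on it" looks like on a managed Cisco IOS switch, as an added example that is not part of the original post and not a config from any poster here. It assumes a Catalyst-class switch running IOS; the interface names, descriptions and MAC addresses are placeholders. The unmanaged PowerConnect 2024 mentioned earlier cannot do this.

```cisco
! Added example (not from the thread). Assumed: Cisco IOS Catalyst switch;
! interface names and MAC addresses are placeholders.
!
! Fixed MAC on an office port: only this address may send on Fa0/1. A frame
! from any other MAC is a violation and the port is err-disabled.
interface FastEthernet0/1
 description Office desk 1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Sticky learning: the first MAC seen on the port is written into the
! running config, so you do not have to type every address by hand. Save
! with "copy running-config startup-config" so it survives a reload.
interface FastEthernet0/2
 description Office desk 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Uplink to the router: pin the router's MAC so no other device can take
! over that port (the same idea as the quoted mac-address-table secure lines).
interface FastEthernet0/24
 description Uplink to Cisco 1760
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 00aa.bbcc.ddee
 switchport port-security violation shutdown
!
! A port shut down by a violation stays err-disabled until someone does
! "shutdown" / "no shutdown" on it, or until errdisable recovery re-enables it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface FastEthernet0/1` reports the configured and learned addresses plus the violation count, and `show port-security address` lists every secured MAC on the switch; both are worth checking after a new device is plugged in, since a port that went err-disabled looks simply "down" from the user's side.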
 
Thanks N3Xus. I guess the next thing to do is get a managed switch. Any ideas on a good but inexpensive 24-port model?
 
Errmm... it should work that way, I did it, just asking... didn't you forget to make the access-group entry on the interface you want to apply this access-list to?
 
I think the problem is applying the access-list to the interface.

Routers can make decisions based on MAC addresses, although completing the operation from a switch would be easier.

Standard MAC address access lists are numbered 700-799.
Extended MAC address access lists are numbered 1100-1199.

Just try out different options.
 
When would I want to use a standard MAC address access list and when would I use an extended one? This is the first Cisco router I have ever worked with, so I am still in the dark on many aspects.
 
The only difference is that with an extended ACL you can specify more specific traffic, that's all. Extended ACLs can block a certain port, which can't be done by standard ACLs.
 