Mixing of IP and MAC ACLs

vbahuse

Technical User
Sep 20, 2007
I've run into a problem which I'm not sure of how (if possible) to configure.

I have been asked to tighten up some routing / ACL rules on a Catalyst 3560 to only allow authorised computers access to a protected LAN. The inside/protected LAN is vlan1 and uses 192.168.253.0/24 addressing. The outside LAN is vlan2 and is connected to our corporate network on their 10.0.1.0/24, which also has at least one router and multiple vlans.

The first problem is that we have three computers which are sitting on the corporate network which require access to the protected LAN, two have static IPs on the 10.0.1.0/24 network while the other uses dhcp and has been given an address on 10.0.5.0/24 corporate vlan. This third computer currently accesses the protected LAN via a corporate router (to get to the 10.0.1.0/24 network) and then my 3560 (to get to the 192.168.253.0/24 network).

I've tried placing a MAC access-list inbound on the interface connected to the 10.0.1.0/24 network, which works great for blocking any unwanted corporate machines sitting on said network. However any corporate computer sitting on any other vlan, like 10.0.2.0/24 still has full connectivity.

To add to this mess I've been asked to not bother with our corporate IT with requesting any configs from them or asking for a static IP on the third corporate machine mentioned. (I've stated that I may have to request that they provide a static IP on the 10.0.1.0/24 network for this machine but said I would investigate first.)

THE QUESTIONS:

1. Is it possible to MAC filter computers that access my 3560 through another router?

2. Is it possible to combine MAC and IP access-lists in an AND or an OR fashion in the same direction on the same interface?

3. Does anyone have any suggestions regarding my overall problem as described above?

Thanks,

vbahuse
 
Why not permit the three machines by IP address to the protected vlan---the acl can be in the 3560. You can restrict traffic to only those machines by MAC address, either by an acl or by port security on the protected vlan access switchports.

Burt
 
Burt,

One of the machines is using dhcp so I can't filter it by IP, so I figured I could use its MAC but that didn't work as that computer uses the corporate router to get to my 3560 and uses the corporate router's MAC to make the request.

I've stumbled across another method that may work for me called Lock and Key ACLs. I still have a bit of investigation to do regarding the commands to do what I need.

This method would also allow any other computer on our corporate network to obtain temporary access for troubleshooting, monitoring, etc. which would come in handy for myself and a few other engineers.

Do you have any experience with lock and key (dynamic) ACLs? Or am I missing the point of your response and there is a simple way of doing this?

vbahuse
 
Further to my last post I'm trying to modify the dynamic ACL example at to permit only the host which supplied the credentials instead of the entire subnet.

The example at the site does this:

Code:
! local user; the autocommand runs at login and creates the temporary entry
username test password 0 test
username test autocommand access-enable host timeout 10
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
! static entry: lets users telnet to the router to authenticate
access-list 101 permit tcp any 10.1.1.1 eq telnet
! dynamic entry template: 15 minute absolute timeout once created
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line vty 0 4
 login local

It looks to me like this allows anyone on the 10.1.1.0/24 network to access the 172.16.1.0/24 network after the host 10.1.1.2, for instance, telnets to 10.1.1.1 and supplies the username test and password test?

I would like to only allow the specific host which supplied the credentials, i.e. 10.1.1.2 in this example, to have access for up to 15 minutes. Does anyone know if this is possible?
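As an added configuration example (not from the thread or from the site quoted above), here is the same lock-and-key setup written out with the two forms of the access-enable autocommand side by side; addresses are taken from the example above, the interface name is assumed, and no NAT between the corporate router and the 3560 is assumed.

```cisco
! Added example, not the thread's own config. Addresses reuse the
! example above; interface name and absence of NAT are assumptions.
!
! Static entry: users must be able to telnet to the router itself to
! authenticate. "host" is required here, otherwise 10.1.1.1 is read as
! a network address with an implied wildcard.
access-list 101 permit tcp any host 10.1.1.1 eq telnet
!
! Dynamic template. "timeout 15" is an absolute lifetime: the temporary
! entry is removed 15 minutes after creation no matter how busy it is.
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Variant A (network-wide). Without "host", the template is installed
! as written, so once anyone authenticates every 10.1.1.0/24 machine
! can reach 172.16.1.0/24 until the entry expires. Left commented out.
! username test autocommand access-enable timeout 10
!
! Variant B (per-host). With "host", the router replaces the template's
! source with the address the Telnet session came from, so after
! 10.1.1.2 logs in the temporary entry permits only source 10.1.1.2 to
! 172.16.1.0/24. "timeout 10" here is an idle timeout: the entry is
! dropped after 10 idle minutes or at the 15 minute absolute limit,
! whichever comes first.
username test password 0 test
username test autocommand access-enable host timeout 10
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
line vty 0 4
 login local
!
! Why this helps a host behind another router: its source IP survives
! the extra hop (a router forwards the packet but does not rewrite the
! IP source unless it is doing NAT), whereas its MAC is replaced by the
! upstream router's MAC on every hop, which is exactly why a MAC ACL on
! the 3560 only ever sees the corporate router.
! "show access-lists 101" lists the installed temporary entries.
```

Note that the "host" keyword on access-enable and the "host" keyword in the telnet permit line do different jobs: the first restricts the temporary entry to the authenticating machine, the second just writes a single-address match correctly.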
 
I see the point of the 3560 using the router's MAC instead of that host...nonetheless, I thought that you had not yet requested, but hinted to corporate, that you may need to request that the dynamic IP becomes a static.
With the above commands, you may need to add "privilege" to the username command, and in the acl...

access-list 101 permit tcp any host 10.1.1.1 eq telnet

note the keyword "host"

the username command...

username test privilege 15 password 0 test

What I don't understand is why the third host that needs to connect to the switch is not already a static IP---one of the reasons for static IP's is what you are trying to accomplish! But I know---"try telling that to the powers that be". For now, I imagine you can use the dynamic IP for an acl, if the dynamic acl thing does not work. I have no experience with the "lock and key"---the only dynamic acl's I have dealt with are CBAC...
The dynamic IP will likely not change from what it is now, unless a new host connects at the same time the lease on it ends...

Burt
 
Or the MAC acl in the router...permitting it only to the 3560, eq telnet...

Burt
 