Extended 48-bit MAC address access list

How can I apply an extended 48-bit MAC address access list on a Cisco 7606?

You can use the following example for the MAC address based access list:

mac access-list extended CAPTURE 10
 permit any any
vlan access-map IDS 10
 match mac address CAPTURE
 action forward capture
vlan filter IDS vlan-list 115,119
interface FastEthernet 3/48
 switchport
 switchport capture

Similar Messages

  • Mac-address access lists

    I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router and hence wanted to use a mac-address access list.
    I have created an access list as follows:
    access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
    Can anyone confirm if this is possible on a router or does this only work on a switch?

    No, it's the Ethernet local LAN interface of a routed link so no bridging going on.
    Config below:
    interface FastEthernet0
    description Mufulira Post Office Post Office LAN
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 120 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    speed auto
    full-duplex
    no cdp enable
    IP access list 120 defines just a single host allowed in to a group of servers.
    I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a Wireless backhaul link and our Risk people are trying to insist that we use mac address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.

  • Browser corrupting MAC address access-list in 1232 AP

    We're having a problem with an access point when we try to build Mac Address filter tables using the browser interface. Here is what we have:
    Product/Model Number: AIR-AP1232AG-A-K9
    System Software Filename: c1200-k9w7-tar.123-8.JEA
    System Software Version: 12.3(8)JEA
    Bootloader Version: 12.3(2)JA4
    Something is corrupting browser generated Mac address filter lists and causing us to have to manually remove the lists using the CLI even though the CLI was never used as the list was being entered initially.
    When the browser works, the CLI shows the table as:
    permit 0040.965d.db6b 0000.0000.0000 (3799 matches)
    permit 0016.e3ec.3e06 0000.0000.0000
    permit 00a0.f8ec.9dcd 0000.0000.0000 (7814 matches)
    permit 001c.26c8.3f60 0000.0000.0000
    permit 001a.731e.4f6e 0000.0000.0000
    permit 0040.9652.50ff 0000.0000.0000 (5899 matches)
    permit 0040.9649.08c0 0000.0000.0000 (2010 matches)
    deny 0000.0000.0000 ffff.ffff.ffff
    When the browser doesn't work, it shows up like this in the CLI:
    permit 0016.e3ec.3e06 0000.0000.0000
    permit 00a0.f8ec.9dcd 0000.0000.0000
    permit 001c.26c8.3f60 0000.0000.0000
    permit 001a.731e.4f6e 0000.0000.0000
    permit 0040.9652.50ff 0000.0000.0000 (179 matches)
    permit 0015.7032.7e37 0000.0000.0000
    deny 0000.0000.0000 ffff.ffff.ffff (69 matches)
    permit 0040.9649.08c0 0000.0000.0000
    With the last permit entry that follows the deny being one that we tried to add.
    Is there a way to use the CLI to edit the list so that it can be updated by the browser? Any ideas why the list is getting messed up like this in the first place? Do we need to upgrade the AP's software?

    Are you using IE? If you have Google toolbar check if you have any Pop-up blocker or Anti-spy in the system blocking this. Try disabling them. If it doesn't work try using Mozilla Firefox.
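
Why the entry added after the deny never takes effect, as an added example (not part of the original posts and not Cisco code): it models first-match evaluation with wildcard masks over the corrupted list quoted above and flags entries that an earlier entry fully covers. The function names are hypothetical, and the implicit deny when nothing matches is an assumption about the platform.

```python
import re

FULL = 0xFFFFFFFFFFFF  # 48-bit MAC address space
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ENTRY = re.compile(rf"^\s*(permit|deny)\s+{MAC}\s+{MAC}", re.I)

# The corrupted list as quoted from the CLI in the post above.
BROKEN_LIST = """\
permit 0016.e3ec.3e06 0000.0000.0000
permit 00a0.f8ec.9dcd 0000.0000.0000
permit 001c.26c8.3f60 0000.0000.0000
permit 001a.731e.4f6e 0000.0000.0000
permit 0040.9652.50ff 0000.0000.0000 (179 matches)
permit 0015.7032.7e37 0000.0000.0000
deny 0000.0000.0000 ffff.ffff.ffff (69 matches)
permit 0040.9649.08c0 0000.0000.0000
"""


def to_int(dotted):
    """Convert Cisco dotted notation (xxxx.xxxx.xxxx) to a 48-bit integer."""
    return int(dotted.replace(".", ""), 16)


def parse_acl(text):
    """Return [(action, address, wildcard)], ignoring '(N matches)' counters."""
    found = (ENTRY.match(line) for line in text.splitlines())
    return [(m[1].lower(), to_int(m[2]), to_int(m[3])) for m in found if m]


def evaluate(entries, mac):
    """First matching entry wins; wildcard bits set to 1 are not compared."""
    value = to_int(mac)
    for index, (action, addr, wildcard) in enumerate(entries):
        care = ~wildcard & FULL
        if (value & care) == (addr & care):
            return action, index
    return "deny", None  # assumption: implicit deny when nothing matches


def shadowed(entries):
    """Return (index, covered_by) for entries that can never be reached."""
    dead = []
    for i, (_, addr, wildcard) in enumerate(entries):
        for j, (_, e_addr, e_wildcard) in enumerate(entries[:i]):
            e_care = ~e_wildcard & FULL
            # An earlier entry covers this one if it compares only bits this
            # entry also fixes, and the two agree on those bits.
            if (wildcard & e_care) == 0 and (addr & e_care) == (e_addr & e_care):
                dead.append((i, j))
                break
    return dead


def catch_all_last(entries):
    """Reorder so entries with an all-ones wildcard come after specific ones."""
    return sorted(entries, key=lambda e: e[2] == FULL)


if __name__ == "__main__":
    acl = parse_acl(BROKEN_LIST)
    print(evaluate(acl, "0040.9649.08c0"))                  # hits the deny
    print(shadowed(acl))                                    # unreachable entries
    print(evaluate(catch_all_last(acl), "0040.9649.08c0"))  # after reordering
```

Running the same check over a list after every GUI edit shows whether a new permit landed below the catch-all deny before clients start failing to associate.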

  • MAC address access control

    Why does my airport express/time capsule show more wireless clients than I've authorized via the MAC address access control?

    Sorry, but I have to re-awaken this old thread.
    1. I recently purchased a new iPad.
    2. With a) a hidden SSID, b) a MAC address-based access control list and c) a WPA2 secured network, I am assuming that no new device should be able to access my WiFi network.
    3. When I got home with the new iPad on Friday evening, and started it, it was online without even asking me whether to connect, or what the WPA2 key was.
    I find this strange.
    Additional information:
    4. I also have an iPhone 4S.
    5. I used the personal hotspot feature of the iPhone 4S to connect the WiFi-only iPad to the Internet while on the road.
    6. That personal hotspot feature was still enabled when I got home with the iPhone and the new iPad.
    7. Home network setup:
    7a) Fritz.Box 7270 as DSL modem/router (WiFi disabled)
    7b) Apple Airport Extreme (v 7.6.4) connected via LAN to DSL router, (in bridge mode, create wireless network), Access control on this base station.
    7c) Apple Airport Express (v 7.6.4) connected to Airport Extreme via WiFi (extend wireless network), Access control not an option on this base station.
    8. Native IPv6 enabled on all devices (and provided by ISP).
    Any suggestion and help is highly appreciated.

  • Do I need to add Base Station MAC address to list?

    Hi, If I choose to use MAC address filtering on my Airport Extreme Time Capsule, do I need to add the wireless MAC address of the Base Station to the list of allowed MAC addresses???  I'd feel real bad if I set up a list, didn't include the base station's MAC address and then could never get in to the network again because I, in effect, locked myself out???  I doubt that address needs to be included but I would like some feedback on that.
    Second, does the one MAC address filter list apply to the Guest Network as well if I should choose to turn it on???  If that was the case, I would just turn off MAC address filtering while guests were present.
    thanks..  bob

    If I choose to use MAC address filtering on my Airport Extreme Time Capsule, do I need to add the wireless MAC address of the Base Station to the list of allowed MAC addresses???
    No. Timed Access would be for wireless devices....computers, mobile devices, printer, etc., that are connecting to the Time Capsule. The Time Capsule does not connect to itself in this regard.
    I'd feel real bad if I set up a list, didn't include the base station's MAC address and then could never get in to the network again because I, in effect, locked myself out???
    Sometimes, users lock themselves out by mistake by entering incorrect times for devices to connect, and they often forget that they can connect to the base station using an Ethernet connection and get back in that way.....since Timed Access only applies to devices that connect using wireless.
    does the one MAC address filter list apply to the Guest Network as well if I should choose to turn it on???
    Yes

  • WRT610N: Cannot enter MAC address in MAC address filter list

    My WRT610N cannot accept a very specific MAC address in any position of the MAC address filter list.  It is a valid address and it was working fine in the filter list of my WRT54G but the 610N will just not take that specific address!  What is this all about?

    gv wrote:
    There is nothing like a "non-critical setup". It's enough to drive by with a car and within a few minutes your network is hacked. Or it's the bored teenager next door...
    I recommend to replace the WEP only device instead of taking the risk of a hacked network.
    And just forget about the wireless mac address filter. Anyone, who wants to crack your WEP network will collect enough accepted MAC addresses during the cracking process. It's just not worth the trouble to set up the filter and keep the list current...
    Thanks for the diligent follow-up gv but I can't replace the WEP-only device for now.  (I need to go through a conversion process for that device to accept WAP and that will take a fair amount of time)  I understand your point about getting accepted MAC addresses but, at least, it requires a bit more effort... Maybe I will return the WRT610 and stick with my old WRT54 until the 610 gets fixed...

  • MAC address access control default?

    I'm still using old graphite ABS, and all of them
    are using MAC address access control.
    Just by accident I connected a PB G4 with an
    internal extreme Airport card.
    The MAC address of this AirPort card wasn't in the
    access list of the ABS.
    It looks like ABS does only limit access through
    MAC addresses for 802.11b cards. I'll spend some time
    to double check this behaviour.
    Did anyone already see this default of access
    control?

    I'm pretty well aware of the limitations of any kind of
    MAC address control: in a hostile environment it's a
    "straw house" or an "empty extinguisher".
    But in a collaborative and friendly environment I thought
    it may be a useful "frontier marker" between "friendly" and
    clearly "hostile" behaviors.
    This belief was foolish.

  • AP1231 crashes when adding Mac to access list

    I have a AIR-AP1231G-E-K9 it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
    I am using a Mac Access list to restrict users access to it - however when I add an address now it crashes the AP and has to be rebooted.
    Is there a limit to MACs, or is this a software bug?
    thanks

    If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

  • WRT160N V3 router ignores MAC address Access Restrictions, Filtering policies

    I have added a list of 2 MAC addresses in the Access Restrictions for the access policy #1 and enabled it with Allow policy.  But one of my PC's MAC address which is not on the list of access policy #1 still can access the internet and ping websites.  I tried to add a Deny policy in 2nd policy for this PC MAC address and then it can not ping websites anymore.
    The problem is why my PC with a MAC address not on the list of Allow Policy #1 can access the internet? It seems the router Access Restrictions don't work well.

    I've already added Deny rule (blocking all LAN IPs) to all computers accessing my network in Access Restrictions Policy #1 but I leave one PC left to access the router web configuration.
    Then in Access Restrictions Policy #2, I added an Allow rule to one of my PC's MAC addresses (and its IP too) but the PC can not access internet and ping websites. It looks like the allow rule in policy #2 doesn't overwrite the Deny rule in Policy #1.

  • Airport Utility and MAC addresses - Leopard

    Hello,
    I recently upgraded to Leopard from Tiger, and cannot stress how much I hate this new Airport Utility. It's like Apple tried to simplify the process so much so that it is bordering on extremely annoying. My biggest problem is the removal of the ability to import/export MAC address access lists (.txt file). Lately, I've had to hard reset my AirPort Extreme and Express (as WDS) base stations a few times due to problems, and let me tell you, re-inputting 14 MAC addresses one by one into each base station can be pretty annoying due to the time it takes...especially when all I had to do before was import it from my documents folder.
    Why was this feature removed...? I just don't get it. It's such a simple thing and makes life so much easier. I was wondering if anyone knows a way around this? Is it possible to use or install the Airport Admin Utility from Tiger onto Leopard so that I can get this feature back?
    Many thanks.

    You can download Airport Admin Utility 4.2.5 from Versiontracker: http://www.versiontracker.com/dyn/moreinfo/macosx/15748
    It's supposed to run under Leopard. My version (4.1.1) runs just fine for me but I stopped using it after Airport Utility came out. I didn't notice they removed the MAC import / export feature until reading your post.
    Edit to add: You might like this one too:
    Airport Management Utility 1.0
    http://www.macupdate.com/info.php/id/14758
    Message was edited by: John Galt

  • Is a MAC address filter incompatible on an extended network?

    Hello all,
    I've bought myself an Airport Express and an Airport Extreme.
    The Express serves two roles:
    1. Play music
    2. Extend my network (a real extension, not just a network join)
    On my Extreme, I've setup MAC address filtering with a time-based access (to avoid hacking of my network during the night -- don't worry, I have WPA2 security too...). Here's what I've done:
    - All devices: no access from 11 PM to 7 AM
    - Airport Express: always access
    - Macbook Pro: always access
    So far, so good.
    Now, the problem I see is the following: IF my Express has access anytime, then an unknown device CAN connect to my network at night (midnight for example) simply because it will connect on my Express instead of my Extreme! It's like an unlocked back door!
    So, from what I see, when I extend a network, the MAC filtering is not passed along to the "extending" devices. Also, on an extended network, I CAN'T set a MAC filter... So I'm stuck with an unsecure extending device.
    So, my question is the following: is this normal behavior or is this an oversight from Apple? In other words, how can I extend my network and "propagate" my security setting on all my devices?
    Thanks!
    P.-S. On another topic, but related, any idea how to apply a setting without rebooting the router every time? This is very annoying.

    Hi. Yes, this works fine. I have these wifi base stations these configurations on the same subnet in my place *using MAC filtering (access control)* in two extended networks. Here's how I do it.
    • AEBS 802.11n@5Ghz 9DHCP and WAN.. and MAC ADDRESSES. TimecapsuleTV = SSID="my5Gwifi" , closed network
    • 1 x AEBS 802.11g 2.4Ghz snow coloured dome base station (connected through ethernet to the main 802.11n AEBS) + 2 x 802.11g APx's + 802.11N APX; closed network; name | SSID ="my2.4Gnetwork"; all bridge mode. For WDS add all MAC addresses of all devices like iphones, ipods, macs, pea-seas, PS2's etc and the other APX base stations too!
    Here's the deal:
    For the 802.11N base stations (AEBS, TC or APX gen 2), the extensible wifi stations are through "extend this network" in the Airport Utility. There is no provision for the extension stations to add any ACCESS control if you use BRIDGE MODE (as I would advise you to do).
    • For the *802.11g or WDS* I have found that you must ADD all the MAC addresses in EACH of the base stations. This is simple to do by exporting all the mac address config lists and importing them as you need. This works fine.
    My company registers world wide all laptop wireless nics. We have over 300,000 employees (3 x 10**5) all dynamically VPN'ed and mac address filtered for windows, linux and unix. It works for them worldwide. Walk into any office and you are connected.
    As for me and others WEP, WPA2 and all that is a mess around for hours (with that awful redmond based software) with frustrating and a huge waste of time when some one tries to connect to your system with some of those ghastly microsoft operating systems. They all have their quirks. Vista - well you mostly know.
    In any case the simplest and I believe effective for most is MAC ADDRESS filtering.
    FWIW all ways can be infiltrated.. you just need to monitor your network or add a GBE hub and use cables where the cables are in a locked room.
    hth
    w

  • Cisco Aironet 1240 AG Access Point - configure Mac Address using Telnet

    Hi there,
    I’ve got a problem hopefully someone can help me with. I have the above mentioned AP and it is configured, working well and providing wireless access to several laptops on our domain.
    The thing is I can’t get access to the web-based interface to add new laptops Mac addresses to the AP as I currently have them secured with local list Mac address authentication but my user name and password when entered in the web browser login dialog box won’t allow me in although strangely it does allow me to login using the same credentials when I telnet into the AP.
    Does anyone know why I can’t get logged in using the web interface even though the user name and password do appear to be correct as I can telnet in? Also if you have any suggestions how I could sort this without having to perform the password recovery procedure, as I don’t want all the config on the AP wiped and want to avoid having to set the whole thing up again.
    As a workaround if anyone knows what the commands are to allow me to add the Mac addresses of the new laptops so they are added to the local list Mac address authentication list so the new laptops are secured that would be great.
    Thanks in anticipation,
    Tony

    Your AP is probably configured to use the enable secret as the password. Try entering nothing for the username, and enter your enable secret for the password ('Cisco' by default).
    If that doesn't work, post your running-config and we'll be able to see why it's doing that. It's a standard configuration, and no worries because wiping the AP won't be necessary since you can successfully Telnet in.
    Jeff

  • MAC address and router access control

    My iPhone 3GS can only access the network (through my Netgear KWGR614 wireless router) when the router's MAC address access control is off. When I turn it on the phone is blocked. The MAC address I use is taken from the iPhone settings. It begins with 64. All other MAC addresses I have ever seen begin with 00. Is this MAC address correct? If it is right, could it be that the router can't handle this address?

    The first 3 bytes of the mac address identify the manufacturer. For example, mine starts with 04:1e:64 which is Apple
    04-1E-64 (hex) Apple, Inc
    041E64 (base 16) Apple, Inc
    1 Infinite Loop
    Cupertino CA 95014
    UNITED STATES
    If it starts with 64 then it belongs to
    64-4F-74 (hex) LENUS Co., Ltd.
    644F74 (base 16) LENUS Co., Ltd.
    18-5 Gwacheon-Dong
    Gwacheon Gyeonggi-Do 427-060
    KOREA, REPUBLIC OF
    check this list : http://standards.ieee.org/regauth/oui/index.shtml
    enter your first 3 numbers (first 3 pairs) from your wifi (settings/general/about) (don't use colons in the search)
    Not sure about the router as I never tried mac filtering. Each router will behave differently.
    Hope this helps.

  • RV220W mac address list

    I apologize for my incompetence but I have a problem I really need to solve and I am clueless ...
    We have a wifi router RV220W and we need to filter the mac address. The problem is that the number of the "allowed" devices is around 50 (not all connected at the same time), but the maximum number of mac address which can be listed in this router for each VLAN is 20, so for the moment we set 3 VLAN, each one with a different mac address list. This is very awkward because the area to be covered by the wifi network is large and we need repeaters, but having 3 VLAN we should put 3 repeaters for each point. Is there any way to configure this router in order to have a single VLAN but with a mac address filter list of 3 x 20 mac address?
    thank you 

    Good morning
    Hi Michela, thank you for using our forum, my name is Johnnatan, I am part of the Small business Support community.
    Don't worry about it, we are here to help you. I read your case and you are right, your device supports just 20 rules. As you know you can deny everything and just allow specific devices or allow everything and deny specific devices (you can try doing it the other way), however if you want to extend this list, maybe you are thinking in an enterprise device. I apologize for the inconvenience.
    I hope you find this answer useful,
    *Please mark the question as Answered or rate it so other users can benefit from it*
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Banning certain MAC addresses

    I need to block all traffic to/from certain MAC addresses from within a certain VLAN on a 6500 running CatOS. Is there a way to do per-VLAN MAC-based access-lists?

    The IOS command functional equivalent is "mac access-list extended". Here is a snippet from the IOS command reference that covers the highlights:
    Once you enter the mac access-list extended name command, use the following subset to create or delete entries in a MAC-access list:
    [no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol [vlan vlan] [cos value]]}
    Reference "Catalyst 6500 Series Cisco IOS Command Reference, 12.2SX" (http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_command_reference_book09186a0080160cd0.html) page 2-357.
