Mac access-list enable on catalyst 2924xl ??
Does the command mac access-list work on a Catalyst 2924 switch running the 2900xl IOS, version 12.0(5)WC12?
thanks
Hi,
2900/3500 XLs do not support ACLs.
regards,
-amit singh
Similar Messages
-
WS-C3524-XL-EN , mac access-list , ssh ..
Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION) with the latest IOS running on it support SSH, and mac access-list to secure the port by MAC?
thanks
There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for 3550 and look for the link.
-
Ok we have a mac-access list that is set and we want it only set on a specific ssid but it does not seem to be working that way and is hitting both ssid's. The issue appears to be with this line as it is not defined to the ssid nor any interface for that ssid:
dot11 association mac-list 701
I just can't figure out where to move it and how. Any help would be great.
Here is my config:
BER-AP18#show running-config
Building configuration...
Current configuration : 11695 bytes
! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname BER-AP18
enable secret 5 SECRET
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain name domain.com
ip name-server 10.0.36.73
ip name-server 10.0.36.38
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 701
dot11 vlan-name Wireless vlan 22
dot11 ssid SWLAN
vlan 36
authentication open mac-address mac_methods
dot11 ssid WSLAN
vlan 22
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 SECRET
crypto pki trustpoint TP-self-signed-689020510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-689020510
revocation-check none
rsakeypair TP-self-signed-689020510
username WirelessAdmin privilege 15 password 7 SECRET
username 00166f44ec4f password 7 075F711D185F1F514317085802
username 00166f44ec4f autocommand exit
username 00166f46e83c password 7 15425B5D527C2D707E366D7110
username 00166f46e83c autocommand exit
username 00166f6bc2be password 7 091C1E584F531144090F56282E
username 00166f6bc2be autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 128bit 7 SECRET transmit-key
encryption mode wep mandatory
encryption vlan 2 mode ciphers tkip
encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
encryption vlan 36 mode wep mandatory
encryption vlan 22 mode ciphers tkip
broadcast-key change 30
ssid SWLAN
ssid WSLAN
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
power local 1
no power client local
power client 100
channel 2427
station-role root
rts threshold 2312
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 block-unknown-source
no bridge-group 22 source-learning
no bridge-group 22 unicast-flooding
bridge-group 22 spanning-disabled
interface Dot11Radio0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
bridge-group 36 subscriber-loop-control
bridge-group 36 block-unknown-source
no bridge-group 36 source-learning
no bridge-group 36 unicast-flooding
bridge-group 36 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
no bridge-group 22 source-learning
bridge-group 22 spanning-disabled
interface FastEthernet0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
no bridge-group 36 source-learning
bridge-group 36 spanning-disabled
interface BVI1
ip address 10.0.0.18 255.255.255.0
no ip route-cache
interface BVI22
no ip address
no ip route-cache
ip default-gateway 10.0.0.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 701 permit 0016.6f38.5a75 0000.0000.0000
access-list 701 permit 0016.6f47.2f5a 0000.0000.0000
access-list 701 permit 0016.6f72.8730 0000.0000.0000
access-list 701 permit 0016.6f6b.c156 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
line vty 5 15
access-class 111 in
sntp server 10.0.36.38
end
That looks good. I always get input vs output backwards. If it doesn't block the correct traffic, reverse the direction.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
MAC access-list on switching platforms
Please advise if I am in the wrong group, and I'll move the post.
I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
Here is the link I am looking at:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
MAC-based ACLs can be configured on the router. You will need to use an access-list which ranges from 700-799:
A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.
-
MAC access-list to deny appletalk
Can I use a mac access-list to deny AppleTalk frames only, without affecting other frames, on a Cat 3560?
Hi,
I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
mac access-list extended DenyAppletalk
deny any any aarp
permit any any
And then apply that ACL to each interface:
#(config-if) mac access-group DenyAppletalk in
So you will not be blocking actual AppleTalk, but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info, but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
I've never tried this or seen this work myself but you may want to give it a go and let us know?
Herbert -
VLAN's, subinterface, access-lists and 3560 catalyst switch?
Hi,
How can I isolate VLAN 121 from all others?
I have a cisco 2811 router connected to a 3560 catalyst switch which has 5 VLAN's of which I need to protect IP traffic of 4 from 1.
The following VLANs configured on the switch:
VLAN 0 192.168.132.0 /24
VLAN 135 ..135.0 /24
VLAN 137 ..137.0 /24
VLAN 139 ..139.0 /24 and lastly,
VLAN 121 192.168.121.0 /24 which I wish to isolate all IP from VLAN 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLAN's and routing are working perfectly.
I need some advice please. Here is my plan: to split Fa0/0 into Fa0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 on the Fa0/0 interface. Since I'm essentially creating VLANs with the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
Thank you!
I will have to assume VLAN 0 is the native VLAN / default interface on the router? All VLANs are numbered, native or not. Just ensure the VLAN numbering matches between the router and the trunking on the switch.
Yes, you could create a sub interface on the 2811 and use the router to route the VLAN. Apply an access list on the other interfaces to block access to the VLAN you want to protect. If you have routing enabled on the 3560 as well you would complicate the situation a bit more.
Please rate helpful posts! :-) -
Hi,
I have a mac acl on a cisco aironet 1260;
access-list 700 permit 000b.6baf.780c 0000.0000.0000
access-list 700 permit 000b.6baf.6cfd 0000.0000.0000
access-list 700 permit 000b.6baf.7225 0000.0000.0000
access-list 700 permit 000b.6bb2.f090 0000.0000.0000
access-list 700 permit 000b.6bb2.f088 0000.0000.0000
access-list 700 permit 000b.6bb2.f089 0000.0000.0000
access-list 700 permit 000b.6baf.756d 0000.0000.0000
access-list 700 permit 000b.6baf.7872 0000.0000.0000
access-list 700 permit 000b.6baf.6d04 0000.0000.0000
It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected, or that have attempted to connect to the AP. How can I log that info?
REGARDS
Hi,
Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and can then filter on that.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
-
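As an added illustration, not part of the original thread, of how a standard MAC list like the one above decides and of the rejected-client audit the question asks for, here is a small Python evaluator: it parses list 700 from the post (with a catch-all deny appended, as in the BER-AP18 config earlier on the page), applies Cisco wildcard-mask semantics to a set of constructed association attempts and reports which were rejected and by which line. The ACL text, the attempted MACs and all function names are constructed for this example.

```python
"""Offline evaluator for Cisco-style standard MAC access lists (700-799): a 0 bit in
the wildcard must match, a 1 bit is ignored (0000.0000.0000 = exact match,
ffff.ffff.ffff = any), and anything unmatched hits the implicit deny."""
import re

# Constructed input: the permit lines from the Aironet 1260 post (list 700) plus
# the explicit catch-all deny the BER-AP18 config puts at the end of list 701.
ACL_TEXT = """
access-list 700 permit 000b.6baf.780c 0000.0000.0000
access-list 700 permit 000b.6baf.6cfd 0000.0000.0000
access-list 700 permit 000b.6baf.7225 0000.0000.0000
access-list 700 permit 000b.6bb2.f090 0000.0000.0000
access-list 700 permit 000b.6bb2.f088 0000.0000.0000
access-list 700 permit 000b.6bb2.f089 0000.0000.0000
access-list 700 permit 000b.6baf.756d 0000.0000.0000
access-list 700 permit 000b.6baf.7872 0000.0000.0000
access-list 700 permit 000b.6baf.6d04 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

# Constructed attempts: two listed clients and two unknown radios, written in
# the notations a syslog feed or a vendor tool might emit.
ATTEMPTS = ["00:0b:6b:af:78:0c", "000b.6bb2.f089", "00-16-6f-44-ec-4f", "0000.5e00.5301"]

ENTRY_RE = re.compile(r"^access-list\s+(7\d\d)\s+(permit|deny)\s+(\S+)\s+(\S+)$")

def mac_to_int(mac):
    """Accept 0000.0000.0000, 00:00:00:00:00:00 and 00-00-00-00-00-00 forms."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def parse_acl(text, number):
    """Entries of one numbered list, in configured order: (action, address, wildcard, line)."""
    entries = []
    for raw in text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2), mac_to_int(m.group(3)), mac_to_int(m.group(4)), raw.strip()))
    return entries

def matches(address, wildcard, mac):
    # Bits set in the wildcard are don't-care; every other bit must be equal.
    return (mac ^ address) & ~wildcard & 0xFFFFFFFFFFFF == 0

def evaluate(entries, mac):
    """First matching entry wins; ("deny", None) means the implicit deny fired."""
    value = mac_to_int(mac)
    for action, address, wildcard, line in entries:
        if matches(address, wildcard, value):
            return action, line
    return "deny", None

def audit(acl_text, number, attempts):
    """Group attempted clients into permitted and rejected, each with the entry that decided it."""
    entries = parse_acl(acl_text, number)
    report = {"permit": [], "deny": []}
    for mac in attempts:
        action, line = evaluate(entries, mac)
        report[action].append((mac, line or "implicit deny"))
    return report
```

Running audit(ACL_TEXT, 700, ATTEMPTS) over MACs pulled from the AP's syslog, as Amjad suggests, gives the rejection report the question asks for; when the explicit catch-all line is absent, rejected clients are reported against the implicit deny instead.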
AirPort Extreme freezes when updating MAC access list on WiFi. What can I do?
Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
Macpro on 10.7
Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
Thanks
If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
If still no luck, your next option is to perform a Factory Default Reset on the AirPort Extreme to clear out all the current settings and then reconfigure the device again.
-
AP1231 crashes when adding Mac to access list
I have a AIR-AP1231G-E-K9 it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
I am using a MAC access list to restrict users' access to it; however, when I add an address now it crashes the AP and it has to be rebooted.
Is there a limit to MACs, or is this a software bug?
thanks
If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.
-
Extended 48-bit MAC address access list
How can I apply extended 48-bit MAC address access list on Cisco 7606?
You can use the following example for the MAC address based access list :
mac access-list extended CAPTURE 10
permit any any
vlan access-map IDS 10
match mac address CAPTURE
action forward capture
vlan filter IDS vlan-list 115,119
interface FastEthernet 3/48
switchport
switchport capture
-
Hi!
I have Linksys SPS224G4.
I'm trying to create a mac access-list and bind it to an interface by using SNMP.
Please advise me in which MIB I can find OIDs to operate such functions?
These OIDs lie in qosclimib.mib
-
SFE2000 IP Access List is locking up the switch
Hi, I'm using brand new 1 X SFE2000, 1 X RV082 as router and 2 X WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs. The first one would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used for computer techs to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 VLANs. The switch is on layer 3 protocol.
Here is my problem: as soon as I activate the IP access list, the switch locks up and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... The MAC access list is working perfectly.
I'm running the latest firmware...
Any advice would be welcome!
Thanks a lot!
I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
Or the whole config (default login. also attached)
interface range ethernet e(2-4)
switchport mode access
exit
vlan database
vlan 1-3
exit
interface ethernet e2
switchport access vlan 1
exit
interface ethernet e5
switchport trunk native vlan 1
exit
interface ethernet e3
switchport access vlan 2
exit
interface ethernet e5
switchport trunk allowed vlan add 2
exit
interface ethernet e4
switchport access vlan 3
exit
interface ethernet e5
switchport trunk allowed vlan add 3
exit
interface vlan 1
ip address 192.168.11.254 255.255.255.0
exit
interface vlan 2
ip address 192.168.12.254 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.254 255.255.255.0
exit
interface vlan 100
ip address 192.168.1.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.11.253
ip access-list ACL1
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
exit
interface ethernet e2
service-acl input ACL1
exit
interface ethernet e3
service-acl input ACL1
exit
interface ethernet e4
service-acl input ACL1
exit
interface ethernet e5
service-acl input ACL1
exit
username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted
username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
-
I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else into the router, and hence wanted to use a mac-address access list.
I have created an access list as follows:
access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
Can anyone confirm if this is possible on a router, or does this only work on a switch?
No, it's the Ethernet local LAN interface of a routed link, so no bridging going on.
Config below:
interface FastEthernet0
description Mufulira Post Office Post Office LAN
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
speed auto
full-duplex
no cdp enable
IP access list 120 defines just a single host allowed in to a group of servers.
I'm having to tie everything down as much as possible as it's for a remote ATM at the end of a wireless backhaul link, and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPsec 3DES over the routed portion of the link.
-
MAC-Address Filtering vs. Access Lists
We are using two WLC 4400 Series Controllers for our Guest WLAN. They are installed the way Cisco recommends: one in our LAN and one in the DMZ.
I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
With MAC-Address Filtering I can only permit access to a specific WLAN, or is there a way to negate such a filter to use it for a denial?
Is there a possibility to use access lists for the denial of specific MAC addresses to a specific WLAN?
Anyone have another good idea how to solve this issue?
Well... MAC-address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address. Create a username/password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.
-
Where is the Enable RESTful Access List?
Hello,
I am trying to expose a report in my application as a RESTful web service. I am following this guide here: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDDBGAI
The instructions are:
On the Workspace home page, click Application Builder.
Select an application.
Application Builder appears.
Select the page that contains the report you want to enable.
The Page Definition appears.
Under Regions, click the name of the region that contains the report you want to enable.
Under Attributes, enter a value for Static ID field. This value is used to access the report RESTfully.
From the Enable RESTful Access List, select Yes.
Click Apply Changes.
I am not sure where I can find this "Enable RESTful Access List"; it is not in my region attributes or in my page attributes. Could someone kindly point out where I can get it?
I am using APEX 4.2
Cheers.
Hi William,
That's great you're up and running now. So now you've managed to expose your Report region as a RESTful Service. I think you might find it useful to read through the section Understanding Web Service References in the same chapter - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#BABDCIBH - as it explains the various references that can be created. In your case, your Web Service reference is based on the RESTful style, and not on a Web Services Description Language (WSDL) document. If you read through the section Accessing a RESTful Enabled Report Region from a Web Service Client - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDEHFJI - the apex_rest service API can be used to discover available RESTful enabled reports for a given application. Its response is an XML document with a description of all reports that can be accessed by RESTful Web services.
I hope this helps.
Regards,
Hilary