MAC access-list on switching platforms

Please advise if I am in the wrong group, and I'll move the post.
I would like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
Here is the link I am looking at:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

MAC-based ACLs can be configured on the router. You will need to use an access-list that ranges from 700-799.
A sample statement would be: access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

Similar Messages

  • WS-C3524-XL-EN , mac access-list , ssh ..

    Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the latest IOS running on it, support SSH and MAC access-lists to secure the port by MAC?
    Thanks

    There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for the 3550 and look for the link.

  • MAC access-list to deny appletalk

    Can I use a MAC access-list to deny AppleTalk frames only, without affecting other frames, on a Cat3560?

    Hi,
    I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
    cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
    As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
    Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
    mac access-list extended DenyAppletalk
    deny   any any aarp
    permit any any
    And then apply that ACL to each interface:
    #(config-if) mac access-group DenyAppletalk in
    So you will not be blocking actual AppleTalk, but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info, but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
    I've never tried this or seen this work myself but you may want to give it a go and let us know?
    Herbert

  • Mac access-list enable on catalyst 2924xl ??

    Does the command mac access-list run on a Catalyst 2924 switch running 2900XL IOS version 12.0(5)WC12?
    Thanks

    Hi,
    2900/3500 XLs do not support ACLs.
    regards,
    -amit singh

  • Move a mac access-list

    OK, we have a MAC access-list that is set and we want it set only on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not tied to the SSID nor to any interface for that SSID:
    dot11 association mac-list 701
    I just can't figure out where to move it and how. Any help would be great.
    Here is my config:
    BER-AP18#show running-config
    Building configuration...
    Current configuration : 11695 bytes
    ! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    ! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname BER-AP18
    enable secret 5 SECRET
    clock timezone EST -5
    clock summer-time EDT recurring
    ip subnet-zero
    ip domain name domain.com
    ip name-server 10.0.36.73
    ip name-server 10.0.36.38
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 association mac-list 701
    dot11 vlan-name Wireless vlan 22
    dot11 ssid SWLAN
       vlan 36
       authentication open mac-address mac_methods
    dot11 ssid WSLAN
       vlan 22
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 SECRET
    crypto pki trustpoint TP-self-signed-689020510
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-689020510
    revocation-check none
    rsakeypair TP-self-signed-689020510
    username WirelessAdmin privilege 15 password 7 SECRET
    username 00166f44ec4f password 7 075F711D185F1F514317085802
    username 00166f44ec4f autocommand exit
    username 00166f46e83c password 7 15425B5D527C2D707E366D7110
    username 00166f46e83c autocommand exit
    username 00166f6bc2be password 7 091C1E584F531144090F56282E
    username 00166f6bc2be autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 128bit 7 SECRET transmit-key
    encryption mode wep mandatory
    encryption vlan 2 mode ciphers tkip
    encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
    encryption vlan 36 mode wep mandatory
    encryption vlan 22 mode ciphers tkip
    broadcast-key change 30
    ssid SWLAN
    ssid WSLAN
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    power local 1
    no power client local
    power client 100
    channel 2427
    station-role root
    rts threshold 2312
    l2-filter bridge-group-acl
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    bridge-group 22 subscriber-loop-control
    bridge-group 22 block-unknown-source
    no bridge-group 22 source-learning
    no bridge-group 22 unicast-flooding
    bridge-group 22 spanning-disabled
    interface Dot11Radio0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    bridge-group 36 subscriber-loop-control
    bridge-group 36 block-unknown-source
    no bridge-group 36 source-learning
    no bridge-group 36 unicast-flooding
    bridge-group 36 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    l2-filter bridge-group-acl
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    no bridge-group 22 source-learning
    bridge-group 22 spanning-disabled
    interface FastEthernet0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    no bridge-group 36 source-learning
    bridge-group 36 spanning-disabled
    interface BVI1
    ip address 10.0.0.18 255.255.255.0
    no ip route-cache
    interface BVI22
    no ip address
    no ip route-cache
    ip default-gateway 10.0.0.1
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    access-list 701 permit 0016.6f38.5a75   0000.0000.0000
    access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
    access-list 701 permit 0016.6f72.8730   0000.0000.0000
    access-list 701 permit 0016.6f6b.c156   0000.0000.0000
    access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    access-class 111 in
    line vty 0 4
    access-class 111 in
    line vty 5 15
    access-class 111 in
    sntp server 10.0.36.38
    end

    That looks good. I always get input vs output backwards. If it doesn't block the correct traffic, reverse the direction.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Mac access-list

    Hi,
    I have a mac acl on a cisco aironet 1260;
    access-list 700 permit 000b.6baf.780c   0000.0000.0000
    access-list 700 permit 000b.6baf.6cfd   0000.0000.0000
    access-list 700 permit 000b.6baf.7225   0000.0000.0000
    access-list 700 permit 000b.6bb2.f090   0000.0000.0000
    access-list 700 permit 000b.6bb2.f088   0000.0000.0000
    access-list 700 permit 000b.6bb2.f089   0000.0000.0000
    access-list 700 permit 000b.6baf.756d   0000.0000.0000
    access-list 700 permit 000b.6baf.7872   0000.0000.0000
    access-list 700 permit 000b.6baf.6d04   0000.0000.0000
    It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected, or the MAC addresses that have attempted to connect to the AP. How can I log that info?
    Regards

    Hi,
    Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and you can then filter on that.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Airport extreme freezes when updating MAC access list on WiFi. What can I do ?

    Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
    Macpro on 10.7
    Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
    Thanks

    If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
    If still no luck, your next option is to perform a Factory Default Reset on the AirPort Extreme to clear out all the current settings and then reconfigure the device again.

  • SFE2000 IP Access List is locking up the switch

    Hi, I'm using a brand new 1 x SFE2000, 1 x RV082 as router and 2 x WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs. The first one would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used for the computer tech to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 VLANs. The switch is on layer 3 protocol.
    Here is my problem: as soon as I activate the IP access list, the switch locks up and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... The MAC access list is working perfectly.
    I have the latest firmware...
    Any advice would be welcome!
    Thanks a lot!

    I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
    permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
    permit ip 192.168.11.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
    Or the whole config (default login; also attached):
    interface range ethernet e(2-4)
    switchport mode access
    exit
    vlan database
    vlan 1-3
    exit
    interface ethernet e2
    switchport access vlan 1
    exit
    interface ethernet e5
    switchport trunk native vlan 1
    exit
    interface ethernet e3
    switchport access vlan 2
    exit
    interface ethernet e5
    switchport trunk allowed vlan add 2
    exit
    interface ethernet e4
    switchport access vlan 3
    exit
    interface ethernet e5
    switchport trunk allowed vlan add 3
    exit
    interface vlan 1
    ip address 192.168.11.254 255.255.255.0
    exit
    interface vlan 2
    ip address 192.168.12.254 255.255.255.0
    exit
    interface vlan 3
    ip address 192.168.3.254 255.255.255.0
    exit
    interface vlan 100
    ip address 192.168.1.254 255.255.255.0
    exit
    ip route 0.0.0.0 0.0.0.0 192.168.11.253
    ip access-list ACL1
    permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
    permit ip 192.168.11.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
    exit
    interface ethernet e2
    service-acl input ACL1
    exit
    interface ethernet e3
    service-acl input ACL1
    exit
    interface ethernet e4
    service-acl input ACL1
    exit
    interface ethernet e5
    service-acl input ACL1
    exit
    username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted
    username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted

  • AP1231 crashes when adding Mac to access list

    I have an AIR-AP1231G-E-K9; it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
    I am using a MAC access list to restrict users' access to it; however, when I add an address now it crashes the AP and it has to be rebooted.
    Is there a limit to MACs, or is this a software bug?
    Thanks

    If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

  • Extended 48-bit MAC address access list

    How can I apply extended 48-bit MAC address access list on Cisco 7606?

    You can use the following example for the MAC address based access list :
    mac access-list extended CAPTURE 10
    permit any any
    vlan access-map IDS 10
    match mac address CAPTURE
    action forward capture
    vlan filter IDS vlan-list 115,119
    interface FastEthernet 3/48
    switchport
    switchport capture

  • Stopping MAC addresses on 3560 switch interfaces

    Hi,
    I would like to stop certain MAC addresses connecting to the network via a 3560 switch and have configured the config below for VLAN 1. All interfaces belong to VLAN 1. Can anyone tell me if this is the correct config or have I missed something?
    mac access-list extended Bad_Hosts
    permit host 0011.434c.d9bf any 0x806 0x0
    permit host 0011.434a.8026 any 0x806 0x0
    permit host 000b.5d2a.23e3 any 0x806 0x0
    permit host 000b.5d0e.4019 any 0x806 0x0
    vlan access-map MAC 10
    action drop
    match mac address Bad_Hosts
    vlan access-map MAC 20
    action forward
    vlan filter MAC vlan-list 1
    Regards
    Mark
    Network Specialist

    It looks like all the hosts will be rejected.
    Try:
    mac access-list extended Bad_Hosts
    deny host 0011.434c.d9bf any 0x806 0x0
    deny host 0011.434a.8026 any 0x806 0x0
    deny host 000b.5d2a.23e3 any 0x806 0x0
    deny host 000b.5d0e.4019 any 0x806 0x0
    permit any any
    vlan access-map MAC 10
    match mac address Bad_Hosts
    action forward
    vlan access-map MAC 20
    action drop
    vlan filter MAC vlan-list 1
    I hope this helps; please rate this post.
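The threads above show three flavours of MAC filtering: the numbered 700-799 list with a 48-bit wildcard mask (first answer and the AP configs), the named extended list that matches an EtherType (the AARP example and the Bad_Hosts list), and a VLAN access-map that refers to such a list. The following evaluator is an added example, not code from any of the posts or from Cisco; it parses entries in those two formats and applies the semantics assumed here (top-down first match, implicit deny, a wildcard bit of 1 meaning "don't care", and a VLAN map entry matching when its ACL permits the frame or it has no match clause). The frames, the "other" host address and the EtherType name table are constructed for the example.

```python
# Added example, not code from the thread: a small evaluator for Cisco-style MAC ACL
# entries and VLAN access-maps. Matching semantics are this example's assumptions:
# top-down first match, implicit deny, wildcard masks where a 1 bit means "don't care".
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_BITS = (1 << 48) - 1
ETHERTYPE_NAMES = {"aarp": 0x80F3, "arp": 0x0806, "ip": 0x0800}  # constructed subset


def mac_to_int(mac: str) -> int:
    """'0016.6f38.5a75' or '00:16:6f:38:5a:75' -> 48-bit integer."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass
class MacAce:
    action: str                      # "permit" or "deny"
    src: int
    src_wild: int                    # 0 = exact host, MAC_BITS = any
    dst: int
    dst_wild: int
    ethertype: Optional[int] = None  # None = any EtherType
    ethertype_wild: int = 0

    def matches(self, f: Frame) -> bool:
        if (mac_to_int(f.src) ^ self.src) & ~self.src_wild & MAC_BITS:
            return False
        if (mac_to_int(f.dst) ^ self.dst) & ~self.dst_wild & MAC_BITS:
            return False
        if self.ethertype is None:
            return True
        return not ((f.ethertype ^ self.ethertype) & ~self.ethertype_wild & 0xFFFF)


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host <mac>' | '<mac> <wildcard>' at tok[i]; return (mac, wild, next i)."""
    if tok[i] == "any":
        return 0, MAC_BITS, i + 1
    if tok[i] == "host":
        return mac_to_int(tok[i + 1]), 0, i + 2
    return mac_to_int(tok[i]), mac_to_int(tok[i + 1]), i + 2


def parse_ace(line: str) -> MacAce:
    """Accepts the numbered form 'access-list 701 permit <mac> <wildcard>' (source only) and
    the named form 'deny host <mac> any 0x806 0x0' / 'permit any any' / 'deny any any aarp'."""
    tok = line.split()
    if tok[0] == "access-list":
        src, wild, _ = _parse_addr(tok, 3)
        return MacAce(tok[2], src, wild, 0, MAC_BITS)
    src, src_wild, i = _parse_addr(tok, 1)
    dst, dst_wild, i = _parse_addr(tok, i)
    etype, etype_wild = None, 0
    if i < len(tok):                               # optional EtherType [wildcard]
        etype = ETHERTYPE_NAMES.get(tok[i]) or int(tok[i], 16)
        etype_wild = int(tok[i + 1], 16) if i + 1 < len(tok) else 0
    return MacAce(tok[0], src, src_wild, dst, dst_wild, etype, etype_wild)


def acl_verdict(acl: List[MacAce], f: Frame) -> str:
    """First matching entry wins; nothing matched = implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# VLAN map = list of (match ACL or None, action). Assumed: an entry matches when it has no
# match clause or when its ACL permits the frame; first match wins; no match at all = drop.
VlanMap = List[Tuple[Optional[List[MacAce]], str]]


def vlan_map_verdict(vmap: VlanMap, f: Frame) -> str:
    for acl, action in vmap:
        if acl is None or acl_verdict(acl, f) == "permit":
            return action
    return "drop"


# The two Bad_Hosts variants from the 3560 thread (two of the four hosts, same pattern).
BAD_HOSTS_ORIGINAL = [parse_ace(l) for l in (
    "permit host 0011.434c.d9bf any 0x806 0x0", "permit host 0011.434a.8026 any 0x806 0x0")]
MAP_ORIGINAL: VlanMap = [(BAD_HOSTS_ORIGINAL, "drop"), (None, "forward")]
BAD_HOSTS_SUGGESTED = [parse_ace(l) for l in (
    "deny host 0011.434c.d9bf any 0x806 0x0", "deny host 0011.434a.8026 any 0x806 0x0",
    "permit any any")]
MAP_SUGGESTED: VlanMap = [(BAD_HOSTS_SUGGESTED, "forward"), (None, "drop")]

# Constructed sample frames: addresses from the thread plus one made-up "other" host.
SAMPLE_FRAMES: Dict[str, Frame] = {
    "listed-host ARP": Frame("0011.434c.d9bf", "ffff.ffff.ffff", 0x0806),
    "listed-host IP": Frame("0011.434c.d9bf", "0000.0c07.ac01", 0x0800),
    "other-host ARP": Frame("0021.5a00.0001", "ffff.ffff.ffff", 0x0806),
}


def evaluate(vmap: VlanMap) -> Dict[str, str]:
    """Verdict per sample frame for one VLAN map variant."""
    return {name: vlan_map_verdict(vmap, f) for name, f in SAMPLE_FRAMES.items()}
```

Running `evaluate(MAP_ORIGINAL)` and `evaluate(MAP_SUGGESTED)` shows, per frame, what each VLAN map variant does under these assumed semantics; the IP frame from a listed host is forwarded by both, because the entries match only EtherType 0x806, which is the answer to the first post's question of whether such a list stops *any* packet from the host. Parsing `access-list 701 ...` lines from the AP configs and `deny any any aarp` from the AppleTalk thread through `parse_ace` lets you check those lists the same way before applying them.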

  • Access-list through SNMP

    Hi!
    I have Linksys SPS224G4.
    I'm trying to create a MAC access-list and bind it to an interface by using SNMP.
    Please advise me in which MIB I can find the OIDs to operate such functions.

    These OIDs lie in qosclimib.mib

  • I want to switch platforms with Cs6 Master Suite from Mac To PC. Who can help and explain how to get by the rope a dope perpetual circle of support

    I am trying to switch platforms from Mac to PC. I cannot get into support where this is done. Phone calls are a joke, a promise to call back in 12 or 45 minutes never happens. What you need support for seems to not exist. Can someone tell me how to get this done without getting into the rope a dope, perpetual, never ending  circle of nothing.
    EZ

    Ezez1 I am sorry you are facing difficulties with the platform swap process.  Have you been able to complete the steps listed in Order product | Platform, language swap

  • Mac-address access lists

    I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router, and hence wanted to use a MAC address access list.
    I have created an access list as follows:
    access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
    Can anyone confirm if this is possible on a router or does this only work on a switch?

    No, it's the Ethernet local LAN interface of a routed link, so no bridging going on.
    Config below:
    interface FastEthernet0
    description Mufulira Post Office Post Office LAN
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 120 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    speed auto
    full-duplex
    no cdp enable
    IP access list 120 defines just a single host allowed in to a group of servers.
    I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a wireless backhaul link, and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.

  • How to create an Access list on a core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general, just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
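The two rules in the answer above (top-down first match, implicit deny at the end) are what make the original poster's ACL "block the whole internet" for every host that is not explicitly permitted. The evaluator below is an added example, not code from the post or from Cisco: it models the three object-groups the answer names with constructed address ranges (10.0.0.0/8 for the intranet, two made-up server addresses, and the documentation range 203.0.113.0/24 as the allowed sites), evaluates source/destination pairs against entries written in the `any` / `object-group <name>` form, and reports which entry matched, with -1 standing for the implicit deny. Protocol matching is left out; the entries are treated as `ip` entries.

```python
# Added example, not from the thread: first-match evaluation of an extended ACL whose
# entries refer to network object-groups, showing where the implicit deny applies.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed object-groups standing in for the three the answer describes.
OBJECT_GROUPS: Dict[str, List[str]] = {
    "intranet": ["10.0.0.0/8"],
    "allowed_servers": ["10.1.5.10/32", "10.1.5.11/32"],   # made-up server addresses
    "allowed_sites": ["203.0.113.0/24"],                    # TEST-NET-3 documentation range
}

# Entries in order: (action, source spec, destination spec). Order is significant.
MAIN_ACL: List[Tuple[str, str, str]] = [
    ("permit", "any", "object-group intranet"),
    ("permit", "object-group allowed_servers", "object-group allowed_sites"),
]


def in_group(group: str, addr: str) -> bool:
    """True when addr falls inside any prefix of the named object-group."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in OBJECT_GROUPS[group])


def match_side(spec: str, addr: str) -> bool:
    """spec is 'any' or 'object-group <name>', the two forms used in the answer."""
    if spec == "any":
        return True
    kind, name = spec.split()
    if kind != "object-group":
        raise ValueError(f"unsupported address spec: {spec}")
    return in_group(name, addr)


def ip_acl_verdict(acl: List[Tuple[str, str, str]], src: str, dst: str) -> Tuple[str, int]:
    """Walk the ACL top-down; return (verdict, index of matching entry).
    Index -1 means no entry matched and the implicit 'deny any any' applied."""
    for idx, (action, s_spec, d_spec) in enumerate(acl):
        if match_side(s_spec, src) and match_side(d_spec, dst):
            return action, idx
    return "deny", -1


# Constructed sample flows: intranet-to-intranet, an allowed server to an allowed site,
# and two flows to an unlisted Internet address (198.51.100.0/24 is also a documentation range).
SAMPLE_FLOWS: Dict[str, Tuple[str, str]] = {
    "client to intranet server": ("10.2.3.4", "10.9.9.9"),
    "allowed server to allowed site": ("10.1.5.10", "203.0.113.80"),
    "client to unlisted site": ("10.2.3.4", "198.51.100.7"),
    "allowed server to unlisted site": ("10.1.5.10", "198.51.100.7"),
}


def evaluate_flows(acl=MAIN_ACL) -> Dict[str, Tuple[str, int]]:
    """Verdict and matching entry index for every sample flow."""
    return {name: ip_acl_verdict(acl, s, d) for name, (s, d) in SAMPLE_FLOWS.items()}
```

The last two sample flows hit no entry and are denied by the implicit rule, which is the behaviour the poster saw for hosts outside the allowed set; adding a site or server means extending the object-group, not appending a broad `permit` that would sit above the implicit deny and reopen everything.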
