MAC access-list on switching platforms
Please advise if I am in the wrong group, and I'll move the post.
I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
Here is the link I am looking at:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
A MAC-based ACL can be configured on the router. You will need to use an access-list number from the range 700-799:
A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.
Similar Messages
-
WS-C3524-XL-EN, mac access-list, ssh...
Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the latest IOS running on it, support SSH and mac access-lists to secure the port by MAC?
thanks
There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges - there is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for the 3550 and look for the link.
-
MAC access-list to deny appletalk
Can I use a mac access-list to deny AppleTalk frames only, not affecting other frames, on a Cat3560?
Hi,
I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
mac access-list extended DenyAppletalk
deny any any aarp
permit any any
And then apply that ACL to each interface:
#(config-if) mac access-group DenyAppletalk in
So you will not be blocking actual AppleTalk, but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info, but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
I've never tried this or seen this work myself but you may want to give it a go and let us know?
Herbert -
Mac access-list enable on catalyst 2924xl ??
Does the command mac access-list run on a Catalyst 2924 switch running the 2900XL IOS version 12.0(5)WC12?
thanks
Hi,
2900/3500 XLs do not support ACLs.
regards,
-amit singh -
OK, we have a MAC access list that is set, and we want it set only on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not tied to the SSID or to any interface for that SSID:
dot11 association mac-list 701
I just can't figure out where to move it and how. Any help would be great.
Here is my config:
BER-AP18#show running-config
Building configuration...
Current configuration : 11695 bytes
! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname BER-AP18
enable secret 5 SECRET
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain name domain.com
ip name-server 10.0.36.73
ip name-server 10.0.36.38
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 701
dot11 vlan-name Wireless vlan 22
dot11 ssid SWLAN
vlan 36
authentication open mac-address mac_methods
dot11 ssid WSLAN
vlan 22
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 SECRET
crypto pki trustpoint TP-self-signed-689020510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-689020510
revocation-check none
rsakeypair TP-self-signed-689020510
username WirelessAdmin privilege 15 password 7 SECRET
username 00166f44ec4f password 7 075F711D185F1F514317085802
username 00166f44ec4f autocommand exit
username 00166f46e83c password 7 15425B5D527C2D707E366D7110
username 00166f46e83c autocommand exit
username 00166f6bc2be password 7 091C1E584F531144090F56282E
username 00166f6bc2be autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 128bit 7 SECRET transmit-key
encryption mode wep mandatory
encryption vlan 2 mode ciphers tkip
encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
encryption vlan 36 mode wep mandatory
encryption vlan 22 mode ciphers tkip
broadcast-key change 30
ssid SWLAN
ssid WSLAN
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
power local 1
no power client local
power client 100
channel 2427
station-role root
rts threshold 2312
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 block-unknown-source
no bridge-group 22 source-learning
no bridge-group 22 unicast-flooding
bridge-group 22 spanning-disabled
interface Dot11Radio0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
bridge-group 36 subscriber-loop-control
bridge-group 36 block-unknown-source
no bridge-group 36 source-learning
no bridge-group 36 unicast-flooding
bridge-group 36 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
no bridge-group 22 source-learning
bridge-group 22 spanning-disabled
interface FastEthernet0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
no bridge-group 36 source-learning
bridge-group 36 spanning-disabled
interface BVI1
ip address 10.0.0.18 255.255.255.0
no ip route-cache
interface BVI22
no ip address
no ip route-cache
ip default-gateway 10.0.0.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 701 permit 0016.6f38.5a75 0000.0000.0000
access-list 701 permit 0016.6f47.2f5a 0000.0000.0000
access-list 701 permit 0016.6f72.8730 0000.0000.0000
access-list 701 permit 0016.6f6b.c156 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
line vty 5 15
access-class 111 in
sntp server 10.0.36.38
end
That looks good. I always get input vs output backwards. If it doesn't block the correct traffic, reverse the direction.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Hi,
I have a mac acl on a cisco aironet 1260;
access-list 700 permit 000b.6baf.780c 0000.0000.0000
access-list 700 permit 000b.6baf.6cfd 0000.0000.0000
access-list 700 permit 000b.6baf.7225 0000.0000.0000
access-list 700 permit 000b.6bb2.f090 0000.0000.0000
access-list 700 permit 000b.6bb2.f088 0000.0000.0000
access-list 700 permit 000b.6bb2.f089 0000.0000.0000
access-list 700 permit 000b.6baf.756d 0000.0000.0000
access-list 700 permit 000b.6baf.7872 0000.0000.0000
access-list 700 permit 000b.6baf.6d04 0000.0000.0000
It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected, or that have attempted to connect to the AP. How can I log that info?
REGARDS
Hi,
Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and you can then filter on that.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
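The 700-series access-list format from the first thread and the audit question above are both illustrated by this added example; it is not code from any of the posts or from Cisco. It assumes the second field is a wildcard mask (a 1 bit means "ignore this bit"), which is how the closing "deny 0000.0000.0000 ffff.ffff.ffff" entry in the AP config above behaves; the 702 list and the client MACs it audits are constructed samples.

```python
import re

# Added example: an offline evaluator for Cisco IOS 700-series MAC access-lists.
# Assumption: the second field is a wildcard mask (1 bit = "ignore this bit"),
# so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any address.
ACL_LINE = re.compile(
    r"^access-list\s+(7\d\d)\s+(permit|deny)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)
MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    """'0016.6f38.5a75', '00:16:6f:38:5a:75' or '00-16-6f-38-5a-75' -> 48-bit int."""
    return int(re.sub(r"[.:-]", "", mac), 16)


def parse_acls(config_text):
    """Return {acl_number: [(action, address, wildcard), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            num, action, addr, wild = m.groups()
            acls.setdefault(int(num), []).append(
                (action.lower(), mac_to_int(addr), mac_to_int(wild)))
    return acls


def evaluate(entries, mac):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    target = mac_to_int(mac)
    for action, addr, wild in entries:
        care = ~wild & MAC_BITS  # bits that must match exactly
        if target & care == addr & care:
            return action
    return "deny"


def audit(entries, seen_macs):
    """Split observed client MACs into (permitted, rejected) lists: the report
    the audit question above asks for, derived from the ACL instead of AP logs."""
    permitted = [m for m in seen_macs if evaluate(entries, m) == "permit"]
    rejected = [m for m in seen_macs if evaluate(entries, m) == "deny"]
    return permitted, rejected


# Two entries taken from the 701 list in the AP config above, plus a constructed
# OUI-wide rule 702 to show a non-trivial wildcard mask.
SAMPLE_CONFIG = """
access-list 701 permit 0016.6f38.5a75 0000.0000.0000
access-list 701 permit 0016.6f47.2f5a 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
access-list 702 permit 0016.6f00.0000 0000.00ff.ffff
"""
# Constructed client MACs, as an AP might have seen them.
SEEN = ["00:16:6f:38:5a:75", "00:16:6f:47:2f:5a",
        "00:16:6f:aa:bb:cc", "d4:3d:7e:01:02:03"]

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("701:", audit(acls[701], SEEN))
    print("702:", audit(acls[702], SEEN))
```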
Airport extreme freezes when updating MAC access list on WiFi. What can I do ?
Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
Macpro on 10.7
Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
Thanks
If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
If still no luck, your next option is to perform a Factory Default Reset on the AirPort Extreme to clear out all the current settings and then reconfigure the device again. -
SFE2000 IP Access List is locking up the switch
Hi, I'm using a brand new 1 x SFE2000, 1 x RV082 as router and 2 x WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs. The first one would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used for computer techs to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on VLAN 3. The switch is on layer 3 protocol.
Here is my problem: as soon as I activate the IP access list, the switch locks up, and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... The MAC access list is working perfectly.
I have the latest firmware...
Any advice would be welcome!
Thanks a lot!
I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
Or the whole config (default login. also attached)
interface range ethernet e(2-4)
switchport mode access
exit
vlan database
vlan 1-3
exit
interface ethernet e2
switchport access vlan 1
exit
interface ethernet e5
switchport trunk native vlan 1
exit
interface ethernet e3
switchport access vlan 2
exit
interface ethernet e5
switchport trunk allowed vlan add 2
exit
interface ethernet e4
switchport access vlan 3
exit
interface ethernet e5
switchport trunk allowed vlan add 3
exit
interface vlan 1
ip address 192.168.11.254 255.255.255.0
exit
interface vlan 2
ip address 192.168.12.254 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.254 255.255.255.0
exit
interface vlan 100
ip address 192.168.1.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.11.253
ip access-list ACL1
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
exit
interface ethernet e2
service-acl input ACL1
exit
interface ethernet e3
service-acl input ACL1
exit
interface ethernet e4
service-acl input ACL1
exit
interface ethernet e5
service-acl input ACL1
exit
username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted
username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
-
AP1231 crashes when adding Mac to access list
I have an AIR-AP1231G-E-K9; it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
I am using a MAC access list to restrict users' access to it; however, when I add an address now, it crashes the AP and it has to be rebooted.
Is there a limit on MACs, or is this a software bug?
thanks
If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.
-
Extended 48-bit MAC address access list
How can I apply extended 48-bit MAC address access list on Cisco 7606?
You can use the following example for the MAC address based access list:
mac access-list extended CAPTURE 10
permit any any
vlan access-map IDS 10
match mac address CAPTURE
action forward capture
vlan filter IDS vlan-list 115,119
interface FastEthernet 3/48
switchport
switchport capture -
Stopping MAC addresses on 3560 switch interfaces
Hi,
I would like to stop certain MAC addresses connecting to the network via a 3560 switch and have configured the config below for VLAN 1. All interfaces belong to VLAN 1. Can anyone tell me if this is the correct config or have I missed something?
mac access-list extended Bad_Hosts
permit host 0011.434c.d9bf any 0x806 0x0
permit host 0011.434a.8026 any 0x806 0x0
permit host 000b.5d2a.23e3 any 0x806 0x0
permit host 000b.5d0e.4019 any 0x806 0x0
vlan access-map MAC 10
action drop
match mac address Bad_Hosts
vlan access-map MAC 20
action forward
vlan filter MAC vlan-list 1
Regards
Mark
Network Specialist
It looks like all the hosts will be rejected.
Try:
mac access-list extended Bad_Hosts
deny host 0011.434c.d9bf any 0x806 0x0
deny host 0011.434a.8026 any 0x806 0x0
deny host 000b.5d2a.23e3 any 0x806 0x0
deny host 000b.5d0e.4019 any 0x806 0x0
permit any any
vlan access-map MAC 10
match mac address Bad_Hosts
action forward
vlan access-map MAC 20
action drop
vlan filter MAC vlan-list 1
Please, hope this helps, and rate this post. -
Hi!
I have Linksys SPS224G4.
I'm trying to create a mac access-list and bind it to an interface by using SNMP.
Please advise me in which MIB I can find the OIDs to operate such functions?
These OIDs lie in qosclimib.mib
-
I am trying to switch platforms from Mac to PC. I cannot get into support where this is done. Phone calls are a joke; a promise to call back in 12 or 45 minutes never happens. What you need support for seems to not exist. Can someone tell me how to get this done without getting into the rope-a-dope, perpetual, never-ending circle of nothing?
EZEzez1 I am sorry you are facing difficulties with the platform swap process. Have you been able to complete the steps listed in Order product | Platform, language swap
-
I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router, and hence wanted to use a MAC-address access list.
I have created an access list as follows:
access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000
but there appears to be no way to add this to the Fa0 interface on the router.
Can anyone confirm if this is possible on a router, or does this only work on a switch?
No, it's the Ethernet local LAN interface of a routed link, so there is no bridging going on.
Config below:
interface FastEthernet0
description Mufulira Post Office Post Office LAN
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
speed auto
full-duplex
no cdp enable
IP access list 120 defines just a single host allowed in to a group of servers.
I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a wireless backhaul link, and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link. -
Hello Everyone,
I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
Can we create such an Access-List with the above requirement?
I tried to create the ACL on the switch, but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general, just remember that access-lists are parsed from the top down, and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
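As an added example (not the answer's or Cisco's code), the following evaluator applies the top-down, first-match, implicit-deny logic the answer describes to object-group entries modelled on main_acl, reading its first entry as source any, destination intranet; the group names beyond those, the address ranges and the packets tested are constructed for illustration.

```python
import ipaddress

# Added example: object-group ACL evaluation, top-down, first match wins, with
# the implicit "deny any any" at the end. Groups and ranges are constructed.
OBJECT_GROUPS = {
    "intranet": ["10.0.0.0/8"],
    "allowed_servers": ["10.1.5.10/32", "10.1.5.11/32"],
    "allowed_sites": ["203.0.113.0/24", "198.51.100.7/32"],
}

# Entries are (action, source, destination); each side is "any" or a group name.
# MAIN_ACL mirrors main_acl from the answer above.
MAIN_ACL = [
    ("permit", "any", "intranet"),
    ("permit", "allowed_servers", "allowed_sites"),
]
# The poster's symptom: an ACL that only permits the intranet sends every
# Internet-bound packet to the implicit deny.
FIRST_ATTEMPT = [("permit", "any", "intranet")]
# Ordering matters: a specific deny placed after a broader permit never fires.
SHADOWED = [
    ("permit", "any", "intranet"),
    ("deny", "allowed_servers", "intranet"),
]

def in_group(name, ip):
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECT_GROUPS[name])

def evaluate(acl, src, dst):
    """Return (action, index of the matching entry); None means implicit deny."""
    for i, (action, s_grp, d_grp) in enumerate(acl):
        if in_group(s_grp, src) and in_group(d_grp, dst):
            return action, i
    return "deny", None

def covers(outer, inner):
    """True if every network of group 'inner' lies inside a network of 'outer'."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return all(any(ipaddress.ip_network(a).subnet_of(ipaddress.ip_network(b))
                   for b in OBJECT_GROUPS[outer]) for a in OBJECT_GROUPS[inner])

def shadowed_entries(acl):
    """Indices of entries that an earlier, broader entry always catches first."""
    hits = []
    for j, (_, sj, dj) in enumerate(acl):
        if any(covers(si, sj) and covers(di, dj) for _, si, di in acl[:j]):
            hits.append(j)
    return hits

if __name__ == "__main__":
    print(evaluate(MAIN_ACL, "10.1.5.10", "203.0.113.5"))      # ('permit', 1)
    print(evaluate(FIRST_ATTEMPT, "10.1.5.10", "203.0.113.5"))  # ('deny', None)
    print(shadowed_entries(SHADOWED))                           # [1]
```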