MAC access-list to deny appletalk

Similar Messages

• Move a mac access-list

                     Ok we have a mac-access list that is set and we want it only set on a specific ssid but it does not seem to be working that way and is hitting both ssid's.  The issue appears to be with this line as it is not defined to the ssid nor any interface for that ssid:
  dot11 association mac-list 701
  I just can't figure out where to move it and how.  Any help would be great.
  Here is my config:
  BER-AP18#show running-config
  Building configuration...
  Current configuration : 11695 bytes
  ! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
  ! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname BER-AP18
  enable secret 5 SECRET
  clock timezone EST -5
  clock summer-time EDT recurring
  ip subnet-zero
  ip domain name domain.com
  ip name-server 10.0.36.73
  ip name-server 10.0.36.38
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 association mac-list 701
  dot11 vlan-name Wireless vlan 22
  dot11 ssid SWLAN
     vlan 36
     authentication open mac-address mac_methods
  dot11 ssid WSLAN
     vlan 22
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 SECRET
  crypto pki trustpoint TP-self-signed-689020510
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-689020510
  revocation-check none
  rsakeypair TP-self-signed-689020510
  username WirelessAdmin privilege 15 password 7 SECRET
  username 00166f44ec4f password 7 075F711D185F1F514317085802
  username 00166f44ec4f autocommand exit
  username 00166f46e83c password 7 15425B5D527C2D707E366D7110
  username 00166f46e83c autocommand exit
  username 00166f6bc2be password 7 091C1E584F531144090F56282E
  username 00166f6bc2be autocommand exit
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption key 1 size 128bit 7 SECRET transmit-key
  encryption mode wep mandatory
  encryption vlan 2 mode ciphers tkip
  encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
  encryption vlan 36 mode wep mandatory
  encryption vlan 22 mode ciphers tkip
  broadcast-key change 30
  ssid SWLAN
  ssid WSLAN
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  power local 1
  no power client local
  power client 100
  channel 2427
  station-role root
  rts threshold 2312
  l2-filter bridge-group-acl
  bridge-group 1
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.22
  encapsulation dot1Q 22
  no ip route-cache
  bridge-group 22
  bridge-group 22 subscriber-loop-control
  bridge-group 22 block-unknown-source
  no bridge-group 22 source-learning
  no bridge-group 22 unicast-flooding
  bridge-group 22 spanning-disabled
  interface Dot11Radio0.36
  encapsulation dot1Q 36
  no ip route-cache
  bridge-group 36
  bridge-group 36 subscriber-loop-control
  bridge-group 36 block-unknown-source
  no bridge-group 36 source-learning
  no bridge-group 36 unicast-flooding
  bridge-group 36 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  l2-filter bridge-group-acl
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface FastEthernet0.22
  encapsulation dot1Q 22
  no ip route-cache
  bridge-group 22
  no bridge-group 22 source-learning
  bridge-group 22 spanning-disabled
  interface FastEthernet0.36
  encapsulation dot1Q 36
  no ip route-cache
  bridge-group 36
  no bridge-group 36 source-learning
  bridge-group 36 spanning-disabled
  interface BVI1
  ip address 10.0.0.18 255.255.255.0
  no ip route-cache
  interface BVI22
  no ip address
  no ip route-cache
  ip default-gateway 10.0.0.1
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  access-list 111 permit tcp any any neq telnet
  access-list 701 permit 0016.6f38.5a75   0000.0000.0000
  access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
  access-list 701 permit 0016.6f72.8730   0000.0000.0000
  access-list 701 permit 0016.6f6b.c156   0000.0000.0000
  access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  access-class 111 in
  line vty 0 4
  access-class 111 in
  line vty 5 15
  access-class 111 in
  sntp server 10.0.36.38
  end

  that looks good.  I always get input vs output backwards.  If it doesn't block the correct traffic, reverse the direction.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• MAC access-list on switching platforms

  Please advise if I am in the worng group, and I'll move the post.
  I like implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
  Here is the link I am looking at:
  http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

  Mac based ACL can be configured on the router. You will need to use an access-list which ranges from 700-799:
  A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware
  DESTINATION address>. Apply it to a vlan interface after making VLAN interface as a layer2 interface.

• WS-C3524-XL-EN , mac access-list , ssh ..

  does this switch CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION with last IOS running on, support SSH , and mac access-list to secure the port with mac
  thanks

  There is IOS software for the 3550 that supports ssh. You have to have cco login with priviledges - There is a "strong cryptographic (3DES) location on CCO for that software. Go to downloads for 3550 and look for the link.

• Mac access-list enable on catalyst 2924xl ??

  Does the command mac access-list run on a catalyst switch 2924 runing 2900xl ver 12.0(5)WC12 ios version
  thanks

  Hi,
  2900/3500 xl's does not support ACL's.
  regards,
  -amit singh

• Mac access-list

  Hi,
  I have a mac acl on a cisco aironet 1260;
  access-list 700 permit 000b.6baf.780c   0000.0000.0000
  access-list 700 permit 000b.6baf.6cfd   0000.0000.0000
  access-list 700 permit 000b.6baf.7225   0000.0000.0000
  access-list 700 permit 000b.6bb2.f090   0000.0000.0000
  access-list 700 permit 000b.6bb2.f088   0000.0000.0000
  access-list 700 permit 000b.6bb2.f089   0000.0000.0000
  access-list 700 permit 000b.6baf.756d   0000.0000.0000
  access-list 700 permit 000b.6baf.7872   0000.0000.0000
  access-list 700 permit 000b.6baf.6d04   0000.0000.0000
  Is working very good, but to administrative audit I need to get mac addresses that the dot11 interface has rejected or mac-add has attempted to connect to AP, how can I log that info?
  REGARDS

  Hi,
  Not fully sure. but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try with unauthorized user to connect you will see how the message looks like and you can then filter on that.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Airport extreme freezes when updating MAC access list on WiFi. What can I do ?

  Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
  Macpro on 10.7
  Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
  Thanks

  If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
  If still no luck, your next option is to perform a Factory Default Reset on the AirPort Exreme to clear out all the current settings and then reconfigure the device again.

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• AP1231 crashes when adding Mac to access list

  I have a AIR-AP1231G-E-K9 it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
  I am using a Mac Access list to restrict users access to it - however when I add an address now it crashes the AP and has to be rebooted.
  Is there a limit to Mac's is this a software bug?
  thanks

  If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

• Extended 48-bit MAC address access list

  How can I apply extended 48-bit MAC address access list on Cisco 7606?

  You can use the following example for the MAC address based access list :
  mac access-list extended CAPTURE 10
  permit any any
  vlan access-map IDS 10
  match mac address CAPTURE
  action forward capture
  vlan filter IDS vlan-list 115,119
  interface FastEthernet 3/48
  switchport
  switchport capture

• Association Access List

  Has someone tried an Association Access List on an ap or Bridge?
  im really getting crazy with this feature =)
  my config:
  dot11 association mac-list 701
  access-list 701 deny 0002.a56f.a201 0000.0000.0000
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
  i have hits with may clients BUT he still can connect!
  in the documentation (http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/123-02.JA/1100/h_ap_howto_3.htm#mac)
  for mac filter there is written:
  # Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits) enter FFFF.FFFF.FFFF. To check only the first 4 bytes, enter FFFF.FFFF.0000.
  # Select Forward or Block from the Action menu.
  If i try to make the filter
  access-list 701 deny 0002.a56f.a201 ffff.ffff.ffff
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
  i get an error over the webpage and when i make in in the cli the acl looks like that:
  access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
  so what do i make wrong?
  bernhard

  The version you are using has a bug CSCsa48698 on this feature, check the bug tool kit for more details.

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

• Need help for access list problem

  Cisco 2901 ISR
  I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
  I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
  Anybody can help?
           DENY       10.25.0.1 – 10.25.0.255
                            10.25.1.1 – 10.25.1.255
  Permit only 1 host for Internet
                  10.25.7.136  255.255.255.192 ------ TMG Server
  Using access-list.
  ( Current configuration  )
  object-group network IP
  description Block_IP
  range 10.25.0.2 10.25.0.255
  range 10.25.1.2 10.25.1.255
  interface GigabitEthernet0/0
  ip address 192.168.2.3 255.255.255.0
  ip nat inside
  ip virtual-reassembly in max-fragments 64 max-reassemblies 256
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description ### ADSL WAN Interface ###
  no ip address
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  interface Dialer1
  description ### ADSL WAN Dialer ###
  ip address negotiated
  ip mtu 1492
  ip nat outside
  no ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
  ip nat inside source list 101 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.25.0.0 255.255.0.0 192.168.2.1
  access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  access-list 105 deny   ip object-group IP any
  From the 4500 Catalyst switch
  ( Current Configuration )
  interface GigabitEthernet0/48
  no switchport
  ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
  ip route 0.0.0.0 0.0.0.0 192.168.2.3

  Hello,
  Host will can't get internet connection
  I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  and change the configuration ....      ip access-list extended 101
                                                              5 permit ip host 10.25.7.136 any
  In this case I will allow only host 10.25.7.136 but it isn't work.
  No internet connection from the TMG Server.

• Access-list problem ?

  Hello, I/m having problems getting an access-list to work.With the access-group 104 in i lose my internet connectivity.
  Here's the config. If i remove the access-group 104 in from the gigabitinterface0/0 all works but I want to have the settings on this interface.
  What am I missing ?
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r01
  boot-start-marker
  boot-end-marker
  logging buffered 15000
  no logging console
  no aaa new-model
  clock timezone CET 1 0
  no ipv6 cef
  ip source-route
  ip cef
  ip dhcp excluded-address 172.17.1.1 172.17.1.30
  ip dhcp excluded-address 172.17.1.240 172.17.1.254
  ip dhcp excluded-address 172.17.3.1 172.17.3.30
  ip dhcp excluded-address 172.17.3.240 172.17.3.254
  ip dhcp pool VLAN1
  network 172.17.1.0 255.255.255.0
  domain-name r1.local
  default-router 172.17.1.254
  dns-server 212.54.40.25 212.54.35.25
  lease 0 1
  ip dhcp pool VLAN100
  network 172.17.3.0 255.255.255.0
  domain-name r1_Guest
  default-router 172.17.3.254
  dns-server 212.54.40.25 212.54.35.25
  lease 0 1
  ip domain name r1.lan
  ip name-server 212.54.40.25
  ip name-server 212.54.35.25
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  object-group network temp
  description dummy addresses
  1.1.1.1 255.255.255.0
  2.2.2.2 255.255.255.0
  object-group network vlan1-lan
  172.17.1.0 255.255.255.0
  object-group network vlan100-guest
  172.17.3.0 255.255.255.0
  object-group network ziggo-dns
  host 212.54.40.25
  host 212.54.35.25
  redundancy
  ip ssh version 2
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address dhcp
  ip access-group 104 in
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description r1.local lan
  ip address 172.17.1.254 255.255.255.0
  ip access-group 102 in
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1.1
  description Vlan100 r1_Guest
  encapsulation dot1Q 100
  ip address 172.17.3.254 255.255.255.0
  ip access-group 103 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  no cdp enable
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip dns server
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip route 172.17.2.0 255.255.255.0 172.17.1.253
  access-list 23 permit 172.17.1.0 0.0.0.255
  access-list 101 permit ip any any
  access-list 102 deny ip any object-group vlan100-guest
  access-list 102 permit ip any any log
  access-list 103 deny ip any object-group vlan1-lan
  access-list 103 permit ip any any
  access-list 104 permit tcp any any eq 22
  access-list 104 permit udp any any eq snmp
  access-list 104 permit icmp any any time-exceeded
  access-list 104 permit icmp any any echo-reply
  access-list 104 permit icmp object-group temp any echo
  access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
  access-list 104 deny ip any any log
  no cdp run
  control-plane
  line con 0
  login local
  line aux 0
  line 2
  login local
  no activation-character
  no exec
  transport preferred none
  transport input ssh
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  access-class 23 in
  login local
  transport input ssh
  scheduler allocate 20000 1000
  end

  Hello,
  I applied the rules and that works.
  Only thing i have now.
  Reboot router.
  Interface 0/0 gets no dhcp address from isp.
  I have to remove the 104 in from int 0/0
  Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
  Int0/0 gets dhcp ip address, next i apply the acl 104 in to int 0/0 and all works until the next reboot.
  Maybe i have to put in a static ip address on int0/0 ?
  Thanks for your help !

• Access-list block range of hosts

  cisco 2600 router with wic1-adsl card
  I'm having difficulty creating an access-list that will block a range of specified internet ip's but allow evrything else. Google finds loads of acl's showing how to permit a range but nothing about how to deny.
  In the past I've been able to deny a host using:
  access-list 105 deny   ip any host A.B.C.D. but that only blocks one host and not a range (unless you have loads of entries)
  My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of ip's but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
  I tried:
  access-list 10 deny   123.125.0.0 0.0.0.255
  access-list 10 deny   220.181.0.0 0.0.0.255
  access-list 10 deny   61.135.0.0 0.0.0.255
  access-list 10 permit any
  all web traffic comes via the adsl-wic card in the router so I put:
  ip access-group 10 out
  into the dialer0 config but this didn't work.
  thanks for any help.

  it looks like I've done it. I was using the wrong subnet mask.
  I changed the access list to:
  access-list 10 deny   A.B.0.0    0.0.255.255 and from that moment baidu disappeared from the web log.