WS-C3524-XL-EN, mac access-list, ssh
Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the latest IOS running on it, support SSH and mac access-lists to secure the port by MAC?
thanks
There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for 3550 and look for the link.
-
MAC access-list on switching platforms
Please advise if I am in the wrong group, and I'll move the post.
I would like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
Here is the link I am looking at:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
MAC-based ACLs can be configured on the router. You will need to use an access list which ranges from 700-799:
A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a Layer 2 interface. -
MAC access-list to deny appletalk
Can I use a mac access-list to deny AppleTalk frames only, not affecting other frames, on a Cat3560?
Hi,
I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
mac access-list extended DenyAppletalk
deny any any aarp
permit any any
And then apply that ACL to each interface:
#(config-if) mac access-group DenyAppletalk in
So you will not be blocking actual AppleTalk but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
I've never tried this or seen this work myself but you may want to give it a go and let us know?
Herbert -
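A frame-level model of Herbert's AARP workaround, added here as an example; it is not part of the reply above and not Cisco code. It assumes, as the page does not state, that EtherTalk Phase 2 carries AppleTalk DDP in 802.3/LLC/SNAP frames with protocol id 0x809B, that AARP uses 0x80F3, and that the switch's `aarp` keyword matches that protocol id. The frames are constructed test data and the MAC addresses are hypothetical.

```python
"""Added example (not from the original thread, and not Cisco code): a
frame-level model of the 'deny any any aarp / permit any any' MAC ACL
above, to show why it stops AARP but lets AppleTalk data frames through.

Assumptions the page does not state: EtherTalk Phase 2 carries AppleTalk
DDP in 802.3/LLC/SNAP frames with protocol id 0x809B, AARP uses 0x80F3,
and the switch's 'aarp' keyword matches that protocol id.  All frames
below are constructed test data, not captures.
"""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_APPLETALK = 0x809B   # DDP
ETHERTYPE_AARP = 0x80F3        # AppleTalk ARP

# ACE list in evaluation order: (action, ethertype to match, or None for "any")
ACL_DENY_APPLETALK = [("deny", ETHERTYPE_AARP), ("permit", None)]


def ethertype_of(frame: bytes) -> Optional[int]:
    """Return the EtherType / SNAP protocol id of an Ethernet II or 802.3 SNAP frame."""
    if len(frame) < 14:
        return None
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:            # Ethernet II: the field is an EtherType
        return type_or_len
    # 802.3 length field; SNAP is LLC DSAP=SSAP=0xAA, ctrl=0x03, then OUI(3) + PID(2)
    if len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":
        return struct.unpack("!H", frame[20:22])[0]
    return None                          # raw 802.3 or non-SNAP LLC: no EtherType


def acl_action(acl, frame: bytes) -> str:
    """First matching ACE wins; a frame that matches nothing hits the implicit deny."""
    et = ethertype_of(frame)
    for action, match_et in acl:
        if match_et is None or match_et == et:
            return action
    return "deny"


def snap_frame(dst: bytes, src: bytes, oui: bytes, pid: int, payload: bytes) -> bytes:
    body = b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body


def ethernet2_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample traffic (hypothetical MAC addresses).
BCAST = bytes.fromhex("ffffffffffff")
HOST_A = bytes.fromhex("001122334455")
SAMPLE_FRAMES = {
    "aarp_request": snap_frame(BCAST, HOST_A, b"\x00\x00\x00", ETHERTYPE_AARP, b"\x00" * 28),
    "ddp_data": snap_frame(BCAST, HOST_A, b"\x08\x00\x07", ETHERTYPE_APPLETALK, b"\x00" * 20),
    "ipv4": ethernet2_frame(BCAST, HOST_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
}


def classify(acl=ACL_DENY_APPLETALK, frames=SAMPLE_FRAMES) -> dict:
    """Verdict per sample frame under the given ACL."""
    return {name: acl_action(acl, frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:13s} -> {verdict}")
```

Only the AARP frame is dropped; the DDP data frame and the IPv4 frame fall through to `permit any any`, which is exactly the "not blocking actual AppleTalk" caveat in the reply. Removing the final permit entry makes every other frame hit the implicit deny, which is the mistake to watch for when applying the ACL to all ports.
-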
Mac access-list enable on catalyst 2924xl ??
Does the command mac access-list run on a Catalyst 2924 switch running 2900XL IOS version 12.0(5)WC12?
thanks
Hi,
2900/3500 XLs do not support ACLs.
regards,
-amit singh -
OK, we have a MAC access list that is set and we want it set only on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not tied to the SSID nor to any interface for that SSID:
dot11 association mac-list 701
I just can't figure out where to move it and how. Any help would be great.
Here is my config:
BER-AP18#show running-config
Building configuration...
Current configuration : 11695 bytes
! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname BER-AP18
enable secret 5 SECRET
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain name domain.com
ip name-server 10.0.36.73
ip name-server 10.0.36.38
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 701
dot11 vlan-name Wireless vlan 22
dot11 ssid SWLAN
vlan 36
authentication open mac-address mac_methods
dot11 ssid WSLAN
vlan 22
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 SECRET
crypto pki trustpoint TP-self-signed-689020510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-689020510
revocation-check none
rsakeypair TP-self-signed-689020510
username WirelessAdmin privilege 15 password 7 SECRET
username 00166f44ec4f password 7 075F711D185F1F514317085802
username 00166f44ec4f autocommand exit
username 00166f46e83c password 7 15425B5D527C2D707E366D7110
username 00166f46e83c autocommand exit
username 00166f6bc2be password 7 091C1E584F531144090F56282E
username 00166f6bc2be autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 128bit 7 SECRET transmit-key
encryption mode wep mandatory
encryption vlan 2 mode ciphers tkip
encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
encryption vlan 36 mode wep mandatory
encryption vlan 22 mode ciphers tkip
broadcast-key change 30
ssid SWLAN
ssid WSLAN
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
power local 1
no power client local
power client 100
channel 2427
station-role root
rts threshold 2312
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 block-unknown-source
no bridge-group 22 source-learning
no bridge-group 22 unicast-flooding
bridge-group 22 spanning-disabled
interface Dot11Radio0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
bridge-group 36 subscriber-loop-control
bridge-group 36 block-unknown-source
no bridge-group 36 source-learning
no bridge-group 36 unicast-flooding
bridge-group 36 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
no bridge-group 22 source-learning
bridge-group 22 spanning-disabled
interface FastEthernet0.36
encapsulation dot1Q 36
no ip route-cache
bridge-group 36
no bridge-group 36 source-learning
bridge-group 36 spanning-disabled
interface BVI1
ip address 10.0.0.18 255.255.255.0
no ip route-cache
interface BVI22
no ip address
no ip route-cache
ip default-gateway 10.0.0.1
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
access-list 701 permit 0016.6f38.5a75 0000.0000.0000
access-list 701 permit 0016.6f47.2f5a 0000.0000.0000
access-list 701 permit 0016.6f72.8730 0000.0000.0000
access-list 701 permit 0016.6f6b.c156 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
line vty 5 15
access-class 111 in
sntp server 10.0.36.38
end
That looks good. I always get input vs output backwards. If it doesn't block the correct traffic, reverse the direction.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
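A check on the posted config, added here as an example; it is not part of the post or the reply above and not Cisco code. The config stores each MAC-authentication credential as `username <mac> password 7 <hex>`. `service password-encryption` applies only Cisco's reversible type 7 obfuscation (a per-byte XOR against a fixed, published key), so anyone who can read the running config recovers the plaintext. The three ciphertexts are copied from the config above; the `XLAT` key constant is the published type 7 key, which the page itself does not state.

```python
"""Added example, not part of the original post or Cisco's code: recover the
per-MAC credentials that the posted AP config stores as
'username <mac> password 7 <hex>'.  Type 7 is a reversible per-byte XOR
against a fixed, publicly known key, so config read access is enough to
recover the plaintext.  The three ciphertexts are copied from the config
above; XLAT is the published type 7 key (the page does not state it).
"""
import re
from typing import List, Tuple

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

USERNAME_T7_RE = re.compile(r"^username\s+(\S+)\s+password\s+7\s+([0-9A-Fa-f]+)$")


def decode_type7(encoded: str) -> str:
    """Type 7 = two decimal digits of key offset, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: need a 2-digit seed plus even-length hex")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """The inverse transform, to show the scheme is symmetric (not a hash)."""
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


def audit_type7_usernames(config_text: str) -> List[Tuple[str, str, bool]]:
    """For each 'username X password 7 Y' line return (X, plaintext, plaintext == X)."""
    findings = []
    for line in config_text.splitlines():
        m = USERNAME_T7_RE.match(line.strip())
        if m:
            user, enc = m.groups()
            plain = decode_type7(enc)
            findings.append((user, plain, plain == user))
    return findings


# Lines copied from the running config posted above.
POSTED_CONFIG = """
username 00166f44ec4f password 7 075F711D185F1F514317085802
username 00166f44ec4f autocommand exit
username 00166f46e83c password 7 15425B5D527C2D707E366D7110
username 00166f46e83c autocommand exit
username 00166f6bc2be password 7 091C1E584F531144090F56282E
username 00166f6bc2be autocommand exit
"""

if __name__ == "__main__":
    for user, plain, same in audit_type7_usernames(POSTED_CONFIG):
        print(f"{user}: password 7 -> {plain!r}  (equals username: {same})")
```

All three decode to the username itself, which is the normal pattern for local MAC authentication: the "secret" is the MAC address, and the only thing protecting it is who can read the config. Treat `show running-config` output on such an AP as sensitive, and prefer `secret` (type 5 or later) for any credential that is not a MAC.
-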
Hi,
I have a mac acl on a cisco aironet 1260;
access-list 700 permit 000b.6baf.780c 0000.0000.0000
access-list 700 permit 000b.6baf.6cfd 0000.0000.0000
access-list 700 permit 000b.6baf.7225 0000.0000.0000
access-list 700 permit 000b.6bb2.f090 0000.0000.0000
access-list 700 permit 000b.6bb2.f088 0000.0000.0000
access-list 700 permit 000b.6bb2.f089 0000.0000.0000
access-list 700 permit 000b.6baf.756d 0000.0000.0000
access-list 700 permit 000b.6baf.7872 0000.0000.0000
access-list 700 permit 000b.6baf.6d04 0000.0000.0000
It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected, or the MACs that have attempted to connect to the AP. How can I log that info?
REGARDS
Hi,
Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and you can then filter on that.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
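An offline evaluator for numbered 700-799 MAC access lists, added here as an example; it is not part of either post above and not Cisco code. It serves the `access-list 701` list posted with the BER-AP18 config and the `access-list 700` list on the 1260: given the ACEs and a list of station MACs, it reports which stations the AP would refuse, which is the audit list the 1260 question asks for. The semantics assumed are first-match in order, a wildcard mask in which a 1 bit means "don't care", and an implicit deny for anything that matches no entry. The ACEs are copied from the post; the station MACs are constructed.

```python
"""Added example (not part of either post, not Cisco code): evaluate a
numbered 700-799 MAC access-list the way the AP does, so the lists posted
above can be checked offline and the rejected stations listed for an audit.
Assumed semantics: entries are tested in order, the second field is a
wildcard mask where a 1 bit means "don't care", and a MAC that matches
nothing hits the implicit deny.  Station MACs below are constructed; the
ACEs are copied from the post.
"""
import re
from typing import Dict, List, Tuple

ACE_RE = re.compile(
    r"^access-list\s+(\d{3})\s+(permit|deny)\s+([0-9a-f.]{14})\s+([0-9a-f.]{14})$", re.I)
MAC_MASK = (1 << 48) - 1

Ace = Tuple[str, int, int]  # (action, address, wildcard)


def mac_to_int(mac: str) -> int:
    """Accept dotted (0016.6f38.5a75), colon or dash notation."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if len(digits) != 12 or not all(c in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_mac_acls(config_text: str) -> Dict[int, List[Ace]]:
    """Collect 'access-list 7xx permit|deny <mac> <wildcard>' lines by list number."""
    acls: Dict[int, List[Ace]] = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, address, wildcard = m.groups()
        number = int(number)
        if not 700 <= number <= 799:
            raise ValueError(f"access-list {number} is not a 48-bit MAC ACL (700-799)")
        acls.setdefault(number, []).append(
            (action.lower(), mac_to_int(address), mac_to_int(wildcard)))
    return acls


def evaluate(aces: List[Ace], mac: str) -> str:
    value = mac_to_int(mac)
    for action, address, wildcard in aces:
        care = ~wildcard & MAC_MASK          # bits the entry actually compares
        if value & care == address & care:
            return action
    return "deny"                            # implicit deny at the end of every ACL


def rejected_stations(aces: List[Ace], macs: List[str]) -> List[str]:
    """The audit list: every station that would be refused association."""
    return [mac for mac in macs if evaluate(aces, mac) == "deny"]


POSTED_ACL_701 = """
access-list 701 permit 0016.6f38.5a75 0000.0000.0000
access-list 701 permit 0016.6f47.2f5a 0000.0000.0000
access-list 701 permit 0016.6f72.8730 0000.0000.0000
access-list 701 permit 0016.6f6b.c156 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
"""

# Constructed: two listed stations (one in colon notation) and two strangers.
SAMPLE_STATIONS = ["0016.6f38.5a75", "00:16:6f:47:2f:5a", "0016.6f38.5a76", "0016.6f72.8731"]


def demo() -> List[str]:
    acl = parse_mac_acls(POSTED_ACL_701)[701]
    return rejected_stations(acl, SAMPLE_STATIONS)


if __name__ == "__main__":
    for mac in demo():
        print(f"rejected: {mac}")
```

The trailing `deny 0000.0000.0000 ffff.ffff.ffff` entry is redundant with the implicit deny but makes the intent visible in `show access-lists`. Bear in mind that a MAC list is a weak control on its own: a station that can see a permitted MAC in the air can clone it, so it should sit alongside, not instead of, WPA2 authentication.
-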
Airport extreme freezes when updating MAC access list on WiFi. What can I do ?
Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
Macpro on 10.7
Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
Thanks
If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
If still no luck, your next option is to perform a Factory Default Reset on the AirPort Extreme to clear out all the current settings and then reconfigure the device again. -
AP1231 crashes when adding Mac to access list
I have a AIR-AP1231G-E-K9 it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
I am using a Mac Access list to restrict users access to it - however when I add an address now it crashes the AP and has to be rebooted.
Is there a limit on MACs, or is this a software bug?
thanks
If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if fixed code is already available.
-
Extended 48-bit MAC address access list
How can I apply extended 48-bit MAC address access list on Cisco 7606?
You can use the following example for the MAC address based access list :
mac access-list extended CAPTURE
permit any any
vlan access-map IDS 10
match mac address CAPTURE
action forward capture
vlan filter IDS vlan-list 115,119
interface FastEthernet 3/48
switchport
switchport capture -
Hi!
I have Linksys SPS224G4.
I'm trying to create a mac access-list and bind it to an interface by using SNMP.
Please advise me in what MIB I can find the OIDs to operate such functions?
These OIDs lie in qosclimib.mib
-
SFE2000 IP Access List is locking up the switch
Hi, I'm using a brand new 1 x SFE2000, 1 x RV082 as router and 2 x WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs: the first would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used by the computer tech to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 VLANs. The switch is on layer 3 protocol.
Here is my problem: as soon as I activate the IP access list, the switch locks up and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... MAC access list is working perfectly.
I have the latest firmware...
Any advice would be welcome!
Thanks a lot!
I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
Or the whole config (default login. also attached)
interface range ethernet e(2-4)
switchport mode access
exit
vlan database
vlan 1-3
exit
interface ethernet e2
switchport access vlan 1
exit
interface ethernet e5
switchport trunk native vlan 1
exit
interface ethernet e3
switchport access vlan 2
exit
interface ethernet e5
switchport trunk allowed vlan add 2
exit
interface ethernet e4
switchport access vlan 3
exit
interface ethernet e5
switchport trunk allowed vlan add 3
exit
interface vlan 1
ip address 192.168.11.254 255.255.255.0
exit
interface vlan 2
ip address 192.168.12.254 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.254 255.255.255.0
exit
interface vlan 100
ip address 192.168.1.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.11.253
ip access-list ACL1
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
exit
interface ethernet e2
service-acl input ACL1
exit
interface ethernet e3
service-acl input ACL1
exit
interface ethernet e4
service-acl input ACL1
exit
interface ethernet e5
service-acl input ACL1
exit
username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted
username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
-
MAC-Adress Filtering vs. Access - Lists
We are using two WLC 4400 Series Controller for our Guest WLAN. They are installed the way Cisco Recommends . One in our LAN and one in the DMZ.
I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
With MAC address filtering I can only permit access to a specific WLAN, or is there a way to negate such a filter to use it for a denial?
Is there a possibility to use access lists for the denial of specific MAC addresses to a specific WLAN?
Anyone another good idea how to solve this issue?
Well... A MAC-address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address? Create a username/password webauth page. The credentials can be changed each day or week depending... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO to push out the wireless policy and lock out the feature to add a wireless network.
-
I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router, and hence wanted to use a mac-address access list.
I have created an access list as follows:
access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
Can anyone confirm if this is possible on a router or does this only work on a switch?
No, it's the Ethernet local LAN interface of a routed link, so there's no bridging going on.
Config below:
interface FastEthernet0
description Mufulira Post Office Post Office LAN
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
speed auto
full-duplex
no cdp enable
IP access list 120 defines just a single host allowed in to a group of servers.
I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a wireless backhaul link and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPsec 3DES over the routed portion of the link. -
Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet - just .1 - .50.
Thank you,
Thomas Reiling
Hi there,
If using SSH make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet boundary.
To get it exactly
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad -
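The arithmetic behind Brad's two ACLs, added here as an example; it is not part of his reply and not a Cisco tool. A standard ACL entry with a wildcard mask can only express a block that is a power of two in size and aligned to its size, so a range such as .1 to .50 needs several entries while .0 to .63 needs one. The greedy split below computes the fewest aligned blocks for any range, renders them as IOS lines, and checks addresses against the result the way the router matches them. The ACL number and remark text are placeholders.

```python
"""Added example, not part of Brad's reply or of any Cisco tool: compute the
wildcard-mask entries that cover an arbitrary host range such as
192.168.200.1-192.168.200.50, render them as a standard ACL and check an
address against the result.  A wildcard mask can only express an aligned
power-of-two block, which is why a range off a subnet boundary needs
several entries.  The greedy split is mine; ACL number and remark text
are placeholders.
"""
import ipaddress
from typing import List, Tuple

Block = Tuple[str, str]   # (network address, wildcard mask)


def wildcard_blocks(first: str, last: str) -> List[Block]:
    """Cover first..last (inclusive) with the fewest aligned power-of-two blocks."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is after last")
    blocks: List[Block] = []
    while start <= end:
        size = 1
        # grow while the block stays aligned at 'start' and does not overshoot 'end'
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(start)),
                       str(ipaddress.IPv4Address(size - 1))))
        start += size
    return blocks


def standard_acl(number: int, blocks: List[Block], remark: str) -> List[str]:
    """Render the blocks as IOS standard ACL lines, ending with an explicit logged deny."""
    lines = [f"access-list {number} remark {remark}"]
    for net, wild in blocks:
        if wild == "0.0.0.0":
            lines.append(f"access-list {number} permit host {net}")
        else:
            lines.append(f"access-list {number} permit {net} {wild}")
    lines.append(f"access-list {number} deny any log")
    return lines


def permitted(blocks: List[Block], ip: str) -> bool:
    """Match the way the router does: bits set in the wildcard are ignored."""
    value = int(ipaddress.IPv4Address(ip))
    for net, wild in blocks:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wild))
        if (value & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF):
            return True
    return False


if __name__ == "__main__":
    exact = wildcard_blocks("192.168.200.1", "192.168.200.50")
    print("\n".join(standard_acl(1, exact, "ALLOW MANAGEMENT")))
    rounded = wildcard_blocks("192.168.200.0", "192.168.200.63")
    print("\n".join(standard_acl(1, rounded, "ALLOW MANAGEMENT (rounded to /26)")))
```

The exact range takes eight entries (.1, .2-.3, .4-.7, .8-.15, .16-.31, .32-.47, .48-.49, .50). The rounded `0.0.0.63` version is one line but also admits .0 and .51 through .63, so it is only the simpler choice if nothing untrusted can ever hold those addresses; `permitted()` makes that difference explicit before the ACL goes on the vty lines.
-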
ASR 5000 access list for ssh and telnet
Dears,
how can we apply an access list for telnet and ssh on asr 5k ?
please advise if this is feasible.
thx.
Hello Joseph,
Sorry for the delay in response.
To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
For example:
config
context local
no server telnetd
#exit
System Administration Guide of the relevant version will give you detailed information in this regard.
Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
You can find other guides here: http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
Hope this helps..
Regards
Aneesh