WS-C3524-XL-EN, mac access-list, ssh

Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the latest IOS running on it, support SSH and MAC access-lists to secure the port by MAC address?
Thanks

There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for the 3550 and look for the link.

Similar Messages

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list in the range 700-799.
    A sample statement would be: access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • MAC access-list to deny appletalk

    Can I use a mac access-list to deny AppleTalk frames only, without affecting other frames, on a Cat3560?

    Hi,
    I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
    cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
    As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
    Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
    mac access-list extended DenyAppletalk
    deny   any any aarp
    permit any any
    And then apply that ACL to each interface:
    #(config-if) mac access-group DenyAppletalk in
    So you will not be blocking actual AppleTalk, but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info, but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
    I've never tried this or seen this work myself but you may want to give it a go and let us know?
    Herbert

  • Mac access-list enable on catalyst 2924xl ??

    Does the command mac access-list run on a Catalyst 2924 switch running 2900xl IOS version 12.0(5)WC12?
    Thanks

    Hi,
    2900/3500 XLs do not support ACLs.
    regards,
    -amit singh

  • Move a mac access-list

    Ok, we have a mac-access list that is set and we want it only set on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not defined to the SSID nor any interface for that SSID:
    dot11 association mac-list 701
    I just can't figure out where to move it and how.  Any help would be great.
    Here is my config:
    BER-AP18#show running-config
    Building configuration...
    Current configuration : 11695 bytes
    ! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    ! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname BER-AP18
    enable secret 5 SECRET
    clock timezone EST -5
    clock summer-time EDT recurring
    ip subnet-zero
    ip domain name domain.com
    ip name-server 10.0.36.73
    ip name-server 10.0.36.38
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 association mac-list 701
    dot11 vlan-name Wireless vlan 22
    dot11 ssid SWLAN
       vlan 36
       authentication open mac-address mac_methods
    dot11 ssid WSLAN
       vlan 22
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 SECRET
    crypto pki trustpoint TP-self-signed-689020510
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-689020510
    revocation-check none
    rsakeypair TP-self-signed-689020510
    username WirelessAdmin privilege 15 password 7 SECRET
    username 00166f44ec4f password 7 075F711D185F1F514317085802
    username 00166f44ec4f autocommand exit
    username 00166f46e83c password 7 15425B5D527C2D707E366D7110
    username 00166f46e83c autocommand exit
    username 00166f6bc2be password 7 091C1E584F531144090F56282E
    username 00166f6bc2be autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 128bit 7 SECRET transmit-key
    encryption mode wep mandatory
    encryption vlan 2 mode ciphers tkip
    encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
    encryption vlan 36 mode wep mandatory
    encryption vlan 22 mode ciphers tkip
    broadcast-key change 30
    ssid SWLAN
    ssid WSLAN
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    power local 1
    no power client local
    power client 100
    channel 2427
    station-role root
    rts threshold 2312
    l2-filter bridge-group-acl
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    bridge-group 22 subscriber-loop-control
    bridge-group 22 block-unknown-source
    no bridge-group 22 source-learning
    no bridge-group 22 unicast-flooding
    bridge-group 22 spanning-disabled
    interface Dot11Radio0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    bridge-group 36 subscriber-loop-control
    bridge-group 36 block-unknown-source
    no bridge-group 36 source-learning
    no bridge-group 36 unicast-flooding
    bridge-group 36 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    l2-filter bridge-group-acl
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    no bridge-group 22 source-learning
    bridge-group 22 spanning-disabled
    interface FastEthernet0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    no bridge-group 36 source-learning
    bridge-group 36 spanning-disabled
    interface BVI1
    ip address 10.0.0.18 255.255.255.0
    no ip route-cache
    interface BVI22
    no ip address
    no ip route-cache
    ip default-gateway 10.0.0.1
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    access-list 701 permit 0016.6f38.5a75   0000.0000.0000
    access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
    access-list 701 permit 0016.6f72.8730   0000.0000.0000
    access-list 701 permit 0016.6f6b.c156   0000.0000.0000
    access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    access-class 111 in
    line vty 0 4
    access-class 111 in
    line vty 5 15
    access-class 111 in
    sntp server 10.0.36.38
    end

    that looks good.  I always get input vs output backwards.  If it doesn't block the correct traffic, reverse the direction.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Mac access-list

    Hi,
    I have a mac acl on a cisco aironet 1260;
    access-list 700 permit 000b.6baf.780c   0000.0000.0000
    access-list 700 permit 000b.6baf.6cfd   0000.0000.0000
    access-list 700 permit 000b.6baf.7225   0000.0000.0000
    access-list 700 permit 000b.6bb2.f090   0000.0000.0000
    access-list 700 permit 000b.6bb2.f088   0000.0000.0000
    access-list 700 permit 000b.6bb2.f089   0000.0000.0000
    access-list 700 permit 000b.6baf.756d   0000.0000.0000
    access-list 700 permit 000b.6baf.7872   0000.0000.0000
    access-list 700 permit 000b.6baf.6d04   0000.0000.0000
    It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected, or the MAC addresses that have attempted to connect to the AP. How can I log that info?
    REGARDS

    Hi,
    Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and you can then filter on that.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Airport extreme freezes when updating MAC access list on WiFi. What can I do ?

    Trying to add a new PC on the WiFi network, the control is via MAC addresses. I can enter the new MAC address, and description, but airport freezes when I try to update. The only way I can get back is unplug / replug airport, but then it is not updated with the new address.
    Macpro on 10.7
    Airport extreme 802.11n 1st gen (7.5.2 with airport utility 5.5.3)
    Thanks

    If you have not already done so, try temporarily connecting an Ethernet cable from your Mac to one of the LAN <-> ports on the AirPort Extreme. Then open AirPort Utility, make the changes you need and see if the AirPort Extreme will Update correctly. If it does, you can disconnect the Ethernet cable.
    If still no luck, your next option is to perform a Factory Default Reset on the AirPort Extreme to clear out all the current settings and then reconfigure the device again.

  • AP1231 crashes when adding Mac to access list

    I have an AIR-AP1231G-E-K9; it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
    I am using a MAC access list to restrict user access to it; however, when I add an address now it crashes the AP and it has to be rebooted.
    Is there a limit on MACs, or is this a software bug?
    thanks

    If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

  • Extended 48-bit MAC address access list

    How can I apply extended 48-bit MAC address access list on Cisco 7606?

    You can use the following example for the MAC address based access list :
    mac access-list extended CAPTURE 10
    permit any any
    vlan access-map IDS 10
    match mac address CAPTURE
    action forward capture
    vlan filter IDS vlan-list 115,119
    interface FastEthernet 3/48
    switchport
    switchport capture

  • Access-list through SNMP

    Hi!
    I have Linksys SPS224G4.
    I'm trying to create a mac access-list and bind it to an interface by using SNMP.
    Please advise me in which MIB I can find the OIDs to operate such functions.

    These OIDs lie in qosclimib.mib

  • SFE2000 IP Access List is locking up the switch

    Hi, I'm using a brand new 1 x SFE2000, 1 x RV082 as router and 2 x WAP2000 with Linksys power injectors in my network. I would like to have 3 VLANs. The first one would be a management VLAN, the second an admin VLAN and the last one a customer VLAN. Management would be used for computer techs to manage the equipment. The admin VLAN would be used for all the employees; the AD Win2k8 server will be on this VLAN too. The customer VLAN would be used only to get to the internet. VLAN 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 VLANs. The switch is on layer 3 protocol.
    Here is my problem: as soon as I activate the IP access list, the switch locks up and the only way I can get it to work is to go back to a previously saved config without the IP access list activated. I'm activating the IP access list with all access to any VLAN... and still the same problem... The MAC access list is working perfectly.
    I have the latest firmware...
    Any advice would be welcome!
    Thanks a lot!

    I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
    permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
    permit ip 192.168.11.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
    Or the whole config (default login. also attached)
    interface range ethernet e(2-4)
    switchport mode access
    exit
    vlan database
    vlan 1-3
    exit
    interface ethernet e2
    switchport access vlan 1
    exit
    interface ethernet e5
    switchport trunk native vlan 1
    exit
    interface ethernet e3
    switchport access vlan 2
    exit
    interface ethernet e5
    switchport trunk allowed vlan add 2
    exit
    interface ethernet e4
    switchport access vlan 3
    exit
    interface ethernet e5
    switchport trunk allowed vlan add 3
    exit
    interface vlan 1
    ip address 192.168.11.254 255.255.255.0
    exit
    interface vlan 2
    ip address 192.168.12.254 255.255.255.0
    exit
    interface vlan 3
    ip address 192.168.3.254 255.255.255.0
    exit
    interface vlan 100
    ip address 192.168.1.254 255.255.255.0
    exit
    ip route 0.0.0.0 0.0.0.0 192.168.11.253
    ip access-list ACL1
    permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
    permit ip 192.168.11.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
    exit
    interface ethernet e2
    service-acl input ACL1
    exit
    interface ethernet e3
    service-acl input ACL1
    exit
    interface ethernet e4
    service-acl input ACL1
    exit
    interface ethernet e5
    service-acl input ACL1
    exit
    username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted
    username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted

  • MAC-Address Filtering vs. Access-Lists

    We are using two WLC 4400 Series Controller for our Guest WLAN. They are installed the way Cisco Recommends . One in our LAN and one in the DMZ.
    I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
    With MAC-address filtering I can only permit access to a specific WLAN, or is there a way to negate such a filter to use it for a denial?
    Is there a possibility to use access lists for the denial of specific MAC addresses to a specific WLAN?
    Does anyone have another good idea how to solve this issue?

    Well... a MAC-address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address. Create a username/password webauth page. The credentials can be changed each day or week, depending.... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO to push out the wireless policy and lock out the feature to add a wireless network.

  • Mac-address access lists

    I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router, and hence wanted to use a mac-address access list.
    I have created an access list as follows:
    access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
    Can anyone confirm if this is possible on a router or does this only work on a switch?

    No, it's the Ethernet local LAN interface of a routed link, so no bridging going on.
    Config below:
    interface FastEthernet0
    description Mufulira Post Office Post Office LAN
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 120 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    speed auto
    full-duplex
    no cdp enable
    IP access list 120 defines just a single host allowed in to a group of servers.
    I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a wireless backhaul link, and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.

  • Simple SSH Access-List Question

    I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
    Thank you,
    Thomas Reiling

    Hi there,
    If using SSH, make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet barrier.
    To get it exactly:
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log
    It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny   any log
    Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
    line vty 0 4
    access-class 1 in
    transport input ssh
    password blahblah
    That ought to do it.
    good luck!
    Brad
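Brad's wildcard-mask breakdown can be generated and checked mechanically. The following Python script is an added example (not code from the thread): it splits an inclusive address range into the aligned power-of-two blocks a standard ACL entry can express, renders the `access-list` lines, and evaluates an address against the list with the same first-match, implicit-deny semantics IOS uses. Like Brad's list it starts at .0 (the network address, which no host uses) to keep the list short; starting strictly at .1 produces eight permit lines instead of four.

```python
import ipaddress


def range_to_blocks(first: str, last: str):
    """Split an inclusive IPv4 range into the fewest aligned power-of-two
    blocks. Each block is (network_int, size): size is a power of two and
    network_int is aligned to it, which is exactly what one standard-ACL
    network/wildcard entry can express."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    blocks = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned and still fits in the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, size))
        lo += size
    return blocks


def acl_entries(number: int, first: str, last: str):
    """Render a numbered standard ACL permitting first..last, closed by an
    explicit logged deny (the same shape as the answer above)."""
    lines = []
    for net, size in range_to_blocks(first, last):
        net_s = str(ipaddress.IPv4Address(net))
        if size == 1:
            lines.append(f"access-list {number} permit host {net_s}")
        else:
            # Wildcard mask: 1 bits are "don't care", so a block of `size`
            # addresses has wildcard size - 1 (32 addresses -> 0.0.0.31).
            wild = str(ipaddress.IPv4Address(size - 1))
            lines.append(f"access-list {number} permit {net_s} {wild}")
    lines.append(f"access-list {number} deny any log")
    return lines


def acl_permits(entries, addr: str) -> bool:
    """Evaluate a standard ACL the way IOS does: entries are tested in
    order, the first match decides, and an unmatched address is denied."""
    a = int(ipaddress.IPv4Address(addr))
    for line in entries:
        fields = line.split()
        action = fields[2]
        if action == "remark":
            continue
        if fields[3] == "any":
            return action == "permit"
        if fields[3] == "host":
            net, wild = int(ipaddress.IPv4Address(fields[4])), 0
        else:
            net = int(ipaddress.IPv4Address(fields[3]))
            wild = int(ipaddress.IPv4Address(fields[4]))
        # Compare only the bits the wildcard marks as significant.
        if (a & ~wild) == (net & ~wild):
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    for line in acl_entries(1, "192.168.200.0", "192.168.200.50"):
        print(line)
```

Swapping the arguments for "192.168.200.1" shows why Brad accepts the .0 address: the strictly correct list is twice as long for no practical gain.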

  • ASR 5000 access list for ssh and telnet

    Dears,
    how can we apply an access list for telnet and ssh on asr 5k ?
    please advise if this is feasible.
    thx.

    Hello Joseph,
    Sorry for the delay in response.
    To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
    For example:
    config
    context local
    no server telnetd
    #exit
    System Administration Guide of the relevant version will give you detailed information in this regard.
    Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
    You can find other guides here:  http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
    Hope this helps..
    Regards
    Aneesh
