Deny all MACs (router) except for permit?
I want to block my LAN interface from having other devices plugged into it.
Meaning, I only want 3 devices (1 firewall, 2 backup Ciscos) to ever work on that port. This is a router Ethernet interface, a 2821.
Would the config below work?
config terminal
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
int GigabitEthernet0/1
no ip address
bridge-group 1 {input-address-list 700 | output-address-list 700}
exit
int bvi1
ip address 10.10.3.1 <subnet-mask>
exit
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 700 permit c0ea.e418.7cca 0000.0000.0000
access-list 700 permit 0015.63c2.e7b1 0000.0000.0000
access-list 700 permit 0015.63c2.e7b0 0000.0000.0000
Comments
al3kt.R*** Member Posts: 118
Have a look at this post: https://supportforums.cisco.com/thread/10673
It will give you enough clues to follow.
Your config seems OK at first, BUT watch the order in your MAC ACL; I fear you are effectively denying everything, m8. First put the permitted MACs, then the explicit deny ALL!!!
In addition, I believe, for your requirements, you only need input-address-list and not the output one.
"Tigranes: Good heavens! Mardonius, what kind of men have you brought us to fight against? Men who do not compete for possessions, but for honour." --- Herodotus, The Histories
"Nipson anomemata me monan opsin" --- Gregory of Nazianzus
"Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days." --- Bruce Schneier Facts
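To see why the order matters, here is an added simulation (my own, not code from the thread or from Cisco) of how IOS walks a numbered MAC ACL: the first matching entry wins, a wildcard bit set to 1 means "don't care", and an ACL that matches nothing ends in an implicit deny. It parses the four access-list 700 lines as posted and in the permit-first order the reply recommends; the probe MAC 0000.0c12.3456 is a constructed example of an unknown device.

```python
import re

# One MAC ACL entry as IOS writes it: "access-list 700 {permit|deny} MAC WILDCARD"
ENTRY = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I)

def mac_to_int(mac):
    """'c0ea.e418.7cca' -> 48-bit integer."""
    return int(mac.replace(".", ""), 16)

def parse_acl(config, number):
    """Return the (action, mac, wildcard) entries of one numbered ACL, in config order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2).lower(), mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries

def evaluate(entries, mac):
    """First match wins; a 1 bit in the wildcard is ignored when comparing.
    Falling off the end of the list is the implicit deny every IOS ACL has."""
    addr = mac_to_int(mac)
    for action, value, wildcard in entries:
        if (addr & ~wildcard) == (value & ~wildcard):
            return action
    return "deny"

# Constructed samples: the ACL exactly as posted, and the same lines permit-first.
AS_POSTED = """
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 700 permit c0ea.e418.7cca 0000.0000.0000
access-list 700 permit 0015.63c2.e7b1 0000.0000.0000
access-list 700 permit 0015.63c2.e7b0 0000.0000.0000
"""
CORRECTED = """
access-list 700 permit c0ea.e418.7cca 0000.0000.0000
access-list 700 permit 0015.63c2.e7b1 0000.0000.0000
access-list 700 permit 0015.63c2.e7b0 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

def decisions(config, macs, number=700):
    """Map each probe MAC to the action the ACL would take on it."""
    entries = parse_acl(config, number)
    return {mac: evaluate(entries, mac) for mac in macs}

if __name__ == "__main__":
    probes = ["c0ea.e418.7cca", "0015.63c2.e7b0", "0000.0c12.3456"]
    print("as posted :", decisions(AS_POSTED, probes))   # every MAC -> deny
    print("corrected :", decisions(CORRECTED, probes))   # listed MACs permit, unknown deny
```

Because the deny-any line at the end of the corrected list only duplicates the implicit deny, dropping it changes nothing; leaving it in makes the intent explicit in `show access-lists` output.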
darkerz Member Posts: 431
Ouch, that order is pretty important. ACL permit and deny rules 101, D'oh!
Glad I held off and decided to lab it today.
Any other insights?
Also, thank you for the link. Bookmarked.
al3kt.R*** Member Posts: 118
Hello again, m8.
Why don't you try a different approach that will ease things up, provided that you can find and use a small (e.g. 8-port or 5-port) switch, and employ port security features on its ports, effectively allowing only the MAC addresses you'd like on every port. Remember to allow one port for your 2821 and configure its MAC statically in this port's port security with maximum allowed MACs = 1. Do the same with your other 3 devices, either allowing 3 MACs per port (so that ports are interchangeable between your devices) and only those, or allowing them on a 1-MAC-per-port basis with only this MAC allowed.
Cheers my friend and good luck with your scenario!!!
PS: MAC security is easily beatable (MAC spoofing/changing is relatively easy for any given device and for users of mainstream capabilities).