Deny All MAC's (Router) except for permit?

I want to block my LAN interface from having other devices plugged into it.

Meaning, I only want 3 devices (1 firewall, 2 backup ciscos) to ever work in that port. This is a router ethernet interface, a 2821.

Would the config below work?

/

config terminal
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
int GigabitEthernet0/1
no ip address
bridge-group 1 {input-address-list 700 | output-address-list 700}
exit
int bvi1
10.10.3.1
exit

:
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 700 permit c0ea.e418.7cca 0000.0000.0000
access-list 700 permit 0015.63c2.e7b1 0000.0000.0000
access-list 700 permit 0015.63c2.e7b0 0000.0000.0000

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

al3kt.R***

Have a look at this post https://supportforums.cisco.com/thread/10673
it will give you enough clues to follow.

Your config seems ok at first BUT watch it for the order in your MAC-ACL, I fear you are effectively denying everything m8. First put the permitted MACs, then the explicit deny ALL

!!!
In addition, I believe, for your requirements, you only need input-address-list and not the output one.

darkerz

Ouch, that order is pretty important, ACL perm and deny rules 101, D'Oh!

Glad I held off and decided to lab it today.

Any other insights?

Also, thank you for the link. Bookmarked.

al3kt.R***

Hello again m8.

Why don't you try a different approach that will ease up things provided that you can find and use a small (eg. 8port or 5port) switch and employ port security features on its ports, effectively allowing only the MAC addresses you 'd like on every port. Remember to allow one port for your 2821 and configure its MAC statically in this port's port security with maximum_allowed_MACs=1. The same you do with your other 3 devices either allowing 3 MACs per port (so that ports are interchangeable between your devices) and only those or allowing them on a 1-MAC-per-port basis and only this MAC allowed.

Cheers my friend and good luck with your scenario!!!

PS: MAC security is easily beatable (MAC spoofing/changing is relatively easy for any given device and by users of mainstream capabilities)