Cisco Access List question

Discussion in 'OT Technology' started by Maffy29, Mar 19, 2009.

  1. Maffy29

    Maffy29 Active Member

    Joined:
    Jan 5, 2004
    Messages:
    7,799
    Likes Received:
    6
    Location:
    Pittsburgh, PA
    So I'm programming a Cisco 871 for a small network I am a part of. The users would like to only allow their MAC addresses to connect, thus denying everybody else. I think I found what I'm looking for, but I have a question. The example I found was for blocking specific MAC addresses. Can I reverse that example and have it allow only specific MAC addresses and end with a deny any any?
     
  2. Vito_Corleone

    Vito_Corleone New Member

    Joined:
    Oct 12, 2003
    Messages:
    29,356
    Likes Received:
    0
    Location:
    Tampa, FL
  3. Maffy29

    Awesome. Thanks!
     
  4. Maffy29

    OK, so this didn't work. One of the commands (I forget which) wasn't compatible with my 871 router.

    I am trying to find a solution to lock down access to a list of 23 MAC addresses. Everything I am finding is for a Cisco switch and not a router, at least not my router. The command "switchport" isn't supported either. Anybody know another way I can do this?
     
  5. 7960

    7960 New Member

    Joined:
    Oct 17, 2004
    Messages:
    60,415
    Likes Received:
    0
    Location:
    New England
  6. Vito_Corleone

    It would be helpful if you could post the commands you're using. Are you using "access-list 7xx..."? For MAC based stuff you have to use a numbered ACL (700-799) if there isn't a mac access-list command. Where are you applying the ACL?
     
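The ACL semantics described above (a numbered 700-799 list, evaluated top to bottom, with the "permit the known stations, then deny any any" reversal asked about in the first post) can be checked offline before touching the router. The following Python is an added example written for this thread, not the poster's configuration and not Cisco code; the list text is constructed, and the `access-list <700-799> {permit|deny} <mac> <wildcard>` form, where a wildcard bit of 1 means "ignore this bit", is the IOS syntax assumed here. It goes one step beyond the thread by adding a shadowing check that flags entries placed after the catch-all deny, which is the usual mistake when a 24th station is appended later.

```python
"""Simulate how a Cisco IOS 700-series (48-bit MAC) access list is evaluated.

Added example for this thread; it is not the original poster's configuration
and not Cisco code. The ACL text below is constructed. Syntax assumed:
    access-list <700-799> {permit|deny} <mac> <wildcard>
where a wildcard bit of 1 means "ignore this bit", so 0000.0000.0000 demands an
exact match and ffff.ffff.ffff matches every address ("any").
"""
import re
from typing import List, Tuple

MAC_BITS = (1 << 48) - 1

# Constructed sample: the allow-list design from the thread (permit each known
# station, then an explicit deny any any).
SAMPLE_ACL = """
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
access-list 700 permit 0011.2233.4477 0000.0000.0000
access-list 700 deny   0000.0000.0000 ffff.ffff.ffff
"""

Entry = Tuple[str, int, int]  # (action, address, wildcard)

_LINE = re.compile(
    r"^access-list\s+(7\d\d)\s+(permit|deny)\s+([0-9a-f.:-]+)\s+([0-9a-f.:-]+)$",
    re.IGNORECASE,
)


def mac_to_int(mac: str) -> int:
    """Accept dotted (0011.2233.4455) or colon (00:11:22:33:44:55) notation."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_acl(text: str) -> List[Entry]:
    """Parse the lines of one numbered MAC access list, in the order given."""
    entries: List[Entry] = []
    number = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        num, action, mac, wildcard = m.groups()
        if number is None:
            number = num
        elif num != number:
            raise ValueError(f"mixed list numbers {number} and {num}")
        entries.append((action.lower(), mac_to_int(mac), mac_to_int(wildcard)))
    return entries


def evaluate(acl: List[Entry], mac: str) -> str:
    """Return 'permit' or 'deny' for a source address: first match wins,
    and an address that matches no entry hits the implicit deny."""
    addr = mac_to_int(mac)
    for action, target, wildcard in acl:
        care = ~wildcard & MAC_BITS  # bits the entry actually compares
        if (addr & care) == (target & care):
            return action
    return "deny"


def unreachable_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers every address they would match (e.g. a permit added
    after the deny any any)."""
    dead = []
    for i, (_, t_i, w_i) in enumerate(acl):
        for _, t_j, w_j in acl[:i]:
            care_j = ~w_j & MAC_BITS
            if (w_i & care_j) == 0 and (t_i & care_j) == (t_j & care_j):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for station in ("0011.2233.4455", "00:11:22:33:44:99"):
        print(station, "->", evaluate(acl, station))
    # A station appended after the catch-all deny is silently never reached.
    late = parse_acl(SAMPLE_ACL + "access-list 700 permit 0011.2233.4488 0000.0000.0000\n")
    print("unreachable entries:", unreachable_entries(late))
```

Because IOS ends every list with an implicit deny, the explicit `deny any any` line is not strictly needed for the allow-list to work, but keeping it makes the intent visible in `show access-lists`; the shadowing check exists precisely because a new `permit` typed in afterwards lands below that line and never matches.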
  7. Maffy29

    There are actually two switches, but they aren't Cisco or anything like that. They are just cheap Netgear switches. I know port security would be way quicker.

    This network is a group of us here in Iraq that purchased a satellite dish and service. We just want to keep people out that haven't paid (somebody's roommate, etc.). I know it's not the most secure way to do it, but it will work for what we have.
     
  8. Maffy29

    I wasn't sure where to apply the access list. Is it on the outgoing port or on the Vlan1 that we created? Actually, the access-list commands would work, but I wanted to see if there was something easier first.

    Thank you guys so much for helping!
     
  9. 7960

    The page I linked has specific examples. Did you get the access list working?
     
  10. Maffy29

    Working on it right now. I'll update in a bit.
     
  11. Maffy29

    The access list took to the global config with no problems.

    Now I just need to apply it to the interface. On my router, the modem is plugged into interface FastEthernet4.

    So in order to apply the access list, I will do something like this:

    config t
    int fa4
    ?

    What is next? The link says: dot11 association mac-list 700

    Is that the same thing I will put on mine?
     
  12. 7960

    What's your interface name?

    Do a "show ip int brief" to see the name.
     
  13. Maffy29

    FastEthernet4 has the outgoing IP.

    Vlan1 is the DHCP pool.

    There is also an NVI0. Not sure what that is for...
     
  14. 7960

    sh run

    Paste to Notepad.

    Remove passwords, usernames, and public IP addresses if you want, then post.
     
  15. Maffy29

    There you go.
     
  16. Maffy29

    Bueller? Anybody?
     
  17. 7960

  18. Maffy29

    Yeah, I can get there. That's not what it looks like though. I don't have an Aironet Access Point. I have a Cisco 871 router.
     
  19. 7960

    Fuck. I'm batting 1000. SDM Express comes pre-installed on an 871, so use that to configure it.

    All the info about SDM (you may benefit from reading all this):
    http://www.cisco.com/en/US/products...s_configuration_example09186a00808acf2f.shtml

    Configure open with MAC authentication (a subsection on that page):
    http://www.cisco.com/en/US/products...nfiguration_example09186a00808acf2f.shtml#mac
     
  20. Maffy29

    Nothing in this network is wireless. Will that make a difference?
     
  21. 7960

    SDM Express can do it.

    How are you connecting 23 computers to an 871 without wireless or a switch? Do you have a hub?
     
  22. Maffy29

    There are two hubs in the network.

    One guy here came up with some HP switch. I heard it's programmable. Maybe it can do MAC filtering? I don't have any model numbers or anything yet.

    We are also considering turning off DHCP and going with static IPs and an access list for those.
     
  23. 7960

    SDM Express can do it and comes pre-loaded on your 871. Do it that way.
     
  24. Maffy29

    I have been all through the Cisco SDM (version 12.4) and have seen nothing of the sort. This was the first place I looked, and I found nothing for allowing only specific MAC addresses to have access. I'm sure it's not in there; I would love to be proven wrong.

    I do appreciate everything you have done for me. I know there are tons of easier ways to do this, but I am making the best with what equipment we have to work with.
     
  25. 7960

    I'll check this out tomorrow. I have an 871 under my desk that I'll get running again and check.
     