Hi Everyone, I am having trouble getting our switches to accept SSH connections, or any remote access, based off of MAC addresses. Currently we have an extended ACL set that limits IP address access. The only thing with this is that we have to remote into our desktops just to access site switches, even when we are onsite. So I was looking up how to create an ACL based on MAC address, rather than IP, since each site has a different subnet. I could not find any documentation on this. Does this mean it is not possible? If you can point me in the right direction I would appreciate it. Thank You.
Oh thank you @MHM Cisco World. I can static my desktop easily, as it is not mobile. But I cannot static my laptop IPv4 address. We have 7 sites all with different subnets for WIFI. If I did static the laptop, I would not have access to other sites as the Core Router at each site will only see its assigned subnet. I.e., if I static to one school subnet, I will not be routable at another school since it does not recognize the address. This is how it was created long before our department received laptops. Does that make sense? Do you know of any other way to secure access for the laptop?
A MAC ACL in your network will not help you.
The IP will stay the same along the whole path, except in the case where there is NATing.
The MAC address changes from one L3 hop to the other, so a MAC ACL is not the right solution.
What I think is to use L2TP: connect to the edge router via public IP and then use the L2TP private IP for SSH to the switches. This private IP is always used and can be used in the ACL.
If you have the option of using a jumpbox, you can limit the ACL on your mgmt vlan or mgmt interface to this IP and maybe a fallback subnet or IP just in case your jump box is down.
We have similar and went as ahollifield suggested and made admin vlans and just have them in the ACL. We only have 2 sites that admins are at and remotely we just use a console cable, but can be done either way. A bit of work making admin vlans and rules to put you on them, but once it's set up will be a lot easier in the long run.
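The jump box and admin VLAN approaches from the replies above, as an added example that is not from any poster in the thread: a Cisco IOS-style restriction on the vty lines. The ACL name MGMT-SSH and all addresses (RFC 5737 documentation ranges) are constructed placeholders, and the vty line range depends on the platform.

```cisco
! Constructed example: restrict SSH to the switch by source IP.
! MGMT-SSH is a hypothetical ACL name; all addresses are placeholders.
ip access-list standard MGMT-SSH
 remark jump box
 permit host 192.0.2.10
 remark fallback host in case the jump box is down
 permit host 192.0.2.11
 remark admin VLAN subnet, site 1
 permit 198.51.100.0 0.0.0.63
 remark admin VLAN subnet, site 2
 permit 198.51.100.64 0.0.0.63
 remark log anything else that tries to reach the vty lines
 deny any log
!
! Apply the ACL to every vty line and allow SSH only (no Telnet).
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
```

Because the same admin VLAN subnets are listed on every switch, a laptop that lands on the admin VLAN at any site matches the ACL without needing a static address.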