IP access-group with MAC filtering

christoph.ehret
Level 1

Hi,

I read somewhere that "ip access-group" can only be used with ACL numbers between 1 and 199 or from 1300 to 2699. Is it impossible to add an ACL with MAC filtering to ip access-group, as I have to use an ACL number between 700-799 or 1100-1199 for MAC filtering rules?

Or is there another solution to add MAC filtering capabilities to an interface using "ip access-group"?

Thanks

Chris

dan-miley
Level 1

Chris,

You could put 2 separate ACLs on separate ports:

access list "in" (probably the MAC ACL inbound),

access list (IP ACL) "out" on the downstream port.

What exactly are you trying to do?

Dan

Dan,

Is it actually impossible to filter both MAC and TCP on the same port? I mean, is it not possible to put, in the same set of rules, a rule that filters a MAC address and others that filter TCP?

Because, if I have to put an access-group on an interface, I can only specify one as in or out. Do you see what I mean?

Thanks

Chris

And again, Chris,

What exactly are you trying to do?

You're letting us know what your solution is without us knowing what problem you're trying to solve...

Here are the guidelines from Cisco about access lists:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html#wp1000943

Here are the configuration guides (look for your IOS version):

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2005-09,GGLD:en&q=site%3Awww%2Ecisco%2Ecom+Cisco+IOS+configuration+guides

Dan

Hi Dan,

Ok, I should have given an example earlier, sorry.

!-----------------------------------------------
!Begin of example
!Here the interface on which to apply the ACL
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
!Here the ACL
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
!End of example
!----------------------------------------------------

How can I now add a filtering rule, also for inbound traffic, that filters MAC addresses, as I have to use another ACL number than 111 for that (or have I missed something?)? Or is there any other way to do it?

I hope that it is now clear what I am actually trying to do.

Thanks for your help.

Chris

It looks like MAC access lists can only be applied to switch ports, not to routed interfaces. On a 3750 I was testing this on I could not apply a MAC ACL if the port was in routing mode. It worked only if it was on switchport mode. If this device is purely a router, which it looks like it is, you will need to create a MAC access list on another switch port to block.

One possible solution is to use the next device in the line. For example, if this is an edge router, you could have the internal switch that it connects to do the MAC filtering on the switch's switchport.
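A worked configuration for the two-device layout the accepted answer describes, added here as an illustration and not taken from the thread or from Cisco: the edge router keeps its IP ACL 111 exactly as in the original post, and the access switch below it carries the MAC filtering on the Layer 2 port facing the host. The interface names, the ACL name BLOCK-HOST-MAC and the MAC address 0000.1111.2222 are constructed placeholders.

```cisco
! Added example, not from the thread. Interface names, the ACL name and
! the MAC address are constructed placeholders.
!
! --- Edge router: unchanged, IP/TCP filtering only (ACL 111 from the post) ---
interface Ethernet1
 ip access-group 111 in
!
! --- Access switch downstream of the router: MAC filtering on a Layer 2 port ---
! Named extended MAC ACL: drop frames from one source MAC, pass everything else.
mac access-list extended BLOCK-HOST-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
! A port MAC ACL is applied inbound on a switchport; the accepted answer's point
! is that the same binding is refused on a routed ("no switchport") interface.
interface FastEthernet0/1
 description host-facing access port
 switchport mode access
 mac access-group BLOCK-HOST-MAC in
!
! Verification: confirm the ACL contents and that it is bound to the port.
! show access-lists BLOCK-HOST-MAC
! show mac access-group interface FastEthernet0/1
```

One caveat worth checking before relying on this: on the Catalyst 3560/3750 family the port MAC ACL is documented as filtering non-IP frames, while IP frames on the same port are matched by the port's IP ACL. So before using a MAC ACL to stop an IP-speaking host, confirm the behaviour in the ACL chapter of your platform's configuration guide (the links Dan posted are a starting point) and test it on the port in question.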

Ok, thank you very much for your answer.

Chris
