I went through the ASA documentation; there is a "mac-list" configuration command to configure a MAC address access list.
Refer to the link:
under the topic of "Using MAC Addresses to Exempt Traffic from Authentication and Authorization".
It seems the MAC address configured this way is used for authentication and authorization exemption.
Actually, my main purpose is to configure a MAC address access rule and apply it to an ASA 5500 series firewall. As such, I have the questions below and need anybody who knows about MAC address access rules on the ASA 5500 series to help:
1. Can the above mac-list command be used to configure a MAC address list and apply it to a firewall interface in the same way as an IP address list, like "access-group mac-list in interface outside"?
2. When the firewall is in routed mode, can a MAC address access list and rule be applied, and how is it configured?
3. If the MAC address access list and rule can only be applied in transparent mode, then how is the configuration done?
The mac-list can only be used for AAA.
The ASA cannot block by mac address in router mode.
In transparent mode I think the only option is ethertype ACLs:
Remember to rate useful posts.
Thanks for your reply!
I referred to the link you provided. For example, if I want to allow only the MAC address of one host, 00-10-18-18-c3-32 (a MAC address is 12 bits hexadecimal), from Outside to Inside, can the two CLI lines below work? Please advise.
(config)#access-list MAC1 ethertype permit 0x00101818c332 any
(config)#access-group MAC1 in interface Outside
Hi Felipe and all:
Thanks for your reply!
I just thought of one way to do MAC address access control in a transparent firewall: it may be possible by using ARP and ARP-INSPECTION.
By using these two commands to match an IP to a MAC address, that IP can act on behalf of that particular MAC address for the purpose of configuring an IP address access rule.
Is this an alternative way of doing MAC address access control? Can anybody advise or suggest any way? Thanks!
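Added example, not part of the thread and not Cisco's code: a small Python helper that builds the static ARP plus ARP inspection configuration the post above proposes as a stand-in for MAC filtering on a transparent ASA, and that checks the two pitfalls in the earlier CLI attempt. The ethertype keyword of an ASA ACL matches the 16-bit EtherType field of the frame (0x0600 to 0xFFFF), so a 48-bit MAC address is not a valid value there; and the arp command expects the MAC in dotted form (0010.1818.c332). The interface name "inside" and the IP/MAC bindings are constructed for the example.

```python
"""Added example: generate static ARP bindings and enable ARP inspection on a
transparent ASA so that IP-based access rules are tied to known MAC addresses.
The interface name and host list below are constructed, not from the thread."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample bindings (IP, MAC) for the bridge-group member "inside".
ALLOWED_HOSTS: List[Tuple[str, str]] = [
    ("10.1.1.10", "00-10-18-18-c3-32"),
    ("10.1.1.11", "00:10:18:18:c3:33"),
    ("10.1.1.12", "0010.1818.c334"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-10-..., 00:10-..., 0010.1818.c332 or bare hex and return the
    dotted form the ASA arp command uses. Anything that is not 48 bits is rejected."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_valid_ethertype(value: str) -> bool:
    """An ethertype ACL entry takes a 16-bit EtherType (0x0600-0xFFFF).
    A 12-hex-digit value such as 0x00101818c332 is a MAC, not an EtherType."""
    try:
        n = int(value, 16)
    except ValueError:
        return False
    return 0x0600 <= n <= 0xFFFF


def build_arp_config(interface: str, bindings: Iterable[Tuple[str, str]]) -> List[str]:
    """Emit one static arp line per host, then turn on ARP inspection with
    no-flood so ARP packets that do not match a static entry are dropped
    instead of being flooded through the bridge group."""
    lines = []
    for ip, mac in bindings:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines.append(f"arp {interface} {ip} {normalize_mac(mac)}")
    lines.append(f"arp-inspection {interface} enable no-flood")
    return lines


if __name__ == "__main__":
    print("\n".join(build_arp_config("inside", ALLOWED_HOSTS)))
```

Note the limit of this approach: ARP inspection validates ARP packets against the static entries, so it constrains which MAC may claim a given IP on the segment; it does not inspect the source MAC of every data frame, so it is a spoofing mitigation for the bound hosts rather than a per-frame MAC filter.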
While trying the transparent firewall, I ran into one question and need some advice.
Multiple BVI interfaces in different IP subnets can be set in the transparent firewall. The problem is that a transparent firewall is always implemented in one subnet. Then what is the purpose of having multiple BVIs in a transparent firewall? Can anybody help explain the purpose? Many thanks!