filtering traffic on a 2621 router

nielshollatz
Level 1

Hi,

I'm doing a project for school and now I'm stuck...

(I study Network Infrastructure Design in the Netherlands)

I'm trying to control who may gain access to my network and who may not, using a 2621 router and two Catalyst switches (2924 and 3524XL).

MAC filtering using port security on the switch seemed nice, but unfortunately this works only if a single computer is connected to a port. However, in my scenario there is a switch (which isn't Cisco) connected to a port with multiple users behind it (say 4).

Another option is using DHCP with leases bound to MAC addresses, but an IP address is too easy to set up manually on a PC.

Is there a way to control on the router (so not on the switch) which MAC addresses may be routed? Or some simple program which does the same as URT, with user authentication based on MAC address?

I hope my question is clear; it's hard to explain what I want, because I don't know it myself for 100%.

Thanks,

Niels

14 Replies

jackyoung
Level 6

I believe you can configure the access-list by using Ethernet access to filter or block the unwanted MAC address.

Check this link.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html

Hope this helps.

Thank you,

I think this could be it. I tried to configure the ACL, but at the moment I want to bind the ACL to the interface (ip access-group) I can't define ACL 1100 nor 700, just the usual 1-199 (IP standard and extended) and 1300-2699 (IP expanded).

what's the trick to bind an Extended 48-bit MAC address access list to an interface?

lgijssel
Level 9

Hello Niels,

You could revert to the more administrative tricks.

For example: you can limit the absolute number of hosts on a subnet that are able to pass the router by using an ACL. This would require everyone to request access from you.

In that way, you will always be able to control which PCs are able to pass the router.

A variation on this could be to allow limited access to non-registered users, also using an ACL. Of course the exact implementation would depend on the resources that you want to control.

By the way: which school do you study at?

Regards,

Leo

I think the Extended 48-bit MAC address access list is exactly what I need, because I can register all MAC addresses which are allowed to be routed over the network in the ACL, and if there is no match, the packets will be dropped.

I study at Hogeschool Zuyd in Heerlen.

Can you configure the extended access-list? If you still cannot, I suspect it may be the IOS feature set. I am sorry that I don't have access to the release notes at the moment, so I cannot verify it. If you are already using the Plus or higher feature set, it may be another issue.

Please advise your IOS feature set.

Yes, I am able to configure the list; only when I go to the interface I can choose from the following:

Router(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

My created ACL has the number 1100, since that is the Extended 48-bit MAC address access list (as shown below):

Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP standard access list (expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  rate-limit   Simple rate-limit specific access list

My IOS version:

IOS (tm) C2600 Software (C2600-D-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)

I see. You can configure the ACL but are not able to apply it to the interface. Is it not an Ethernet interface? Can you try to apply the ACL on an Ethernet interface?

Exactly,

the interface I'm trying to bind it to is a FastEthernet (0/1), so that should not be a problem.

When trying to bind it I get the error:

Router(config-if)#ip access-group 1101 out
% Invalid access list name.

But a named ACL is not an option for me, because you cannot filter on MAC addresses via an extended IP ACL.

Can anyone tell me how to apply a 700 or 1100 ACL to a FastEthernet interface? I can only choose from the following:

Router(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

I have found an example of an access list 1101. It looks like you configure it directly on the interface:

interface ethernet 0
 bridge-group 3 output-pattern 1102
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff

Bridged protocols on Ethernet0/3:
  clns decnet vines apollo

Here is the link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca562.html#1017388

Unfortunately the command "access-list" is not known when configuring an interface.

And "ip access-group" won't let me configure ACLs other than IP standard and extended.

I've searched in my Cisco books, and in the CCNA 2 companion guide nothing is mentioned about MAC ACLs.

I can set up a Linux server which acts as a gateway and drops packets from unknown sources... but I'd rather control this on the router.

So far, thank you for your help, and if you have another suggestion I'd love to hear from you.

I prefer not to use QoS on this router.

Thanks,

Niels

nielshollatz
Level 1

Or I can alter the DHCP config in such a way that users who aren't known to me (so unknown MAC addresses) get an IP in a range which can be denied using an IP ACL, while known users get an IP in another range.

However, the downside is that it can be fooled by just taking an IP address in the right subnet.

Please try to use "access-class" on the interface. Sorry, I can't verify it and have no router on hand.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html

I recommend keeping it simple for ease of management and troubleshooting, and to minimize additional problems.

Hope this helps.

nielshollatz
Level 1

Okay, I fixed it using a 2621 router.

I configured the router as a transparent bridge, which enables me to filter on Ethernet addresses.

I will post in a few outlines what I did, so it may help someone who is looking for the same solution:

- First make sure you have disabled IP routing:

router(conf)#no ip routing

- Define a bridge group with the proper protocol:

router(conf)#bridge 1 protocol ieee

- Bind the bridge group to the two interfaces:

router(config-if)#bridge-group 1

Now you have a transparent bridge; all that is left is to define the proper ACL (replace the #### with a MAC address):

router(conf)#access-list 700 permit ####.####.#### 0000.0000.0000

And bind it to both interfaces:

router(config-if)#bridge-group 1 input-address-list 700

Thanks for your help, hope someone may find this useful.
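As an added illustration (not code from the thread or from Cisco) of the 700-range MAC access list used above, and of the "register every allowed MAC, drop everything else" idea from earlier in the thread: the script below turns an allow-list of MAC addresses into the access-list 700 lines in IOS dotted-triplet form and models how the bridge evaluates a frame's source address against them. It assumes IOS wildcard-mask semantics for these lists (mask bits set to 1 are ignored, bits set to 0 must match, first match wins, implicit deny at the end); the MAC addresses are constructed sample values.

```python
import re

# Model of a 700-range 48-bit MAC access list as applied with
# "bridge-group 1 input-address-list 700": entries are (action, address, mask).
# Assumption: mask bits set to 1 are "don't care", bits set to 0 must match,
# the first matching entry wins, and an unmatched frame hits the implicit deny.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MASK48 = 0xFFFFFFFFFFFF

def to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff into an int."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def to_cisco(value: int) -> str:
    """Render a 48-bit int in Cisco dotted-triplet form, e.g. 000c.29aa.bb01."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def build_acl(allowed_macs):
    """One exact-match permit (mask 0000.0000.0000) per registered MAC."""
    entries, seen = [], set()
    for mac in allowed_macs:
        value = to_int(mac)
        if value in seen:          # duplicate registrations add nothing
            continue
        seen.add(value)
        entries.append(("permit", value, 0))
    return entries

def evaluate(entries, src_mac: str) -> str:
    """Return the action the bridge takes for a frame sent from src_mac."""
    value = to_int(src_mac)
    for action, address, mask in entries:
        if (value ^ address) & (~mask & _MASK48) == 0:
            return action          # first match wins
    return "deny"                  # implicit deny at the end of every IOS ACL

def render(entries, number=700):
    """Emit the access-list lines as they would be typed at router(config)#."""
    return [f"access-list {number} {a} {to_cisco(addr)} {to_cisco(m)}"
            for a, addr, m in entries]

if __name__ == "__main__":
    # Constructed allow-list for illustration only, not real hosts.
    acl = build_acl(["00:0c:29:aa:bb:01", "000c.29aa.bb02"])
    print("\n".join(render(acl)))
    for mac in ("00:0c:29:aa:bb:01", "00:0c:29:aa:bb:99"):
        print(mac, "->", evaluate(acl, mac))
```

The `evaluate` function also accepts entries with a non-zero mask, so a single `permit 000c.2900.0000 0000.00ff.ffff` entry covering one OUI can be checked the same way as the exact-match lines the thread uses.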
