Block internet access on a 1921 router using the mac address

cyberhunt
Level 1

How can I block someone's internet access using the MAC address? I only want to block internet access and let all other traffic pass through. Or can I use some sort of an ACL?

 

Thank you in advance.

6 Replies

Seb Rupik
VIP Alumni

Hi there,

You can't use a Layer2 address as a component in a Layer3 ACL.

 

Your best option is to create a DHCP reservation for the MAC address, and create a Layer3 ACL to block internet access for that IP address.

Combine this with DHCP snooping and DAI to stop the user(s) from manually setting their IP addresses to circumvent your ACL.

 

cheers,

Seb.

Hi,

 

Can you maybe tell me how to do that, everything you mentioned?

 

I also have a Layer 3 switch that everything connects to, and my switch connects to my router, which receives the internet connection and distributes it to my network.

It is easier to setup DHCP reservations using a proper DHCP server than a router but the STATIC pool method below should work.

The below has been thoroughly tested in notepad, so your mileage may vary!:

 

!! ROUTER
!
! Dynamic pool for everything else on the LAN
ip dhcp pool LAN01
  network 192.168.1.0 255.255.255.0
  domain-name example.com
  default-router 192.168.1.254
!
! Manual bindings: IOS accepts only one "host" per pool, so each
! reserved MAC address needs its own pool. Windows clients often
! identify themselves by client-identifier (01 followed by the MAC)
! rather than hardware-address; check "show ip dhcp binding" if the
! reservation is not taken.
ip dhcp pool STATIC_100
  host 192.168.1.100 255.255.255.0
  hardware-address aaaa.bbbb.cccc
!
ip dhcp pool STATIC_101
  host 192.168.1.101 255.255.255.0
  hardware-address dddd.eeee.ffff
!
ip dhcp excluded-address 192.168.1.254
!
! Named extended ACL: the action comes before the protocol keyword
ip access-list extended BLOCK_TO_INTERNET
  deny ip host 192.168.1.100 any
  deny ip host 192.168.1.101 any
!
int gi0/0
  desc TO_THE_INTERNET
  ! An outbound ACL on the NAT outside interface is checked after
  ! translation, so if NAT overload lives here the private source
  ! addresses will never match; apply the ACL inbound on gi0/1.10 instead
  ip access-group BLOCK_TO_INTERNET out
!
int gi0/1
  desc TO_THE_SWITCH
  no shut
!
int gi0/1.10
  encap dot1q 10
  ip address 192.168.1.254 255.255.255.0
!
!! SWITCH
!
vlan 10
  name LAN01
!
ip dhcp snooping
ip dhcp snooping vlan 10
! DAI (mentioned above) validates ARP replies against the DHCP snooping
! binding table so a user cannot spoof another host's IP
ip arp inspection vlan 10
!
int gi0/1
  desc TO_THE_ROUTER
  switchport mode trunk
  switchport trunk allowed vlan 10
  ip dhcp snooping trust
  ip arp inspection trust
!
int gi0/2
  desc USER_PORT
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
  ! IP Source Guard: drops packets whose source IP does not match the
  ! DHCP snooping binding for this port
  ip verify source
!

Please share the config of your router to get a better fit.

 

cheers,

Seb.

Hi,

I want to add something that is missing from the ACL configuration:

ip access-list extended BLOCK_TO_INTERNET
  5 deny ip host 192.168.1.100 any
  6 deny ip host 192.168.1.101 any
  100 permit ip any any

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
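As an added example that is not part of the thread, the following Python model shows why the permit line matters: IOS evaluates an ACL top to bottom, the first matching entry wins, and anything that matches nothing hits an implicit deny at the end. It parses the ACL lines as written in the two replies above and evaluates sample flows against them; it also goes one step beyond the thread with a third list that cuts a host off from public addresses only while keeping RFC 1918 destinations reachable. All ACL text, host addresses and destinations are constructed for the example.

```python
"""Minimal first-match evaluator for Cisco IOS named extended ACL lines.

Constructed example: supports 'permit'/'deny' with protocol 'ip',
address specs 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD', optional
leading sequence numbers, and the implicit deny at the end of the list.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Return (network, next_index) for the address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D WILDCARD': a wildcard mask is the bitwise inverse of a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Parse ACL body lines into an ordered list of (action, src_net, dst_net)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.lower().split()
        if tokens[0].isdigit():  # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit trailing deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def has_explicit_permit(entries):
    """Lint: a list meant to block only specific hosts must contain a permit."""
    return any(action == "permit" for action, _, _ in entries)


# Constructed sample lists mirroring the two replies in the thread.
ACL_DENY_ONLY = """
ip access-list extended BLOCK_TO_INTERNET
  deny ip host 192.168.1.100 any
  deny ip host 192.168.1.101 any
"""

ACL_WITH_PERMIT = """
ip access-list extended BLOCK_TO_INTERNET
  5 deny ip host 192.168.1.100 any
  6 deny ip host 192.168.1.101 any
  100 permit ip any any
"""

# Beyond the thread: keep internal (RFC 1918) destinations reachable for the
# blocked host and drop only what would leave for public addresses. Meant for
# the inbound direction on the LAN-facing subinterface, i.e. before NAT.
ACL_INTERNET_ONLY = """
ip access-list extended BLOCK_TO_INTERNET
  permit ip host 192.168.1.100 192.168.0.0 0.0.255.255
  permit ip host 192.168.1.100 10.0.0.0 0.255.255.255
  permit ip host 192.168.1.100 172.16.0.0 0.15.255.255
  deny ip host 192.168.1.100 any
  permit ip any any
"""

if __name__ == "__main__":
    flows = [("192.168.1.100", "8.8.8.8"),
             ("192.168.1.50", "8.8.8.8"),
             ("192.168.1.100", "192.168.2.10")]
    for name, text in [("deny-only", ACL_DENY_ONLY),
                       ("with permit", ACL_WITH_PERMIT),
                       ("internet-only", ACL_INTERNET_ONLY)]:
        acl = parse_acl(text)
        print(f"{name}: explicit permit present = {has_explicit_permit(acl)}")
        for src, dst in flows:
            print(f"  {src} -> {dst}: {evaluate(acl, src, dst)}")
```

Running it shows that the deny-only list denies the unrelated host 192.168.1.50 as well, because nothing in the list matches it and the implicit deny takes over; the list with `permit ip any any` lets that host through while still denying .100 and .101. The `has_explicit_permit` check is the kind of lint worth running over any ACL whose purpose is to block a few hosts rather than everything.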

aye @Deepak Kumar, right you are! ;)

Deepak Kumar
VIP Alumni

Hi,

First, share your network topology. Based on the topology, I can tell you whether you can block internet access or not.

 

Regards,

Deepak Kumar
