cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7092
Views
0
Helpful
19
Replies

block mac based system to access internet

Amit23
Level 4
Level 4

I have a netwokr in which users are getting ip address from DHCP server that is window server.

i want to block some users to access interent by using their device mac address.

i have these devices in my network...

2921 cisco cme router

cisco 2960 switches

cisco 892 cisco internet router

internet ADSL that cnnected with cisco 892...

wireless AP 1142...

i have no firewall or any asa...

please tell how can i block some users for accessing internet but they can access internal network...

for file sharing and prinitng,...

Warm Regard's
Amit Sahrma
19 Replies 19

That's not that easy to achieve ...

If there are not that many devices that need this special treatment, then I would go the following way:

1) On your DHCP-server configure a reservation for these devices so that they get an IP from a reserved IP-range (allign the range on subnet-boundaries).

2) On your Internet-Router, configure an ACL that denies the traffic from this range to the internet or even completely (as desired).

This will only work if your users are not so savvy to change their MAC-addresses to something that is not in your reserved DHCP-Pool.

The technically better way could be to deploy port-based authentication (802.1x) based on MAC-addresses. But that is more complex then the DHCP-solution.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

how cna i reserve my mac with specified ip address of dhcp pool...and how then block that reserve address for accessing internet?

Warm Regard's
Amit Sahrma

Here your example an an idea more well documented (easy documented )

http://cauew.blogspot.ie/2008/08/vacl-vlan-maps-mac-acl.html

Alessio

I don't think that the 2960 supports VACLs ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

MAC filter was the idea and that can be applied. However, that is what Peter found out some time ago:

https://supportforums.cisco.com/thread/2095823

Alessio

Hello Alessio,

You have quite an overview! Yes, indeed - the 2960 Catalysts appear to unofficially support VACLs with the most recent IOS versions. I haven't had any more word from Cisco on that but I guess that once they got it running, they're probably not going to throw this functionality away.

Blocking IP traffic based on MAC addresses is generally difficult on recent Catalyst switches. This is because a MAC ACL applies only to non-IP traffic. In other words, you can not use MAC ACL to filter frames that carry IP packets. This is valid for 2960, 3560 and higher switches. Older switches behaved differently, e.g. the 2950 switch was capable of filtering even IP traffic by a MAC ACL. However, because Sharma has a 2960 switch, the MAC ACLs or VACLs are not an option for him to filter IP traffic based on MAC ACLs.

Remember that if you will filter these guys in order to access the internet, possibly the ACL direction should be out:

ip access-group acl_number out

Ummm, this would not work, sadly, because of two reasons:

  • You cannot refer to a MAC ACL using the ip access-group command. You need to use the mac access-group instead.
  • Low-end Catalysts like 2960 support only the in direction for port ACLs. The out direction is not available

I do not think that the router supports MAC ACLs at all.

In my personal opinion, the correct solution should be:

  • Assign all IP addresses from the DHCP server based on clients' MAC addresses (a static binding on the DHCP server making sure that a single MAC address always gets the same IP address)
  • On the 2960, use the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard to prevent stations from stealing and/or spoofing their IPs or MAC addresses.
  • Perform further filtering based on IP addresses, as the steps above will ensure a 1:1 IP:MAC mapping.

Would this be an acceptable solution for you, Sharma?

Best regards,

Peter

Dear frds...

is it any other way that can use for block these mac address based users to access internet....?

Warm Regard's
Amit Sahrma

You want more possibilities? 

1) What about forcing the users to access the internet through a proxy and authenticate them there? That will help if you want to restrict certain users from accessing the internet and not only users of particular PCs.

2) If you have a flat network, you could remove the default-gateway from the machines that shouldn't go to the internet.

Both solutions can only work if your users don't have admin-rights on their PCs.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dear Guys...

I don't have prosy in my network.....

So if i remove the gateway from my end user pc it will able to access to other system and internal resurces within the network?

if not then how can i go for this issue?

if i assigned ip from DHCP and exclude ffrom DHCP those address...after that apply ACL for block those address to go internet...

would be this work and where to apply and define ACL?

Warm Regard's
Amit Sahrma

So if i remove the gateway from my end user pc it will able to access to other system and internal resurces within the network?

Only the ressources in their own subnet. In your config there are two static routes to networks 172.16.0.0 and 172.16.110.0. For theses Networks the PCs would also need static routes.

if i assigned ip from DHCP and exclude ffrom DHCP those address...after that apply ACL for block those address to go internet...

would be this work and where to apply and define ACL?

Lets assume your restricted users all get IPs in the Range 172.16.100.225-172.16.100.254. Then your router-config needs this addition:

object-group network RFC1918

  10.0.0.0 255.0.0.0

  172.16.0.0 255.240.0.0

  192.168.0.0 255.255.0.0

ip access-list extended INTERNAL-IN

  permit ip any object-group RFC1918

  deny ip 172.16.100.224 0.0.0.31 any

  permit ip any any

interface Vlan100

  ip access-group INTERNAL-IN in

With this config all traffic entering your router on the inside interface is filtered by the ACL INTERNAL-IN. If you later add another internal subnet or VPN to your router, these will probably use IPs from the RFC1918-range, so that traffic is allowed. Then the restricted PCs are not allowed to go anywhere. The rest is again allowed.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dear Sir,

I have aroudn 10-20 users in rnage of 172.16.100.0/24 subnet...

i don't want to block all users...but limited users...as

172.16.100.50

51

55

80

90

110

134

155

188

like these ip address need to block for internet but not to block internal netwokr access with other devices as printer file server and other systems...

how can do for this solution?

Warm Regard's
Amit Sahrma

You have to give these users a reserved IP in the given range. Or in any range you want. Then you have to adjust the ACL.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ok sir!

but if i gave them the ip address in same range as..

172.16.100.50-70/24

then can i apply ACL as you mentioned above message?

thanks

Warm Regard's
Amit Sahrma

Then your ACL has to be written in a different way which is less flexible if you later add other networking-devices to your network:

object-group network RFC1918

  10.0.0.0 255.0.0.0

  172.16.0.0 255.240.0.0

  192.168.0.0 255.255.0.0

object-group network NO-INTERNET

  range 172.16.100.50 172.16.100.70

ip access-list extended INTERNAL-IN

  permit ip any object-group RFC1918

  deny ip object-group NO-INTERNET any

  permit ip any any

interface Vlan100

  ip access-group INTERNAL-IN in

It's better to have the reserved addresses on a subnet-boundary (.32-.63 or 64-91 or something like that.)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Review Cisco Networking for a $25 gift card