09-04-2012 12:56 PM - edited 03-04-2019 05:28 PM
I have a 2811 router that is configured with VPN remote access and I'm trying to block clients based on their MAC address. I tried configuring the
access interface as routing/bridging, configured ACL 750 as a 48-bit MAC address access list and enabled the "bridge-group 1 input-address-list 750" command on the bridged interface, but the only match I got when VPN clients access the LAN is from the router interface.
Internet(VPN) ---> Router1 (FE 0/1) ---> Router1 (FE 0/0) --> Router2 (FE 0/0) --> Router2 (FE 0/1) --> LAN
I tried configuring it on the Router1 (FE 0/0) interface and also on the Router2 (FE 0/0) interface, with the same behaviour. Router2 is used for internal NAT.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
access-list 750 permit d067.e547.83ea <-- My PC MAC Address
access-list 750 permit 001d.a2d0.4810 <-- Interface router MAC Address (All matches here)
access-list 750 deny 0000.0000.0000 ffff.ffff.ffff
interface FastEthernet0/0
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
bridge-group 1 input-address-list 750
interface BVI1
ip address 192.168.137.1 255.255.255.252
ip nat inside
Any ideas that could help me find a solution for this would be great.
Thanks,
09-04-2012 01:34 PM
Hello,
I am afraid it is not possible to filter VPN clients based on their MAC address if this is what you are trying to accomplish. The reason is fairly simple - in IPsec or SSL VPN, only IP packets are tunneled and encrypted, not entire Ethernet frames. Therefore, the filtering you have configured cannot see the clients' MAC addresses and has nothing to act upon.
Is there any particular need for filtering the clients based on their MAC?
Best regards,
Peter
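To make Peter's point concrete, here is a small Python simulation added for this write-up (not from the thread, not Cisco IOS code) that walks a client packet along the path in the original post: the client's IP packet arrives inside ESP, the headend strips the outer IP and ESP headers and is left with a bare IP packet, and Router1 re-frames it onto FE0/0 with its own interface MAC as source, so ACL 750 can only ever match the router interface. The two MAC addresses come from the thread's ACL; the IP addresses and the next-hop MAC are constructed placeholders, and ESP encryption is omitted.

```python
import struct

# Values from the thread: the PC's MAC (ACL 750 permit) and Router1's FE0/0 MAC.
PC_MAC = "d067.e547.83ea"
ROUTER_MAC = "001d.a2d0.4810"
# ACL 750 as configured: (action, address, wildcard); 1-bits in the wildcard are ignored.
ACL_750 = [("permit", PC_MAC, "0000.0000.0000"),
           ("permit", ROUTER_MAC, "0000.0000.0000"),
           ("deny", "0000.0000.0000", "ffff.ffff.ffff")]

def mac_bytes(cisco_mac):
    """'d067.e547.83ea' -> 6 raw bytes."""
    return bytes.fromhex(cisco_mac.replace(".", ""))

def cisco_mac(b):
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))

def build_tunnel_packet(inner_ip):
    """Outer IPv4 + ESP (SPI, sequence) around the inner IP packet, as the VPN client
    sends it over the Internet. No Ethernet header of the client is carried."""
    esp = struct.pack("!II", 0x1000, 1) + inner_ip
    return ipv4_header(50, (203, 0, 113, 10), (198, 51, 100, 1), len(esp)) + esp

def decapsulate(pkt):
    """Headend removes outer IP (20 bytes) and ESP header (8 bytes): a bare IP packet remains."""
    if pkt[9] != 50:
        raise ValueError("not an ESP packet")
    return pkt[28:]

def forward_to_lan(inner_ip, egress_mac, next_hop_mac):
    """Router routes the packet and builds a new frame; the source MAC is its own interface."""
    return mac_bytes(next_hop_mac) + mac_bytes(egress_mac) + b"\x08\x00" + inner_ip

def acl_750_lookup(frame):
    """Evaluate the 48-bit MAC ACL against the frame's source MAC; first match wins."""
    src = frame[6:12]
    for action, mac, wildcard in ACL_750:
        if all((s | w) == (m | w) for s, m, w in zip(src, mac_bytes(mac), mac_bytes(wildcard))):
            return action, cisco_mac(src)
    return "deny", cisco_mac(src)

def trace():
    inner = ipv4_header(6, (10, 10, 10, 5), (192, 168, 137, 2), 0)   # VPN pool host -> LAN host
    pkt = build_tunnel_packet(inner)
    routed = decapsulate(pkt)
    frame = forward_to_lan(routed, ROUTER_MAC, "0011.2233.4455")     # constructed next-hop MAC
    return {"pc_mac_in_tunnel": mac_bytes(PC_MAC) in pkt,   # False: the PC MAC never crosses the tunnel
            "decap_is_ip": routed[0] >> 4 == 4,             # True: IP header, not an Ethernet header
            "acl_match": acl_750_lookup(frame)}             # ('permit', ROUTER_MAC) every time
```

Running `trace()` reproduces the symptom from the original post: the only ACL 750 hit is the router interface's own MAC, because that is the only source MAC that ever appears on FE0/0 for decapsulated VPN traffic.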
09-04-2012 02:21 PM
Hello Peter,
Thanks for your detailed answer; that is bad news for my requirement. Our customer needs to implement this policy because their business needs the highest security that the one who is logging in via the VPN client is an authorized user and PC; it is limited access to a server only from specific users and MAC addresses.
Any other idea how I can solve this?
Thanks again,
Juan Carlos
09-04-2012 02:51 PM
Hello Juan Carlos,
MAC addresses are easily spoofed. Basing the security policy on MAC addresses is not a good idea in my opinion, as it does not provide any real increase in security.
I think that a possible way would be to use certificates issued for either users or PCs. However, I am not experienced enough with that. You should probably ask this question in the Security/VPN section - it is my sincere hope that the experts in that section will be able to help you better.
Best regards,
Peter
09-04-2012 03:25 PM
Ok Peter, you're right, I agree with you. Certificates are the best way to do this; I'll have to read about it. I just wanted to give it a try. It didn't work, but I learned something new today.
Thanks,