Beginner

IP Address restrictions by MAC

I have some users in my network. I have a Dual WAN in my network with a Policy Based Routing. All this is working fine and I get routed to the correct WAN. My question is can the ISA restrict/not allow/block users which have not been registered in my Address Groups by MAC.

Currently I have a DHCP Pool which is routed to use WAN1. My laptop, which is static and registered by MAC in Address Objects, will use WAN2. The routings are working good. How can I block unauthorized hitchhikers from using the WAN2, e.g. taking my static IP? If I could remember, the Cisco RV042 has this feature in the DHCP tab: "Block IP Address with the wrong MAC Address" and "Block unregistered MAC Address".

DHCP pool: 192.168.100.1 - 192.168.100.200

As an extra, I have "Web URL Filtering" enabled. Is it also possible to create some exceptions for the Static IP Users.

Contributor

IP Address restrictions by MAC

Dan,

There are a couple ways to approach this.  The simplest way to deal with the DHCP/MAC issue is to create Address Objects in Address Management for each of the Static devices based on their MAC address instead of IP.  Then create an Address Group that contains all those MAC Address Objects.  Finally apply an Access Rule to the WAN2 interface to allow traffic destined to that MAC Address Group and deny all other.

The second way, taking into consideration your question on Web URL Filtering for those Static users.  Regarding the use of Web URL Filtering and Application Control, I would recommend reading these posts by myself and Ciscomax.

https://supportforums.cisco.com/message/3955016#3955016

https://supportforums.cisco.com/message/3956460#3956460

Short answer is that Web URL Filtering must be applied by Zone and only one policy can be applied to a Zone.  So you could create another Zone and VLAN, one for your DHCP users and one for your Static users.  Then apply your desired profiles to the respective Zone.  If you go this direction, you could also use the same method I outlined above to control WAN 2 access by MAC, but you could apply it to that new VLAN interface as the source instead of the WAN2 interface as the destination.

I hope this helps.  If you have additional questions, please don't hesitate to ask.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
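
Added example, not part of the thread and not ISA500 configuration: a Python audit that applies the two checks discussed above (a static IP seen with the wrong MAC, and an unregistered MAC outside the DHCP pool) to a neighbour table taken from a Linux host on the LAN. The DHCP pool range comes from the original post; the static bindings, MAC addresses and `ip neigh` sample are constructed, and all names are hypothetical.

```python
import ipaddress
import re

# DHCP pool from the original post; everything else below is constructed.
DHCP_FIRST = ipaddress.ip_address("192.168.100.1")
DHCP_LAST = ipaddress.ip_address("192.168.100.200")
# Hypothetical static IP -> registered MAC bindings (the "Address Objects").
STATIC_BINDINGS = {
    "192.168.100.210": "00:1a:2b:3c:4d:5e",
    "192.168.100.211": "00:1a:2b:3c:4d:5f",
}
REGISTERED_MACS = set(STATIC_BINDINGS.values())
# Constructed sample in the format printed by Linux `ip neigh`.
SAMPLE_NEIGH = """\
192.168.100.210 dev eth0 lladdr 00:1A:2B:3C:4D:5E REACHABLE
192.168.100.211 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.100.57 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.100.230 dev eth0 lladdr 02:00:00:00:00:99 DELAY
192.168.100.9 dev eth0  FAILED
"""
# IPv4 entries that carry a link-layer address; FAILED/INCOMPLETE lines have none.
LINE = re.compile(r"^(\d+(?:\.\d+){3}) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def classify(ip, mac):
    """Return ok, wrong-mac, wrong-ip, dhcp or unregistered for one neighbour."""
    mac = mac.lower()
    bound = STATIC_BINDINGS.get(ip)
    if bound is not None:
        return "ok" if mac == bound else "wrong-mac"   # static IP taken by another device
    if mac in REGISTERED_MACS:
        return "wrong-ip"                              # registered device on an unexpected IP
    if DHCP_FIRST <= ipaddress.ip_address(ip) <= DHCP_LAST:
        return "dhcp"                                  # ordinary pool client, routed to WAN1
    return "unregistered"                              # unknown MAC using a non-pool address

def audit(neigh_text):
    """Return (ip, mac, verdict) for every entry that violates the bindings."""
    findings = []
    for line in neigh_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            verdict = classify(ip, mac)
            if verdict not in ("ok", "dhcp"):
                findings.append((ip, mac, verdict))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_NEIGH), sep="\n")
```

A client can change its MAC address, so a clean report shows only that no binding is visibly violated, not that each device is the registered one.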
Beginner

IP Address restrictions by MAC

By having two separate VLANs for this implementation, I need to also separate the physical port at the back of the box? I do not have the leisure of using another physical port. One port for ACCESS DEFAULT Vlan which is the DHCP pool, another port for ACCESS Static Vlan which is the Static pool. Did I understand it correctly?

As for the other instructions, I will try to implement them tomorrow.

Contributor

Re: IP Address restrictions by MAC

You don't have to bind a VLAN to an interface. You can bind multiple VLANs to a single interface, change the interface to a Trunk port and trunk the VLANs down to your switch or APs and then configure ports and SSIDs with the appropriate VLAN.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.