Welcome to the Cisco Small Business Community


IP Address restrictions by MAC

I have some users in my network. I have a Dual WAN in my network with Policy Based Routing. All this is working fine and I get routed to the correct WAN. My question is: can the ISA restrict/not allow/block users which have not been registered in my Address Groups by MAC?

Currently I have a DHCP Pool which is routed to use WAN1. My laptop, which is static and registered by MAC in Address Objects, will use WAN2. The routings are working well. How can I block unauthorized hitchhikers from using WAN2, e.g. taking my static IP? If I remember correctly, the Cisco RV042 has this feature in the DHCP tab: "Block IP Address with the wrong MAC Address" and "Block unregistered MAC Address".

DHCP pool: -

As an extra, I have "Web URL Filtering" enabled. Is it also possible to create some exceptions for the Static IP Users?



There are a couple of ways to approach this.  The simplest way to deal with the DHCP/MAC issue is to create Address Objects in Address Management for each of the Static devices based on their MAC address instead of IP.  Then create an Address Group that contains all those MAC Address Objects.  Finally, apply an Access Rule to the WAN2 interface to allow traffic destined to that MAC Address Group and deny all others.

The second way takes into consideration your question on Web URL Filtering for those Static users.  Regarding the use of Web URL Filtering and Application Control, I would recommend reading these posts by myself and Ciscomax.

Short answer is that Web URL Filtering must be applied by Zone and only one policy can be applied to a Zone.  So you could create another Zone and VLAN, one for your DHCP users and one for your Static users.  Then apply your desired profiles to the respective Zone.  If you go this direction, you could also use the same method I outlined above to control WAN 2 access by MAC, but you could apply it to that new VLAN interface as the source instead of the WAN2 interface as the destination.

I hope this helps.  If you have additional questions, please don't hesitate to ask.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
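The following is an added example, not code from this thread and not Cisco ISA configuration syntax. It models the rule set Shawn describes (MAC-keyed Address Objects collected into an Address Group, then an allow rule followed by a deny-all rule on WAN2) as a first-match policy evaluator, and runs it against constructed sample flows, including the "hitchhiker" from the question that has manually taken the laptop's static IP. It also evaluates the IP-keyed variant, to show why MAC objects are the recommended key for this problem, and the separate-VLAN variant from the second part of the answer, where the new zone is the rule's source. The MAC and IP values, the zone names "LAN" and "STATIC", and the standing "allow any to WAN1" rule are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection as the firewall sees it (constructed sample data)."""
    src_mac: str
    src_ip: str
    src_zone: str        # hypothetical zone names: "LAN" (DHCP users), "STATIC"
    dst_interface: str   # "WAN1" or "WAN2"


@dataclass(frozen=True)
class AddressObject:
    """An Address Object keyed by either MAC or IP, as in Address Management."""
    name: str
    mac: Optional[str] = None
    ip: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        # A MAC-keyed object matches the source MAC; an IP-keyed one the source IP.
        if self.mac is not None:
            return flow.src_mac.lower() == self.mac.lower()
        return flow.src_ip == self.ip


@dataclass(frozen=True)
class AddressGroup:
    name: str
    members: Tuple[AddressObject, ...]

    def matches(self, flow: Flow) -> bool:
        return any(m.matches(flow) for m in self.members)


@dataclass(frozen=True)
class AccessRule:
    """A first-match rule; None in a field means 'any'."""
    name: str
    action: str                            # "allow" or "deny"
    dst_interface: Optional[str] = None
    src_group: Optional[AddressGroup] = None
    src_zone: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return ((self.dst_interface is None or flow.dst_interface == self.dst_interface)
                and (self.src_group is None or self.src_group.matches(flow))
                and (self.src_zone is None or flow.src_zone == self.src_zone))


def evaluate(rules: List[AccessRule], flow: Flow) -> str:
    """First matching rule wins; anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed sample devices: the registered laptop, an ordinary DHCP host, and a
# hitchhiker on the DHCP VLAN that has manually configured the laptop's static IP.
LAPTOP_MAC = "00:11:22:33:44:55"
LAPTOP_IP = "192.168.1.10"
FLOWS: Dict[str, Flow] = {
    "laptop->WAN2":     Flow(LAPTOP_MAC, LAPTOP_IP, "STATIC", "WAN2"),
    "dhcp-host->WAN1":  Flow("aa:bb:cc:dd:ee:01", "192.168.1.101", "LAN", "WAN1"),
    "dhcp-host->WAN2":  Flow("aa:bb:cc:dd:ee:01", "192.168.1.101", "LAN", "WAN2"),
    "hitchhiker->WAN2": Flow("aa:bb:cc:dd:ee:02", LAPTOP_IP, "LAN", "WAN2"),
}

# Stands in for the existing policy that sends the DHCP pool out WAN1 (assumed;
# the thread does not list the rules already in place).
ALLOW_WAN1 = AccessRule("allow-any-to-WAN1", "allow", dst_interface="WAN1")
DENY_REST_WAN2 = AccessRule("deny-all-else-to-WAN2", "deny", dst_interface="WAN2")


def mac_based_rules() -> List[AccessRule]:
    """First approach: MAC Address Objects -> Address Group -> allow, then deny, on WAN2."""
    group = AddressGroup("static-macs", (AddressObject("laptop", mac=LAPTOP_MAC),))
    allow = AccessRule("allow-static-macs-to-WAN2", "allow", dst_interface="WAN2", src_group=group)
    return [allow, DENY_REST_WAN2, ALLOW_WAN1]


def ip_based_rules() -> List[AccessRule]:
    """Same shape keyed by IP instead: shows what the IP-squatting hitchhiker gets."""
    group = AddressGroup("static-ips", (AddressObject("laptop", ip=LAPTOP_IP),))
    allow = AccessRule("allow-static-ips-to-WAN2", "allow", dst_interface="WAN2", src_group=group)
    return [allow, DENY_REST_WAN2, ALLOW_WAN1]


def zone_based_rules() -> List[AccessRule]:
    """Second approach: the separate static-user VLAN/zone is the rule's source."""
    allow = AccessRule("allow-STATIC-zone-to-WAN2", "allow", dst_interface="WAN2", src_zone="STATIC")
    return [allow, DENY_REST_WAN2, ALLOW_WAN1]


def decisions(rules: List[AccessRule]) -> Dict[str, str]:
    """Evaluate every sample flow against a rule set."""
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("MAC", mac_based_rules()), ("IP", ip_based_rules()), ("zone", zone_based_rules())):
        print(label, decisions(rules))
```

Two things the run makes visible: the IP-keyed rule set lets the hitchhiker out WAN2 because its source IP matches, while the MAC-keyed and zone-keyed sets deny it; and rule order matters, since placing the deny-all rule above the allow rule denies the laptop as well. A MAC-keyed object only sees a device's real source MAC when that device sits on a segment directly attached to the ISA; anything arriving through another router carries that router's MAC, so the VLAN/zone approach is the one to use for hosts behind a downstream Layer 3 hop.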

By having two separate VLANs for this implementation, I need to also separate the physical port at the back of the box? I do not have the leisure of using another physical port. One port for ACCESS DEFAULT Vlan which is the DHCP pool, another port for ACCESS Static Vlan which is the Static pool. Did I understand it correctly?

As for the other instructions, I will try to implement them tomorrow.

You don't have to bind a VLAN to an interface. You can bind multiple VLANs to a single interface, change the interface to a Trunk port and trunk the VLANs down to your switch or APs, and then configure ports and SSIDs with the appropriate VLAN.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.