
How can a MAC address ACL be used to allow a specific user to log in to a router or switch?

wfqk
Level 5

Hi, a MAC address ACL can be used to allow a specific user's PC to log on to a router or switch. If the router or switch has several interfaces and SVIs, we need to attach the MAC address ACL to each interface and SVI, so the process is complicated.

My question is whether we can attach a MAC address ACL to the control-plane. This way it would be simple for configuration and management. Do you agree? Thank you.

3 Replies

Reza Sharifi
Hall of Fame

Hi,

If you are trying to restrict access to a router or switch, you can simply create an access list and apply it to the vty lines. This way, no matter how many SVIs or physical interfaces you have, only the IPs that you have specified in the access list can access the device via Telnet or SSH. No need to worry about MAC address filtering.

HTH
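
The vty restriction described in the reply above, sketched as an IOS configuration fragment. This is an added example, not part of the original post; the ACL name MGMT-HOSTS, the addresses (documentation ranges) and the vty line ranges are assumptions.

```cisco
! Constructed example: names and addresses are assumptions, not from the thread.
! Standard IP ACL listing the management sources allowed to open a vty session.
ip access-list standard MGMT-HOSTS
 remark Admin workstation (single host)
 permit host 192.0.2.10
 remark Management subnet / jump hosts
 permit 198.51.100.0 0.0.0.255
 ! Explicit deny with logging so rejected attempts show up in syslog
 deny any log
!
! Apply to every vty line; the range differs per platform (check "show line").
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
```

Because access-class filters on the source IP of the incoming session, the same fragment applies regardless of which interface or SVI the connection arrives on. `show access-lists MGMT-HOSTS` shows the per-entry match counts.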

 

Thank you so much for your reply. You are right if we attach an ACL to vty. But I would like to allow some specific PC to access all routers and switches no matter where he tries to log on to these devices. So it looks like we still need a MAC address ACL, right? Can we attach a MAC address ACL to vty? I just tried it. It looks like it could not work. Please see it below:

 

R2(config-line)#access-class 700 in
% Invalid access list name.
R2(config-line)#

Hi,

 

Do you happen to have an AAA server like ACS? You can do that by grouping the devices and allowing only these groups to different users.

 

Frankly, I am not sure how feasible the MAC address solution will be.

 

Thanks