Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
10
Helpful
7
Replies

Limit access by HW address

Go to solution
Adrian Ardelean
Level 1
Level 1

‎09-16-2012 10:18 PM - edited ‎03-07-2019 08:54 AM

Hi,

I have a 2921, and I have 4 network segments.

In segment 172.16.0.0./27 I wand to "pair" somehow connections. I mean IP 172.16.0.x has to have MAC aaaa.bbbb.cccc and so on, and not accept connections otherwise.

How can I do that?

Thank you!

A.                

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎09-16-2012 11:49 PM

I Agree with Paolo. static arp entries is the way.

But why you need this specific requirement? If you have a device with ip 172.16.0.2 for example, why you should bind it to some specific mac? it has only one mac address and that is not supposed to change, right? so why don't you just add MAC ACL if that is really needed?

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful

Go to solution
Ivan Shirshin
Cisco Employee
Cisco Employee
In response to Adrian Ardelean

‎09-17-2012 09:22 AM

Hi,

For MAC ACL, you the "mac access-group ... in" command:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m1.html#wp1076835

Kind Regards,
Ivan Shirshin

**Please grade this post if you find it useful.

Kind Regards,
Ivan

View solution in original post

0 Helpful
7 Replies 7

Go to solution
paolo bevilacqua
Hall of Fame
Hall of Fame

‎09-16-2012 11:46 PM

You will need to setup static arp entries, and disable arp protocol..

That is so time consuming, and so un-managebale, that you should really find a better way to manager you network security rather than relying on IP and MAC.

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎09-16-2012 11:49 PM

I Agree with Paolo. static arp entries is the way.

But why you need this specific requirement? If you have a device with ip 172.16.0.2 for example, why you should bind it to some specific mac? it has only one mac address and that is not supposed to change, right? so why don't you just add MAC ACL if that is really needed?

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Adrian Ardelean
Level 1
Level 1
In response to Amjad Abdullah

‎09-17-2012 12:08 AM

Sorry for being dumb, but how do i do MAC ACL?

Thanks!

0 Helpful

Go to solution
Ivan Shirshin
Cisco Employee
Cisco Employee
In response to Adrian Ardelean

‎09-17-2012 09:22 AM

Hi,

For MAC ACL, you the "mac access-group ... in" command:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m1.html#wp1076835

Kind Regards,
Ivan Shirshin

**Please grade this post if you find it useful.

Kind Regards,
Ivan
0 Helpful

Go to solution
pille1234
Level 3
Level 3
In response to Amjad Abdullah

‎09-17-2012 12:09 PM 

Amjad Abdullah schrieb:
so why don't you just add MAC ACL if that is really needed?

Don't forget to mention that on most switches and newer IOS versions MAC ACLs don't work for IP packets. Thus they don't have any impact at best or block system relevant network protocoll traffic at worst.

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to pille1234

‎09-17-2012 10:38 PM 

pille1234 wrote:
Amjad Abdullah schrieb:
so why don't you just add MAC ACL if that is really needed?
Don't forget to mention that on most switches and newer IOS versions MAC ACLs don't work for IP packets. Thus they don't have any impact at best or block system relevant network protocoll traffic at worst.

oh, really? I did not know that!!

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Adrian Ardelean
Level 1
Level 1

‎09-18-2012 02:06 AM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card