Restricting devices able to be connected to 800 series router's switch

darren.g
Level 5

Folks.

I have a Cisco 887M router which I wish to restrict the devices allowed to be connected/allocated an IP address to two, and *only* two.

I can't, for the life of me, find out how to allow these two devices to connect to ANY port - I can configure a MAC restriction on a single port, but I don't know how to make it so that I can allow JUST these two devices to connect to any port in the 4 port switch/VLAN (VLAN 1 is used because the mongrel who set this up was lazy). I know the MAC addresses I want to allow

Anyone got any pointers on how I can do this? I *can* restrict any given port to the two MAC addresses - but if I try to add the MAC addresses to another port, they get removed from the initial one. I need to be able to have them connect to ANY port and work, but allow NOTHING else to work.

For those wondering, this is to counter a user who is utilising company resources for purposes not approved - and costing us quite a bit of money in the process.

Thanks

10 Replies

acampbell
VIP Alumni

Darren,

I think this link will help you:

http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/vlanconf.html#wp1055744

Regards,
Alex.
Please rate useful posts.

Alex.

Already found that one, and I've gone through it half a dozen times.

I can set the ports to "dynamic" mode, assign a maximum number of allowed MAC addresses to 2, and (apparently) set the allowed MAC addresses - but when I check the config, I can't see if this definition of allowed MAC addresses is saved.

From the config, I get the following:

mac-address-table secure maximum 2 FastEthernet0
mac-address-table secure maximum 2 FastEthernet1
mac-address-table secure maximum 2 FastEthernet2
mac-address-table secure maximum 2 FastEthernet3

Which is what I'd expect - but even though I entered the command in the format

mac-address-table dynamic xxxx.xxxx.xxxx fe 0 vlan 1
mac-address-table dynamic xxxx.xxxx.xxxx fe 1 vlan 1
mac-address-table dynamic xxxx.xxxx.xxxx fe 2 vlan 1
mac-address-table dynamic xxxx.xxxx.xxxx fe 3 vlan 1

I can't find anywhere in the config where this appears to be set or saved.

Is this normal? I can't afford to actually lock this guy out of his *legitimate* machines. Or does this only show up when the machines are connected/powered on (he turns them off when he's not officially "working" to avoid being monitored, so I can't see them in the mac table at the moment).

Thanks.

Hi,

So, do you know the MAC addresses you want to block, or the ones you want to permit?

You could simply do an MQC policy applied to VLAN 1 that drops packets with a forbidden MAC source address.

Regards

Alain

Don't forget to rate helpful posts.

Alain.

I know the ones I want to permit - I want to drop everything *except* the two permitted devices.

I don't even want non-approved devices to be allocated an IP address from the DHCP pool (on the router). Just a big, fat "No, you aren't going to work" when an unapproved device is connected.

Cheers

Hi

Would a VACL work?

You can use a MAC-ACL and match those MAC-addresses you want to permit and then block the rest.

It would look something like this (HHHH.HHHH.HHHH is a placeholder for a permitted MAC address, in the dotted form IOS expects; frames not matched by the access-map are dropped):

mac access-list extended HOSTS-MAC-ADDRESSES
 permit host HHHH.HHHH.HHHH any

vlan access-map RESTRICT-HOSTS
 match mac address HOSTS-MAC-ADDRESSES
 action forward

vlan filter RESTRICT-HOSTS vlan-list 1

Thanks for the suggestion

The command "mac access-list" doesn't appear to be an option on this device. Otherwise, I think it'd work quite nicely.

Cheers.

Ok, but what about using the numbered MAC-ACL then?

Like this:

access-list 700 permit  

Yeah, I can create the list, but I can't apply it to either the VLAN interface or the individual fast ethernet interfaces.

Thanks for the suggestion, though

darren.g
Level 5

So I gave up and logged this with the TAC.

Apparently, this is an unsupported condition on the 800 series router, and can't be done.

The best I can do is to exempt every IP address in the local DHCP scheme and assign an address manually to the allowed MAC addresses.

Which won't help me if the guy is smart enough to assign himself an IP address on unapproved devices, but it's all I can do.

Thanks to everyone who had input.
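For readers landing on this thread later, this is the shape the approach described above takes on an IOS router: the dynamic pool's range is excluded so no unknown client receives a lease, and each approved device gets a manual binding keyed on its MAC address. This is an added example, not the original poster's configuration or anything from TAC; the subnet, addresses, pool names and MAC addresses are placeholders.

```cisco
! Added example (not the poster's config). Assumes the LAN is 192.168.1.0/24
! with the router at .1 and an existing dynamic pool for that network.
!
! Exclude everything the dynamic pool could hand out, leaving only the two
! manually bound addresses (.10 and .11) in play.
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.12 192.168.1.254
!
! One manual binding per approved device. The hardware-address is the
! client's MAC in IOS dotted form (placeholder values shown).
ip dhcp pool APPROVED-DEVICE-1
 host 192.168.1.10 255.255.255.0
 hardware-address 0000.0000.000a
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
ip dhcp pool APPROVED-DEVICE-2
 host 192.168.1.11 255.255.255.0
 hardware-address 0000.0000.000b
 default-router 192.168.1.1
 dns-server 192.168.1.1
```

After applying it, `show ip dhcp binding` should list the two addresses as manual bindings and nothing else, and `show mac-address-table` on the switch ports shows which MACs are actually present; comparing that output against the two approved addresses is the practical way to spot an unexpected device. As the thread already notes, this only controls lease allocation: a host with a statically configured address is still on the wire, which is the gap the follow-up reply about group policy addresses.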

Hi,

Preventing users from assigning a static IP can be done with a local or AD GPO for Windows.

Regards.

Alain

Don't forget to rate helpful posts.