
Need to block hacker by MAC on 2600, but have a big problem


GeneralDzur (Technical User; joined Jan 10, 2005; 204 messages; US)


We have someone who is being unruly on the network, and I have to block his traffic by MAC heading to the internet. The only problem is, it looks like the router only supports ONE access-list for each interface, and using a MAC access-list would force me to stop using our primary ACL. Is there any way to run a MAC ACL *and* an IP ACL on the same interface?

- stephan
 
Can't you keep your outgoing ACL going to the internet on (I presume) your serial interface, but create an inbound ACL on the Ethernet interface?

LEEroy
MCNE6,CCNA2,CWNA, Project+
 

Yes, but I can't figure out how to apply the access-list. Here's what I get when I try to apply a MAC access-list:

(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name


There's no option to apply a MAC ACL (700 range). How do I apply it?

- stephan
 
Are you trying to apply this to the Serial or Ethernet interface?

LEEroy
MCNE6,CCNA2,CWNA, Project+
 
Yes, I am. It doesn't show a MAC-related option.

Trying to apply to either Ethernet or Fast Ethernet interface (there is no serial)

- stephan
 
I have seen this done before using bridging and a BVI interface and applying a bridge filter (ACL) to the Ethernet interface:

! integrated routing and bridging must be enabled before a BVI can exist
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface ethernet0
! the IP address moves to the BVI; the physical port is bridged only
no ip address
bridge-group 1
bridge-group 1 input-address-list 700
!
interface BVI 1
ip address 10.1.1.254 255.255.255.0
!
! MAC filter: address followed by a wildcard mask (0000.0000.0000 = exact match)
access-list 700 deny 000c.f100.ac01 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!



This is a solution to your problem, but there is nothing stopping this 'hacker' from changing his MAC address. You could modify the ACL to contain a list of specific MAC addresses, i.e. remove the permit-any statement and have just a list of 'allowed' MAC addresses.

It all seems a bit of a bodge to me though :o\

Andy
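The allow-list variant Andy mentions, written out as an added example (this is not the config from Andy's post or from the original poster's router). It shows the point the thread is circling: the MAC filter lives on the bridged Ethernet port, the existing IP ACL lives on the BVI, so both apply to the same LAN traffic. Bridge group 1, Ethernet0 as the LAN side, FastEthernet0 as the internet side, the 10.1.1.0/24 addressing, the MAC addresses and IP ACL 101 are all assumed placeholders.

```cisco
! Added example, not from the original thread.
! Assumptions: bridge group 1, Ethernet0 = LAN, FastEthernet0 = internet,
! LAN is 10.1.1.0/24; MAC addresses and ACL 101 are placeholders.
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Layer-2 allow-list: only the listed source MACs may send frames into
! the router; the implicit deny at the end drops every other station.
! Mask 0000.0000.0000 = match every bit (exact MAC).
access-list 700 permit 0011.2233.4455 0000.0000.0000
access-list 700 permit 0011.2233.4466 0000.0000.0000
!
! Layer-3 filter: stands in for whatever IP ACL the site already runs.
access-list 101 deny   ip host 10.1.1.37 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
interface Ethernet0
 description LAN side, bridged into group 1
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
!
interface BVI1
 description routed interface for bridge group 1
 ip address 10.1.1.254 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0
 description internet side (addressing omitted)
!
! Verification (exec mode):
! show bridge 1          - stations learned on the bridge group
! show access-lists 700  - MAC filter entries and hit counters
! show access-lists 101  - IP ACL hit counters
! show interfaces bvi1   - BVI is up and carries the LAN address
```

Two things to keep in mind before cutting over: an allow-list needs every legitimate station's MAC up front, so collect them from `show bridge 1` (or the switch's MAC table) first, and watch the hit counters on list 700 after applying it so a typo does not silently lock out a printer or server. The filter also matches the source MAC as written by the last Layer-2 hop; a plain switch between the user and the router leaves the user's MAC intact, but another router in the path would present its own MAC instead.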
 