Applying mac filtering on cisco catalyst 3750

  • #1

    I have 3 VLANs: 10, 20, 30. VLAN 10 and 20 are required to access the internet while VLAN 30 is not supposed to access the internet. VLAN 10 and 20 are accessed both on LAN and on WLAN. I want a tech to guide me on how to do the configs for this scenario. In the MAC filter, should the switch and access point MAC addresses also be included?

  • #2
    Accessing the internet has nothing to do with MAC addresses. To block/filter users vs the internet, you'd use routing rules and access control lists (ACLs) on your network kit. Each VLAN is normally equated with a specific subnet. Allow VLANs 10 & 20 to get to the internet through your router, block VLAN 30 from doing so. Your use of MAC addresses can identify which clients access which VLAN because of port-security or MAC filtering (in the case of the WLAN), but MAC addresses can't be used as the basis for allowing or denying internet access. Those 2 areas are in different layers of the OSI model.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      HERE IS THE SAMPLE CONFIG I WANT TO ACHIEVE.

      IN MY OWN SCENARIO I WANT VLAN 10, 20 NOT TO ACCESS INTERNET BUT ONLY ALLOW VLAN 30. PLEASE HELP ME TO MODIFY THE CONFIG THAT I CAN USE

      mac access-list extended ARP_Packet
       permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
      !--- This blocks communication between hosts with this MAC.
      !
      mac access-list extended ARP_ONE_OUI
       permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
      !--- This blocks any ARP packet that originates from this vendor OUI.
      !
      mac access-list extended ARP_TWO_OUI
       permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
       permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
      !--- This blocks any ARP packet that originates from these two vendor OUIs.
      !
      vlan access-map block_arp 10
       action drop
       match mac address ARP_Packet
      vlan access-map block_arp 20
       action forward
      vlan access-map block_one_oui 10
       action drop
       match mac address ARP_ONE_OUI
      vlan access-map block_one_oui 20
       action forward
      vlan access-map block_two_oui 10
       action drop
       match mac address ARP_TWO_OUI
      vlan access-map block_two_oui 20
       action forward
      !
      vlan filter block_two_oui vlan-list 2
      Last edited by hardsoft; 22nd December 2016, 11:20.



      • #4
        Your stated solution requirement is a direct opposite to what you declared in your original post as to which vlans you want to allow access to the web. But that doesn't affect the fact that you can't do what you want to do, the way you want to do it.

        Internet-access blocking/allowing does not work with MAC addresses, it works with IP addresses. Those represent different layers of the OSI model: IP addresses work at Layer 3 (network layer: routing between subnets or address spaces), while MAC addresses work only at Layer 2 (data link layer: how hosts talk to each other).

        When one device wants to send a packet of info to another device, the MAC address is used only when they're in the same address space. That's Layer 2. If an address space boundary must be crossed (destination is on a different network), that's when you use Layer 3: IP addresses.

        Your config rules will allow/block access for devices with MAC addresses from sending/receiving packets inside a VLAN at all. That's not the same thing as saying block or allow internet access.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA




        • #5
          This is the exact idea I want to implement. I want to make sure that at the switch level only PCs whose MACs are in a particular VLAN can forward packets and the rest are dropped. I want you to see if the config above can help me achieve this.



          • #6
            Please send me your email contact to [email protected]



            • #7
              It would probably be much simpler to use facilities in your DHCP scopes to assign addresses based on MAC addresses, and then apply ACLs to the VLANs to allow or block traffic as you wish. Along this line, you should have a look at this MS link I found through Google: 'https://technet.microsoft.com/en-us/library/ff521761.aspx', and then this one about DHCP option classes: 'https://technet.microsoft.com/en-us/library/cc958901.aspx'. When you say you want to block clients' access to a VLAN based on MACs, you'll also be blocking their ability to get an address on your system because they won't be able to contact a DHCP or DNS server. Is that really what you want to do? Do the clients have the authority to set their own VLAN access, or do you control that? I'd prefer at this point to see a network diagram of your system, with address spaces shown, to better understand what you're trying to do. Is there one available?
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA




              • #8
                I don't have any network diagram for now, but let me attempt to explain my network. My internet connection from my ISP is to terminate on E/0 of my ASA firewall, and my ASA has two LAN connections: E/01 for the LAN with only internet access on its own VLAN, with DHCP enabled; all wireless access points are on this network. E/02 connects to the LAN for DATA only, and no internet access is allowed.

                The ASA is connected to a layer 3 switch, a Cisco Catalyst 3750, which connects to different Cisco switches on my LAN. The challenge is that I want to list all allowed MACs for the internet VLAN through an ARP filter so that only authorized MACs can be authenticated on the wireless access points and also access the LAN on the internet VLAN. The SSID password is usually compromised by users and this is what we want to restrict.



                • #9
                  So your ASA is your DHCP server, at least for the VLAN with the wifi devices. And you have a 3750 switch which connects to other switches. But your description of the 2 internal interfaces on the ASA doesn't identify how the 3 VLAN interfaces (10, 20 & 30) are routed, and you haven't described how the ASA connects to the only switch you've described, the 3750.

                  Re-reading all your comments, you've got 3 VLANs defined: 10, 20, 30. Depending on which comment we read from, you either want I'net access for 10, 20 (with data access not specified), and local data access only for 30; or you want data only for 10, 20 and i'net only for 30. Forgive me if I'm a little confused. Your ASA has 2 interfaces which connect in some way to a layer 3 switch, but we're not clear on whether your inter-vlan routing is done in the switch or in the ASA. Your examples given on 22 Dec look like valid statements, esp. since they appear to be copied from a Cisco.com document at: http://www.cisco.com/c/en/us/support...block-arp.html. So those examples give you what you need to get started, assuming you already know every MAC address from every device you wish to control access for. If you don't already know the MAC addresses, how many client devices are you talking about?
                  *RicklesP*
                  MSCA (2003/XP), Security+, CCNA




                  • #10
                    I want VLAN 10 and 20 to access LAN data only and VLAN 30 to forward to the internet. I have already collected the MAC addresses of all the devices in my network, about 250 devices. The ASA is my DHCP server, but I can always transfer this role to the 3750 switch, and inter-VLAN routing will be done at the 3750 switch.



                    • #11
                      The VACLs you're trying to use will have to be done where the VLANs inter-route, so as long as the ASA can handle those commands, you can leave the routing there if it's there already. But you're still not answering the question about the 2 internal interfaces of the ASA and the physical link(s) between the ASA and the 3750 switch. As for the MAC statements example you posted from Cisco a few ago and your original questions about MACs from the ASA and switches themselves, I'd say probably not, UNLESS those are the MACs associated with the interfaces that those devices use to talk to one another. If I knew more about how your devices were physically connected (the drawing I've asked for previously), that could be answered.

                      If you're unsure about how the MAC statements are given from the Cisco example, you have to know how the MAC is built, and how ACLs work in general.
                      *-A MAC is built of 2 sections totalling 6 bytes, the vendor ID (1st 3 bytes) and the unique device ID (2nd 3 bytes). So for a MAC format of 0000.0000.0000, read it as 'vvvv.vvvv.vvdd.dddd.dddd' where 'v' equals Vendor and 'd' equals Device. For example: a MAC of 0A19.7452.FDA9 means a vendor of 0A19.74 and device of 52.FDA9.
                      *-An ACL or VACL identifies items by address and mask. For IP info in a standard ACL, it's 'aaa.aaa.aaa.aaa mmm.mmm.mmm.mmm'; for a MAC in a VACL it's 'aaaa.aaaa.aaaa mmmm.mmmm.mmmm'.
                      *-The Cisco examples which don't use the keyword 'host' are showing you ranges of devices as MAC addresses (vendor only) and a mask which translates to 'any devices with the same vendor code.' So their example of 0000.8600.0000 0000.00ff.ffff means 'any device with a vendor code of 0000.86x.xxxx, regardless of the rest of the string' (and that specific example means 16+ million devices).

                      Of your 250 devices, let's assume 110 of them all have the same vendor ID in their MAC, call it 0A19.74xx.xxxx. If you sort your listing by the MAC address, you'll see what I mean. To put those MACs into a single VACL statement, they'll be written as '..permit 0A19.7400.0000 0000.00ff.ffff...' and the 'action' statements would apply to all 110 devices in that list. However, if even 1 single device in that list is not supposed to get the same action, then you'd have to break up the list and identify that single item with its own 'host' statement. And then you'd have to become familiar with how the 'mask' part is built, which can be confusing on top of all the other info above.

                      If I were you, I'd leave the VACL idea alone unless you have a Cisco-certified person available every single time a new device is to be added to your network. Because your VACLs will have to be re-written to allow for the new vendor ID, unless you're extremely lucky. I think it'd be simpler (long-term) to set up an IP reservation for each device on your network, on the VLAN you want them to use. As long as your DHCP scope only contains addresses with reservations, there will never be free addresses available. If a particular device is allowed to access either vlan, reserve them an address on each VLAN. With no free addresses, no one will be able to access either VLAN unless you know about it, because they can't get in until you get their MAC address to set up the reservation, and extend the scope. Since your ASA is your DHCP server, this shouldn't be difficult. It will be tedious to set up to begin with, but once done, it should be bulletproof.
                      *RicklesP*
                      MSCA (2003/XP), Security+, CCNA


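To make the VACL semantics discussed in post #3 (the Cisco sample config) and post #11 (address/wildcard-mask matching, the 'host' keyword, OUI ranges) concrete, here is an added Python model that is not from the thread, from Cisco, or from any switch software. It assumes Cisco wildcard-mask semantics (a 1 bit means "don't care"), that 'host' means every bit must match, that access-map entries are tried in sequence order with first match winning, and that a frame matching no entry is dropped.

```python
# Added example (not from the thread or Cisco): models how the Catalyst VACL in
# post #3 decides forward/drop, so the effect of each statement can be checked
# before it is applied. Wildcard masks as in Cisco ACLs: a 1 bit means "don't care".

HOST = "0000.0000.0000"                    # wildcard for 'host': every bit must match
ANY = ("0000.0000.0000", "ffff.ffff.ffff")  # pattern and wildcard for the 'any' keyword

def mac_int(mac):
    """Turn dotted-hex 'aaaa.bbbb.cccc' into a 48-bit integer."""
    return int(mac.replace(".", ""), 16)

def mac_matches(addr, pattern, wildcard):
    """True when addr equals pattern on every bit the wildcard mask does not ignore."""
    care = ~mac_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_int(addr) & care) == (mac_int(pattern) & care)

# ACE = (src, src_wildcard, dst, dst_wildcard, ethertype, ethertype_wildcard),
# transcribed from the ACL statements in post #3 (0x806 = ARP, 0x0 = exact match).
MAC_ACLS = {
    "ARP_Packet": [("0000.861f.3745", HOST, "0006.5bd8.8c2f", HOST, 0x806, 0x0)],
    "ARP_TWO_OUI": [("0000.8600.0000", "0000.00ff.ffff", *ANY, 0x806, 0x0),
                    ("0006.5b00.0000", "0000.00ff.ffff", *ANY, 0x806, 0x0)],
}
# access-map entries in sequence order: (action, ACL name, or None for "match anything")
ACCESS_MAPS = {
    "block_arp": [("drop", "ARP_Packet"), ("forward", None)],
    "block_two_oui": [("drop", "ARP_TWO_OUI"), ("forward", None)],
}

def ace_permits(ace, src, dst, ethertype):
    """One permit statement matches when source, destination and ethertype all match."""
    s, s_wc, d, d_wc, et, et_wc = ace
    return (mac_matches(src, s, s_wc) and mac_matches(dst, d, d_wc)
            and (ethertype & ~et_wc) == (et & ~et_wc))

def vacl_action(map_name, src, dst, ethertype=0x806):
    """First access-map entry whose ACL permits the frame wins; no match means drop."""
    for action, acl in ACCESS_MAPS[map_name]:
        if acl is None or any(ace_permits(a, src, dst, ethertype) for a in MAC_ACLS[acl]):
            return action
    return "drop"  # assumed VACL implicit deny when no entry matches

if __name__ == "__main__":
    bcast = "ffff.ffff.ffff"
    for src, et in [("0000.86ab.cdef", 0x806), ("0a19.7452.fda9", 0x806), ("0000.86ab.cdef", 0x800)]:
        print(src, hex(et), "->", vacl_action("block_two_oui", src, bcast, et))
```

Note that an IP frame (0x800) from a blocked OUI is still forwarded, which is the point made throughout the thread: this filter governs ARP inside the VLAN, not internet access.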


                      • #12
                        Thank you for the detailed information and support. I have gone through all the materials you have put forward. I have now created the VLANs on the layer 3 switch (3750) and put PCs that require internet access in a separate VLAN and forward the traffic to the ASA; now PCs that do not need internet access are not forwarded. The ASA has the following interfaces: E0/0 that is connected to the ISP, E0/1 connected to the LAN switch for the VLAN that needs internet access, E0/2 connected to the LAN switch for the VLANs that do not require internet access. So the link from the ASA to the layer 3 switch is configured as a routed port and sub-interfaces created for the different VLAN networks.

                        Great work I appreciate all the support



                        • #13
                          From your description I think you're saying you have something working how you want it, so good for you. Glad to be of help.
                          *RicklesP*
                          MSCA (2003/XP), Security+, CCNA

