
router acl on mac address


tg

Oct 9, 2008, 5:59:07 PM
Cisco router 2651XM with wic-adsl card (Dialer0)
IOS = c2600-adventerprisek9-mz.124-2.T.bin

I'm given to understand it is possible to filter traffic based on mac
address. I've been trawling google but I can't find the syntax I'm
looking for. At the moment all my router traffic on port 25 is
unfiltered.
My router socket f0/1 ip is set at 192.168.1.100 and the router is
currently configured to forward all port 25 (smtp) traffic through f0/1
to my computer set at 192.168.1.101 thus:
ip nat inside source static tcp 192.168.1.101 25 interface Dialer0 25
(pretty straightforward)
and the firewall is set to allow smtp traffic through with:
access-list 105 permit tcp any any eq smtp
But I'd like to filter the port 25 (smtp) traffic by permitting only mac
addresses I specify. All other traffic is to be unaffected. The mac
address permission is to only apply to port 25 (smtp) traffic.
is this possible? any cli examples satisfying the above would be
appreciated.

Doug McIntyre

Oct 9, 2008, 7:08:36 PM
"tg" <t...@nospamevereverever.net> writes:
>Cisco router 2651XM with wic-adsl card (Dialer0)
>IOS = c2600-adventerprisek9-mz.124-2.T.bin

>I'm given to understand it is possible to filter traffic based on mac
>address. I've been trawling google but I can't find the syntax I'm
>looking for. At the moment all my router traffic on port 25 is

>unfiltered....


It's only possible to filter based on MAC address for a bridge setup.

General routing does not allow you to filter based on MAC address.


Peter

Oct 9, 2008, 9:47:29 PM
Greetings,

> I'm given to understand it is possible to filter traffic based on mac
> address. I've been trawling google but I can't find the syntax I'm
> looking for.

There are at least 2 things you need to consider -

As a MAC is a Layer 2 component -
1. MAC ACLs are written in the 7xx (i.e. Layer 2) series numbering
format (i.e. 701, 702, etc.).
2. A router interface normally operates at Layer 3 (i.e. as a Routed
interface). You need to operate the interface in Layer 2 mode, and
one way to do that is to BRIDGE it to something else. However this can
bite you as Bridging can impact on performance. You can ensure maximum
throughput by linking the Bridge to a BVI to provide a routed
interface and therefore maximising the Bridge performance.

Cheers................pk.

--
Peter from Auckland.

tg

Oct 10, 2008, 1:49:10 PM

"Peter" <SOM...@orcon.net.nz> wrote in message
news:yJnTTlXSNco4-pn2-mMbb6SJhdo7d@otis...
> Greetings,
<snip>

>. You need to operate the interface in Layer 2 mode, and
> one way to do that is to BRIDGE it to something else. However this can
> bite you as Bridging can impact on performance. You can ensure maximum
> throughput but linking the Bridge to a BVI to provide a routed
> interface and therefore maximising the Bridge performance.

so when you say bridge do you mean I have to connect my router to
another hardware device?


Doug McIntyre

Oct 10, 2008, 2:46:05 PM
"tg" <t...@nospamevereverever.net> writes:

Bridging turns off any smarts in your router, it will just pass
traffic in and push traffic right back out. It's most likely not what
you are looking to do.

In general, MAC filtering isn't that useful, what are you trying to
accomplish anyway?

tg

Oct 11, 2008, 7:13:45 PM

"Doug McIntyre" <mer...@geeks.org> wrote in message
news:48efa2ed$0$60064$8046...@newsreader.iphouse.net...

> "tg" <t...@nospamevereverever.net> writes:
>
> In general, MAC filtering isn't that useful, what are you trying to
> accomplish anyway?

trying to exercise some control over what machines (out there on the
internet) can have access to my mail server on port 25. Filtering based
on IP address is unworkable as people's IPs change all the time. What
doesn't change is their MAC address.
I am using multiple barriers against spammers at application level but
if there's anything my router can do to assist in this I want to exploit
that. Someone on the cisco forum told me I could implement mac address
filtering but they didn't elaborate on exactly how it's done.


Doug McIntyre

Oct 11, 2008, 11:47:06 PM


You won't ever see anybody else's MAC address, that's the reason it's
not useful. You'll only see your own MAC address, your LAN machines, and
nothing else (assuming your nexthop out is a WAN hop).

Even in a pure LAN environment (ie. a colo data center), you'd only
see the next hop device MAC address and your own.

MAC addresses stay local only to your LAN, by the time the IP packets
get to you, they'll only have your gateway router in them.
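The point Doug makes here, and the reason the bridged MAC list Peter describes only helps on a local LAN, can be seen in a small simulation. This is an added Python example, not code from anyone in the thread: it assumes a constructed path of two routers between a remote SMTP client and the poster's WAN interface, uses made-up MAC addresses and RFC 5737 documentation IPs, and models a standard 700-series MAC list as a match on source MAC only (such a list has no notion of a TCP port).

```python
"""Constructed simulation (not code from the thread): why a MAC access list on
an internet-facing interface never sees the remote SMTP client's MAC, only the
next-hop router's.

Every router hop leaves the IP header alone and rewrites the Ethernet header,
so the source MAC is replaced at each hop by that router's egress MAC.
All addresses below are constructed (RFC 5737 documentation IPs, made-up MACs).
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Router:
    """A Layer-3 hop: MAC of the interface it receives on and of the one it sends from."""
    name: str
    ingress_mac: str
    egress_mac: str


def forward(frame: Frame, router: Router, next_hop_mac: str) -> Frame:
    """Routed forwarding: IPs and port untouched, Ethernet header rewritten."""
    return replace(frame, src_mac=router.egress_mac, dst_mac=next_hop_mac)


def deliver(frame: Frame, path: List[Router], final_mac: str) -> Frame:
    """Carry a frame across every router on `path`; the last hop addresses `final_mac`.
    An empty path means sender and receiver share a LAN, so the MAC survives."""
    for i, router in enumerate(path):
        next_mac = path[i + 1].ingress_mac if i + 1 < len(path) else final_mac
        frame = forward(frame, router, next_mac)
    return frame


def mac_acl_permits(frame: Frame, permitted_src_macs: Set[str]) -> bool:
    """Behaviour of a standard (700-series style) MAC list: match on source MAC only."""
    return frame.src_mac in permitted_src_macs


def visible_source_macs(clients: Iterable[Frame], path: List[Router],
                        final_mac: str) -> Set[str]:
    """Every distinct source MAC the receiving interface will see for these senders."""
    return {deliver(c, path, final_mac).src_mac for c in clients}


# Constructed topology: two remote clients (sharing one upstream path for
# simplicity) -> their gateway -> ISP edge -> the poster's WAN-facing interface.
WAN_MAC = "ee:ee:ee:ee:ee:01"
PATH = [
    Router("client-gw", "cc:cc:cc:cc:cc:01", "cc:cc:cc:cc:cc:02"),
    Router("isp-edge", "dd:dd:dd:dd:dd:01", "dd:dd:dd:dd:dd:02"),
]
MAIL_SERVER_IP = "198.51.100.5"
CLIENT_A = Frame("aa:aa:aa:aa:aa:01", PATH[0].ingress_mac, "203.0.113.10", MAIL_SERVER_IP, 25)
CLIENT_B = Frame("bb:bb:bb:bb:bb:02", PATH[0].ingress_mac, "203.0.113.77", MAIL_SERVER_IP, 25)


if __name__ == "__main__":
    arrived = deliver(CLIENT_A, PATH, WAN_MAC)
    print("client A sent from", CLIENT_A.src_mac, "-> arrives with src MAC",
          arrived.src_mac, "(src IP still", arrived.src_ip + ")")
    print("distinct source MACs seen from both clients:",
          visible_source_macs([CLIENT_A, CLIENT_B], PATH, WAN_MAC))
    # A permit list of the real client MAC matches nothing: every SMTP session is dropped.
    print("permit-list of client A's real MAC permits A?",
          mac_acl_permits(arrived, {CLIENT_A.src_mac}))
    # The only MAC that ever matches is the upstream router's, which permits every sender.
    print("permit-list of the ISP edge MAC permits B?",
          mac_acl_permits(deliver(CLIENT_B, PATH, WAN_MAC), {PATH[-1].egress_mac}))
```

Running it shows both clients arriving with the same source MAC (the ISP edge router's), so a permit list built from the clients' own MACs blocks all mail, while a list that does match permits everyone behind that router. Only with an empty path, i.e. a sender on the same LAN as the router, does the original MAC survive, which is the bridge-only case the thread describes.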

