Filter traffic by MAC address

Hello

Is it possible to configure a Cisco router such as the C3800, or Catalyst switches such as the C4500 or C2960, to filter traffic so that only allowed MAC addresses pass? Or is there any other device you might suggest?

I just want to allow the devices which belong to the domain, which means that if a user logs on to a computer or any other device whose MAC address I have not authorized on this network, he will be denied access to the network. However, none of the eligible devices should be able to use just any port of the switch, which means I want to associate an authorized MAC address with a physical port on the switch.

I hope someone could help me on this.

Thank you

Richard

Hi Richard,

On the 4500, you can do this by creating a MAC access list:

http://www.Cisco.com/en/us/docs/switches/LAN/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1051626

and then use it in a VLAN map:

http://www.Cisco.com/en/us/docs/switches/LAN/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1051696

I believe that you can not do the same thing on a 2960, but you may want to check (maybe ask or ">")

HTH

Herbert
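
The requirement in the question, each authorized MAC address tied to one switch port, can also be audited from outside the switch. The following Python sketch is an added example, not part of the thread: it checks a constructed `show mac address-table` listing (2960-style layout, assumed) against a hypothetical MAC-to-port policy and reports unauthorized addresses and authorized addresses seen on the wrong port.

```python
import re

# Constructed sample of `show mac address-table` output (2960-style layout).
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/3
  10    021a.2b3c.4d5e    DYNAMIC     Gi1/0/4
  10    0011.2233.4477    STATIC      Gi1/0/5
Total Mac Addresses for this criterion: 4
"""

# Hypothetical policy: authorized MAC -> the only port it may appear on.
# Keys are deliberately written in the different notations admins paste in.
ALLOWED = {
    "00:11:22:33:44:55": "Gi1/0/1",
    "00-11-22-33-44-66": "Gi1/0/2",
    "001122334477": "Gi1/0/5",
}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\S+)\s*$"
)


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[.:-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    address was assigned in software rather than by the NIC vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def parse_table(text):
    """Yield (vlan, mac, port) per entry row; headers and footers are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(4)


def audit(table_text, allowed):
    """Return (port, mac, reason) for every entry that violates the policy."""
    policy = {normalize_mac(mac): port for mac, port in allowed.items()}
    findings = []
    for _vlan, mac, port in parse_table(table_text):
        if mac not in policy:
            reason = "unauthorized"
            if is_locally_administered(mac):
                reason += " (locally administered)"
        elif policy[mac] != port:
            reason = f"wrong port, expected {policy[mac]}"
        else:
            continue
        findings.append((port, mac, reason))
    return findings


if __name__ == "__main__":
    for port, mac, reason in audit(SAMPLE_TABLE, ALLOWED):
        print(f"{port:<10} {mac}  {reason}")
```

The audit only sees what the switch has learned, so a device presenting a copied, authorized MAC address on that address's own port is not reported.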

Tags: Cisco Security

Similar Questions

  • How to filter the similar MAC addresses?

    Hello

    I'm trying to filter MAC addresses, but the MAC column shows empty.

    Here's what I have so far:

    Get-Datacenter $DC | Get-VM | Get-View |
    Select @{N="VM";E={$_.Name}},
    @{N="#NIC";E={($_.Config.Hardware.Device | where {$_.MacAddress} | Measure-Object).Count}},
    @{N="#MAC";E={[string]::Join(",",($_.Guest.Net | %{$_.MacAddress})) | Where-Object {$_.MacAddress -like "00:50:F3*"}}},
    @{N="IP addresses";E={[string]::Join(",",($_.Guest.Net | %{$_.IpAddress}))}}

    Thank you

    Give it a try like this

    Get-Datacenter $DC | Get-Vm | Get-View |Select @{N="VM";E={$_.Name}},@{N="#NIC";E={($_.Config.Hardware.Device | where {$_ -is [VMware.Vim.VirtualEthernetCard]} | Measure-Object).Count}},@{N="#MAC";E={[string]::Join(',',($_.Guest.Net | where {$_.MacAddress -like "00:50:F3*"} | %{$_.MacAddress}))}},@{N="IP addresses";E={[string]::Join(',',($_.Guest.Net | %{$_.IpAddress}))}}
    
  • In the NAC MAC address filter list

    Hi Faisal, how are you? I have a question about the filter list in the NAC unit. I want only those MAC addresses recognized by the NAC unit to be able to get on the network. However, if a workstation's MAC address is not in the filter list, it should not be able to get on the network. Does the NAC have the ability to do that? Please let me know. Thank you.

    Richard

    I'm not Faisal, but...

    Do you want to do additional authentication (such as LDAP or the like), or authenticate based simply on the MAC address?  If you want to go only by the MAC, you can add the addresses to the filter list and then either set them to 'allow' to allow all traffic, 'role' to put them in a specific role, or "check" to apply posture assessment and then put them in the role.  If no other authentication server is configured, users who were not in the filter list would not be able to authenticate, and they would be stuck in the authenticated VLAN.

    Thank you

    Lauren

  • iPad Wi-Fi MAC address is "not a MAC address" according to the Linksys router

    WRT55AG 2.0:

    Failed to save the Wi-Fi MAC address of my new iPad in the MAC filtering table.  Upgraded to the latest firmware, but it still does not work.  When I try to save, I get a pop-up that says: "not a MAC Address".

    If I disable MAC filtering, the iPad can get access via the router and the router shows the correct iPad MAC in the wireless client table, but I would much prefer to have MAC filtering enabled.

    1. The MAC address filter is not a problem. It's a joke. As I have said before: MAC addresses are always transferred unencrypted. If someone tries to penetrate your WPA2-protected wireless network, they need to capture a lot of wireless traffic to crack the password. By the time it is cracked (which is supposed to be very difficult and time-consuming if the password is good), the hacker knows all the MAC addresses that are accepted on your wireless network.

    2. No, more isn't always better. Are three locks on your door better than two? Are ten better than two? Why don't you have 10 locks on your door? The longer the better? It's more, but the impact on you is much greater than the impact on an attacker. WPA2 with a strong password is like putting up a thick, 100-foot stone wall for protection. It is very high and very difficult to 'jump'. Filtering MAC addresses is like putting another small, thin, 5-inch barrier in front of the wall. The longer the better? Anyone who can fly over the wall will easily get over the fence. The greatest effect of the fence is that you will sometimes trip over it because you have forgotten it. Compared to WPA2 security with a strong password, the MAC filter is simply not useful.

    3. The same goes for the SSID broadcast. Leave it enabled. The SSID is always transferred unencrypted during association with the access point. Any malicious person can easily find your SSID. In addition, it is easy to force an associated device to re-associate. With the right software, it takes a few seconds to learn the SSID. And even with SSID broadcast disabled, the access point still sends a beacon signal. This means that the existence of your access point is immediately visible. Just the SSID is not transmitted with the beacon.

    4. Disabling SSID broadcast technically breaks the wireless standard. Problems with wireless clients are common.

    5. A hidden SSID will also drain the batteries in your wireless devices: a wireless device must always actively try to connect to the hidden SSID. There is no other way to find out whether it is in range. If you have ten hidden networks in your wireless device's list of wireless networks, it will try these ten networks frequently to see if one of them is in range. In other words, it will try to connect to the hidden SSID and see if anything responds. If you do not connect to any hidden SSID (i.e. all the wireless networks in your list are broadcast), then it is very easy to find out whether a network is within reach: all the device has to do is passively listen for the beacon signals. There is no need to send anything until a known SSID is within reach. Only then will the wireless device try to associate with the SSID.

    So: don't hide your own SSID. And stay away from other hidden SSIDs. Do not associate with those, or don't forget to remove them from the list of preferred networks before you leave. This will allow you to save a lot of battery power...

    To summarize: your neighbor who doesn't know computers would have a problem with disabled SSID broadcast or MAC address filtering. But your neighbor does not know how to use software to crack a wireless network anyway. Anyone who is sophisticated enough to try a good attack on a WPA2-protected network will have no problem with the SSID broadcast or MAC address filtering.

    And if it is an automated attack, the SSID and MAC address are detected automatically. The SSID broadcast and MAC address filters are issues for you. They are not problems for any attacker.

  • BEFSR81 v3 MAC address filtering

    I have a simple network configuration with wired computers connected to the router and the router connected to the modem.

    My goal is to associate the IPs assigned to MACs. So if I have 4 (A, B, C, D) computers connected to the router, it assigned a specific IP address. If someone disconnected a computer to replace it with their own, the router would recognize the MAC change and could not allow the connection.

    I know that the router can filter certain IP or MAC addresses from the internet, but some evildoer who simply unplugs the computer to plug in his own would still have access to the local network. That, and I have no way of knowing what MAC the perpetrator would have.

    So far, I have configured my computers to request static IPs (192.168.1.2-5) and the DHCP server gives out the rest (6 to 254). Then the IP filter is set on the DHCP range to block those from the internet.

    But as I said, I need these IPs completely blocked. Also, if a user connects a Windows laptop and guesses the static IP address, then the router would happily give him access to everything...

    Sorry, I know it's confusing. Bottom line is I have to let only specific MACs connect to the network. Or SOME form of protection for the wired network... Super sticky ethernet cables are not an option, although they would solve the problem.

    nicfortin1342 wrote:

    My goal is to associate the IPs assigned to MACs. So if I have 4 (A, B, C, D) computers connected to the router, it assigned a specific IP address. If someone disconnected a computer to replace it with their own, the router would recognize the MAC change and could not allow the connection.

    You cannot do this with the BEFSR81, and it is not a matter of how recent it is - the firmware just does not support it; it does support blocking an IP or MAC address, not allowing only some of them.  I think that it was designed as a primitive parental control rather than a security measure.

    With better DHCP servers than the BEFSR81 has (like those of most firewalls), you can configure DHCP with "static mappings" so that the IP lease is handed out based on the MAC address, which would allow you to adjust things until DHCP leases are issued only to certain MAC addresses.

    Despite this, MAC addresses can be manually changed and spoofed, as can IP addresses, so neither is really a good security measure.

    You are asking for firewall features from the BEFSR81, which, instead, is simply a router.

    In the grand scheme of things, because MAC and IP addresses can be spoofed, if someone can get physical access to your network, you are pretty well hosed unless the traffic is encrypted.

    Russ

  • Satellite C850D-104 - change of MAC address

    On the new C850D-104 laptop, I have a problem with the MAC address.

    Well, in short: it changes.

    My firewall filters (also) on the MAC address, so I needed to add the MAC address of the new machine.
    Which seemed to work fine until I did a warm restart of the laptop. No connection possible.

    And looking at the firewall, I do indeed see a different MAC address attempting to connect.
    To be sure, I restarted again, and once again I got a new (different) address.

    A cold restart, i.e. shutting down and starting again, seems to reset the address to the first one.
    And after a warm reboot, the new address.

    Now the workaround is simple: do a cold reboot, but it is still annoying.
    On the internet I found some reports of problems with earlier versions of the network card driver, but my current one is some versions above the one that should have solved the problem.

    Any suggestions?

    Hello.
    I had the same problem on a C850-154 (with a Realtek wireless adapter), and the driver was from the beginning of this year.
    I updated to the driver of 14/09/12 (version 2.00.0020) and the problem was solved.

  • MAC address and P1102W

    This is my first post here.  I just bought a new P1102w printer.  I set it up to use USB.  Now I want to use wireless, but I use a MAC filter on my router.  I think I found the MAC address of the printer.  It was under the hardware address and was 12 characters.  I entered it in my router.  Now how do I switch from USB to wireless?  I tried to read the manual but couldn't find it.  I did unplug the USB cable and press the wireless button, but nothing happened.  I tried to print a page but nothing printed.   Any help would be appreciated.  Thank you

    First of all, MAC filtering is not an effective security measure, and it makes your network difficult to manage.  Read more about it here.

    Start by unplugging the USB cable between the printer and the PC.  If you use Windows: Start > All Programs > Hewlett-Packard > [your printer model] > Add a device.  When it asks, choose a network device and follow the instructions.

    If this does not work, download the latest version of the software for your printer from the "Support & drivers" link at the top of this page.

  • WiFi Mac address

    I was wondering if someone took the time to look at the WiFi MAC address. I use a MAC filter on my router here at home, so I was going to enter it, but there is no MAC address.

    Mark is that done on purpose?

    Thank you

    Scott

    Settings > About phone > Status > WiFi MAC address

  • Turn off filtering by MAC address

    Hi, I recently got WiFi for my house. I want to use WiFi on my iPod touch, but even when I add and connect to my network with the password, I can't use WiFi and applications that require a connection. Most people say that I have to turn off my MAC address filter so that my iPod touch can access the internet. Thank you.

    MAC address filtering is enabled or disabled in your wireless router.  It is disabled by default and would be activated only if you have explicitly configured the router like this.  See the user manual of your router for more information, or tell us the router brand and model number. Steve Winograd, Microsoft MVP (Windows desktop experience)

  • Why is MAC address Clone needed?

    When I disabled Clone MAC address, I lost access to the internet.

    Does anyone know why MAC address Clone is necessary and what it does?

    Clone MAC address changes the MAC address of the router on the internet port.

    You can use the MAC address cloning function to clone the MAC address of a computer if you previously connected your computer directly to the modem.

    Some ISPs (especially cable ISPs) only allow customers to have one active internet connection at any time. To do this, they check the MAC address; that is, they remember the MAC address that accessed the line via the modem and lock the connection to this MAC address.

    If you test your internet connection directly with your PC first and then connect the router, the router cannot get an internet connection because the line is locked to the PC's MAC address. Now if you clone the MAC address of the PC onto the router, the router "pretends" to be the PC and the ISP will accept traffic again.

    Usually, it is enough to reset or power-cycle the modem to release the lock again. Sometimes, you have to turn off the modem for a couple of hours (for example, overnight); after a few hours of inactivity the ISP removes the lock again. Sometimes you have to call the ISP to remove the lock, but that's not very often.

    So basically, cloning the MAC address is generally useless, because you could accomplish the same thing by resetting the modem or turning it off for a few minutes. If you connect the router to the modem, the ISP learns the MAC address of the router and it gets a working internet connection. (Of course, remember that a computer then connected directly to the modem would not get an active internet connection unless you change the MAC address of the computer to the MAC address of the router.)

    But the function is useful if you do not want to do that. You simply set the MAC address of the previously connected device, and you get a working internet connection.

  • MAC address filtering problem with router DI-624 and printer HP D110

    Just got the wireless D110 printer and cannot connect to the wireless router.

    I have a D-Link DI-624 Air Plus Xtreme G 2.4GHz Wireless Router.

    The error message I get from the printer is that "address filtering Mac can be activated on your wireless router. This can prevent your HP printer to connect to your network without wire during installation... etc. ".

    The D-Link is configured with WPA-PSK security. If I disable all the security, the wireless printer is able to connect. I can't connect the printer to the wireless router with WPA-PSK or even WEP active. There is no wired connection between the printer and the router.

    I have logged in to the router admin page and have repeatedly confirmed that MAC filtering is turned off by going to Advanced Options > Filters > MAC Filters and choosing Disabled MAC Filters. Where is this setting? Why is the printer not able to connect?

    In addition, I checked the logs on the router and they show "Wireless PC connected" and "Authentication successful" with a note that has the MAC address matching the hardware address of the printer on the Wireless Network Test report. It seems that the router is letting the printer in, but the printer is not able to communicate for some reason. It even shows under Status > Wireless that the printer is connected.

    When I talked to HP, they said to contact the router company and they couldn't help. When I called D-Link, they said technical support is no longer available for the model. I am stuck, can anyone help?

    Windows XP, tried the front of the printer and USB connection and using the software.

    After a few hours on the phone with the D-Link and HP, the problem has been resolved.

    Apparently, even though MAC filtering is disabled (set to Disabled MAC Filters), the MAC address had to be entered in the router, all while keeping the MAC filter setting off. To me it seemed counterintuitive to enter the MAC address while the MAC filter was set to disabled, so I hadn't tried that before getting on the phone with HP. Further on this point, the problem did not go away right after adding the MAC address, but rather after a reboot of the router, as the addition of the MAC address did not take effect without a reboot of the device.

    HP was much more useful than D-Link on this, although it would be nice for HP to add to their instructions and the Wireless Network Test report that you should add the MAC address, just in case. I would have tried this step if it had stated that it is acceptable to add the MAC address and keep the MAC filters disabled.

  • Router seems to have several MAC addresses

    The MAC address of my WRT54G router (as written on the label on the bottom) ends with F5. LELA shows the LAN MAC address as ending in F5. It shows the WAN MAC address as ending in F6. My ISP used the one ending in F6 to connect to their network. I have a wireless internet radio which detects the router as ending with F7.

    Why is this? How can I know which is the 'real' MAC address?

    Each network interface on the router must have a unique MAC address... The router has 3 logical network interfaces, as you discovered... One is the WAN interface, which is also associated with the physical interface that connects to your ISP. Another is the LAN interface, which is associated with the network that is bridged to the 4 LAN ports (which are interfaces on the switch that is built into the router), and the last of them is the wireless interface, which is connected to the physical wireless adapter built into the router. The router keeps track of where each connected device is by using these devices' unique MAC addresses and sends traffic to the necessary interface based on its knowledge of the combinations of IP addresses and MAC addresses.

    The 'real' address of the router can be any one of the three, depending on the network from which you look at the router. It seems, based on your post, that Linksys has taken the MAC address of the LAN interface as the documented 'router MAC address'. All three are 'real' MAC addresses...

  • 802.1x by MAC address with PowerConnect 2848

    Hello!

    I use 'Authentication Port' on my PowerConnect 2848 switch, the RADIUS server is Windows Server 2008 R2.

    Workstations authenticated correctly and everything works well.

    For my VoIP devices, which do not support RADIUS, I would like to add MAC filtering.

    Under Authentication Port -> choose port -> Authentication Type, there are 3 options: '802.1x Only', 'MAC Only' and '802.1x & MAC'.

    1. What is the difference between MAC Only and MAC & 802.1x?

    2. As far as I know, when you use the MAC option in 802.1x, the switch sends the RADIUS server an authentication request with the MAC address in the user name and a generated password, so that you create user names on the RADIUS server with this information and in this way filter just the MAC addresses I allow.

    The question is, what password does the 2848 send to the RADIUS server in this situation? Does it use a password that is preconfigured for all MAC authentications, or does it use the MAC address as the password in addition to the user name field?

    And additional information on what I'm trying to accomplish would be great.

    Thank you very much!

    From my understanding, when it is set to 802.1x & MAC, the port must first check whether the device is 802.1x compliant; if it is not, then it will try to authenticate using the MAC of the device as the user name and the password. If the MAC address has been placed in the RADIUS database, then it will be able to authenticate.

  • Find the offending MAC address for bpduguard

    I have a Cisco WS-C6509-E with IOS, connected to a hypervisor with several virtual machines on it.

    The port on the 6500 that connects to the hypervisor is a trunk port and has bpduguard enabled.

    One of the virtual machines is causing the port to go into err-disable state by sending BPDUs. I'm trying to figure out which one, from the Cisco itself. Specifically, I'm trying to find the MAC address of the virtual machine.

    Is this possible? I watched with full spanning-tree debugging on, but all I get is that the port goes into err-disable. It isn't going to tell me what the offending MAC address is (or anything about the BPDUs).

    Short of stripping VLANs off the trunk until I have the guilty network (which won't actually give me the guilty unit but rather only its VLAN), I don't know if there is a direct command or debug to give me this information directly. Can anyone help?

    Hello

    Try spanning the port and capturing some of the traffic.

    Thank you

    John

  • UCS MAC address problem

    Hi all

    simple question...

    Do you know if there is a MAC address learning bug in version 1.4.1?

    I have got a blade with a mix of Palo and other cards; some vNICs are pinned to an uplink with a trunk allowing VLAN 501 on both sides. On the UCS blades, I've got ESX and ESXi. The service console is tagged VLAN 501 (matching the configuration of the UCS and uplink switch trunk). Some blades have these interfaces pinned to UCS6100 A and others to B (with failover). The fact is that if I ping from outside the UCS to inside the UCS (ESX), no MAC learning is performed on the whole infrastructure.

    I don't know whether the problem is the UCS, because if I clear the UCS MAC table, nothing works... and everything works if I start doing a ping from the UCS. I also tried to put a static MAC (the ESX service console) on the uplink switch, but it was not helpful.

    I hope this isn't a 1.4.1 bug...

    TNX and tnx for help

    Dan

    Are you using uplink pin groups, or do you have a disjoint layer 2 network by chance?

    Issues like these are usually related to pin groups / disjoint L2 using the wrong link DR port for incoming traffic.  When the traffic is generated from within the UCS outbound, the MAC table is updated on the upstream switch, which allows traffic to flow until it ages out.

    If either of them is the case, I suggest you take a look at Brad's videos, namely video #6:

    http://bradhedlund.com/2010/06/22/Cisco-UCS-networking-best-practices/

    Kind regards

    Robert
