Tuesday, August 12, 2008

L2 Bridge ACLs on Cisco 800 Series ISRs

So it's obvious from this blog I was never a CCIE.

Hell, I barely passed the CCNA 2.0 exam many years ago (not because my IOS skills were that lacking, it was a bad exam, I tell you).

So I had a hell of a time finding the extremely simple way to filter MAC addresses on a bridge interface, such as what I'm using on my 851 at home on my kids' subnet. Well, it was just my kids' subnet until the damn Verizon Westell started acting up so badly with WPA with my Linux boxes lately.


I'm too lazy to do WEP (although it does work) and I've never had any luck with WPA under IOS. And yeah, the first thing I did was wipe the web interface from flash.

So I figured, how hard could it be? But I couldn't find it anywhere until I ran across a CCIE study guide on bridge filtering. Duh.


851w#sh access-lists 700
Bridge address access list 700
    permit 0012.f0xx.xxxx 0000.0000.0000 (23 matches)
    permit 001d.7exx.xxxx 0000.0000.0000 (38 matches)
    permit 0013.e8xx.xxxx 0000.0000.0000 (1930 matches)
    permit 0013.5fxx.xxxx 0000.0000.0000


I learned the hard way there is an implicit deny at the end. And with the 700 series ACLs you don't need to include the 0000.0000.0000 mask.

So then you just add "input-address-list 700" to your bridge group and voilà!


interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding


Completely secure, because like the OpenBSD folks I don't rely on security at Layer 2 or 3. It's all in the OS and applications.

And I didn't try it (enough for one night, my reading glasses are already on) but I'm guessing I could do masks as well so I could filter out Apple or Dell MAC addresses and only allow Intel Wireless client adapters.

Now that would be really secure!
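
How a 700-series list like the one above evaluates a source MAC, as an added Python sketch that is not from the original post or from Cisco: entries are checked in order, 1 bits in the mask are ignored, an omitted mask means an exact match, and anything unmatched falls to the implicit deny. The sample list, its addresses and the function names are constructed for illustration.

```python
import re

def mac_to_int(text):
    """Parse Cisco dotted-triplet notation (xxxx.xxxx.xxxx) into a 48-bit int."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}", text):
        raise ValueError(f"not a dotted-triplet MAC: {text!r}")
    return int(text.replace(".", ""), 16)

def parse_acl(lines):
    """Turn 'permit|deny <address> [mask]' lines into (action, address, mask) tuples."""
    entries = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        if fields[0] not in ("permit", "deny") or len(fields) not in (2, 3):
            raise ValueError(f"unsupported entry: {line!r}")
        # An omitted mask means an exact match, same as 0000.0000.0000.
        mask = mac_to_int(fields[2]) if len(fields) == 3 else 0
        entries.append((fields[0], mac_to_int(fields[1]), mask))
    return entries

def evaluate(entries, source_mac):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = mac_to_int(source_mac)
    for action, address, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF  # 1 bits in the mask are ignored
        if (src & care) == (address & care):
            return action
    return "deny"

# Constructed sample list; locally administered prefixes, not real vendor OUIs.
SAMPLE_ACL = parse_acl([
    "deny   0200.5e00.0099",                 # one exact address, mask omitted
    "permit 0200.5e00.0000 0000.00ff.ffff",  # whole 24-bit prefix 02:00:5e
    "permit 0600.1122.3344 0000.0000.0000",  # exact address, explicit zero mask
])

if __name__ == "__main__":
    for mac in ("0200.5e00.0099", "0200.5eab.cdef", "0600.1122.3344", "0a00.0000.0001"):
        print(mac, evaluate(SAMPLE_ACL, mac))
```

The comparison is against the source address carried in the frame, which the client sets itself, so a list like this keeps casual devices off the bridge and nothing more.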
