My brother stays up online until 02:00 (or even later) playing online games, facebook, twitter etc. and then dozes off during his high school classes.
My mother is looking for a router that can apply MAC address time based Access control. My brother is tech savvy enough to bypass an IP based access list. The problem is that my mother doesnt want her devices to be offline during the time that my brother's devices are blocked. So some MAC addresses will be allowed Internet access during a limited time (07:00 until 21:00), and some will have unlimited access. This access control will have to be placed on the outgoing ADSL interface, since my brother sometimes connects wirelessly or sometimes using a wire. I suggested an ISR (Cisco 867VAE) but it is lacking the wireless option and we would like to keep it simple (no extra AP). Another option is the Cisco Small Business Pro SRP 526W, but i don't know whether it supports time-based access lists.

And from my studies, i haven't seen IOS supporting MAC address based access control. My brother is into networking (i explained thoroughly to him the difference between IP addresses, MAC addresses and DHCP), so for as far as i can tell he _will_ bypass simple IP based access controls, and i am confident he can change his laptop's/smartphone's MAC address if that's what it takes for him to get back online.

Does anybody know how to control a competent kid's Internet access?

_________________
Rule #1 when troubleshooting: never give up

First, lets look at the problems you are going to run into.
1. You can not keep someone offline if they are dedicated to get on.
2. MAC filters will only work on the first hop as it is only a layer 2 address. You can not place the MAC filter on the outgoing ADSL interface as it will never see his MAC address (I am sure you knew this).
3. changing his MAC address is incredibly easy to do. If your brother can figure out changing his IP then changing his MAC isn't that much harder.
4. He is your brother, you should be helping him fight the tyranny of the parental units, not helping the enemy.

There is all kinds of parental control software you could use instead. If I had to do it I would probably do this. Of course if he is dedicated he will get around that too.

-Otanx

Yeah, i don't know any time based access lists that can even look at a MAC address. When i was suggesting filtering by MAC address i meant that since the router/switch/AP box (ISR) knows a specific user's MAC address, it would control packets from the specific MAC address. (i can't begin to imagine how). Also, do you know if there are time based MAC address switchport security setting?

Maybe i'll get an ISR and create a small DHCP pool with my parent's devices manually linked to specific IP addresses, and everything else will just get an IP address from another subnet (DHCP pool) which will have a time-based ACL associated with it.

i feel that by switching off my brother's Internet access after 21:00 will actually be helpful for him, not his "enemies"
On a sidenote i am also quite certain that my brother will find something to occupy himself with even with no internet access. (games, TV, going out etc.)

_________________
Rule #1 when troubleshooting: never give up