Re: How to block a particular MAC on Router level?

From: Ye Tian (emaomi@gmail.com)
Date: Thu Apr 05 2007 - 02:23:13 ART


Victor,

Thank you for providing solutions.
I still have some questions.
1. The first solution looks like it only works for 12000 series routers. My
router is a 2821, which does not take this command.
2821(config)#int g0/0.1
2821(config-subif)#mac ?
% Unrecognized command

Also, I tried it on a 2600 router; it doesn't work either.

2. I am sure Solution 2 will work, but I cannot change the current
router's configuration and create a BVI.

Any idea?

Thanks

On 4/4/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>
> Or!!!
> better yet!!
>
> Welcome to Network Learning Inc RS/Security/SP Rack#4
> For more information, please visit:
> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>
> Username: victor
> Password:
>
> rack4>show user
> Line User Host(s) Idle Location
> 33 tty 33 incoming 00:02:18 sw3
> 66 vty 0 victor R1 00:02:17 70.110.82.179
> * 67 vty 1 victor idle 00:00:00 70.110.82.179
>
> Interface User Mode Idle Peer Address
>
>
> Lab2R1(config)#int f0/0.12
> Lab2R1(config-subif)#exit
> Lab2R1(config)#bridge irb
> Lab2R1(config)#!
> Lab2R1(config)#interface fast 0/0.12
> Lab2R1(config-subif)#no ip address
> Lab2R1(config-subif)#no ip route-cache
> Lab2R1(config-subif)#no ip mroute-cache
> Lab2R1(config-subif)#bridge-group 1
> Lab2R1(config-subif)#no shut
> Lab2R1(config-subif)#interface fast 0/0.13
> Lab2R1(config-subif)#no ip address
> Lab2R1(config-subif)#no ip route-cache
> Lab2R1(config-subif)#no ip mroute-cache
> Lab2R1(config-subif)#bridge-group 1
> Lab2R1(config-subif)#
> Lab2R1(config-subif)#!
> Lab2R1(config-subif)#interface BVI1
> Lab2R1(config-if)#ip address 192.168.1.1 255.255.255.0
> Lab2R1(config-if)#!
> Lab2R1(config-if)#bridge 1 protocol ieee
> Lab2R1(config)#bridge 1 route ip
> Lab2R1(config)#bridge 1 address 1234.1234.1234 discard
> Lab2R1(config)#!
> Lab2R1(config)#
> Lab2R1(config)#
> *Apr 5 03:55:53.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
> Lab2R1(config)#^Z
> Lab2R1#
> Lab2R1#
> *Apr 5 03:55:55.063: %SYS-5-CONFIG_I: Configured from console by console
> Lab2R1#
> rack9>2
> [Resuming connection 2 to R2 ... ]
> ..
> Lab2R2>
> Lab2R2>
> Lab2R2>en
> Lab2R2#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> Lab2R2(config)#int f0/0
> Lab2R2(config-if)#ip add 192.168.1.2 255.255.255.0
> Lab2R2(config-if)#no sh
> Lab2R2(config-if)#
> rack9>R3
> Trying r3 ( 1.1.1.1, 2035)...
> % Connection refused by remote host
>
> rack9>3
> [Resuming connection 3 to R3 ... ]
> .
> Success rate is 0 percent (0/5)
> Lab2R3(config-if)#
> Lab2R3>
> Lab2R3>en
> Lab2R3#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> Lab2R3(config)#int f0/0
> Lab2R3(config-if)#ip add 192.168.1.3 255.255.255.0
> Lab2R3(config-if)#no sh
> Lab2R3(config-if)#exit
> Lab2R3(config)#
> rack9>1
> [Resuming connection 1 to R1 ... ]
>
> Lab2R1#ping 192.168.1.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> Lab2R1#ping 192.168.1.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> Lab2R1#clear arp
> Lab2R1#ping 192.168.1.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> Lab2R1#ping 192.168.1.
> Lab2R1#ping 192.168.1.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> Lab2R1#show run | in discard
> bridge 1 address 1234.1234.1234 discard
> Lab2R1#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> Lab2R1(config)#no bridge 1 address 1234.1234.1234 discard
> Lab2R1(config)#do ping 192.168.1.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
> Lab2R1(config)#
> *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> Lab2R1(config)#
>
> thanks,
> Victor Cappuccio.-
> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> Cisco Learning credits!
> victor@ccbootcamp.com
> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> Voice: 702-968-5100
> FAX: 702-446-8012
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of Victor Cappuccio
> Sent: Wed 4/4/2007 20:28
> To: Joshua; ccielab@groupstudy.com
> Subject: RE: How to block a particular MAC on Router level?
>
> Hi Joshua
>
> is this what you are looking for?
>
> Router> enable
> Router# configure terminal
> Router(config)# access-list 700 permit 0003.fd1b.8700
> Router(config)# access-list 700 permit 0003.fd1b.8701
> Router(config)# access-list 700 permit 0003.fd1b.8702
> Router(config)# access-list 700 deny any
> ! Apply MAC ACL to Gigabit Ethernet VLAN subinterface
> Router(config)# interface gigabitethernet 6/0.1
> Router(config-subif)# mac access-group 700 in
> Router(config-subif)# end
>
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00805e8f8c.html
>
> HTH
>
>
> thanks,
> Victor Cappuccio.-
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of Joshua
> Sent: Wed 4/4/2007 17:22
> To: ccielab@groupstudy.com
> Subject: How to block a particular MAC on Router level?
>
> I am trying to block a particular MAC address from accessing the Internet. This is
> a router-on-a-stick topology. 5 subinterfaces are configured on the router's
> gig0/0. I have no access to the attached switch. I wonder, is there some way
> I can block this MAC address on the router?
>
> Thanks in advance!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
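
The following is an added example, not part of the original thread: a small offline evaluator for 700-series MAC access lists, useful for checking whether a given address would be permitted or dropped before a list is applied. List 700 is copied from the quoted message; list 701 (a block-one-address form) is constructed, and the wildcard-mask handling (bits set in the mask are ignored) is an assumption based on standard IOS MAC ACL behaviour.

```python
import re

# Constructed sample: ACL 700 as quoted in the thread, plus a constructed
# ACL 701 that denies a single address and permits everything else.
SAMPLE_CONFIG = """\
access-list 700 permit 0003.fd1b.8700
access-list 700 permit 0003.fd1b.8701
access-list 700 permit 0003.fd1b.8702
access-list 700 deny any
access-list 701 deny 1234.1234.1234 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
"""

ACL_LINE = re.compile(r"\s*access-list\s+(7\d\d)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")
ALL_BITS = 0xFFFFFFFFFFFF

def mac_to_int(mac):
    """Accept 1234.1234.1234, 12:34:56:..., 12-34-56-... and return a 48-bit int."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def parse_mac_acls(config):
    """Return {acl_number: [(action, address, wildcard_mask), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        number, action, addr, mask = m.groups()
        if addr == "any":
            entry = (action, 0, ALL_BITS)           # every bit is "don't care"
        else:
            entry = (action, mac_to_int(addr), mac_to_int(mask) if mask else 0)
        acls.setdefault(int(number), []).append(entry)
    return acls

def evaluate(acls, number, mac):
    """First matching entry wins; no match falls through to the implicit deny."""
    value = mac_to_int(mac)
    for action, addr, wildcard in acls[number]:     # KeyError if list is undefined
        care = ~wildcard & ALL_BITS                 # bits set in the mask are ignored
        if (value & care) == (addr & care):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse_mac_acls(SAMPLE_CONFIG)
    for mac in ("00:03:fd:1b:87:01", "1234.1234.1234", "00-03-FD-1B-87-09"):
        print(mac, "700:", evaluate(acls, 700, mac), "701:", evaluate(acls, 701, mac))
```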



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART