Re: How to block a particular MAC on Router level?

From: maureen schaar (maureen.schaar@gmail.com)
Date: Thu Apr 05 2007 - 05:53:52 ART


Drop it with QOS, something like:

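! Define the class first; the policy-map below references it by name
class-map match-any DROP-MAC
 match source-address mac 0003.fd1b.8700
 match source-address mac 0003.fd1b.8701
 match source-address mac 0003.fd1b.8702

! Drop everything that matches the class
policy-map DROP-MAC
 class DROP-MAC
  drop

! Apply inbound on the subinterface facing the hosts
interface Gi0/1.1
 service-policy input DROP-MAC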

Maureen

On 4/5/07, Ye Tian <emaomi@gmail.com> wrote:
> Victor,
>
> Thank you for providing solutions.
> I still have some questions.
> 1. The first solution looks like it only works for the 12000 series router. My
> router is a 2821, which does not take this command.
> 2821(config)#int g0/0.1
> 2821(config-subif)#mac ?
> % Unrecognized command
>
> Also, I tried it on a 2600 router; it doesn't work either.
>
> 2. I am sure Solution 2 will work, but I cannot change the current
> router's configuration and create a BVI.
>
> Any idea?
>
> Thanks
>
> On 4/4/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >
> > Or!!!
> > better yet!!
> >
> > Welcome to Network Learning Inc RS/Security/SP Rack#4
> > For more information, please visit:
> > http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> > PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> >
> > Username: victor
> > Password:
> >
> > rack4>show user
> > Line User Host(s) Idle Location
> > 33 tty 33 incoming 00:02:18 sw3
> > 66 vty 0 victor R1 00:02:17 70.110.82.179
> > * 67 vty 1 victor idle 00:00:00 70.110.82.179
> >
> > Interface User Mode Idle Peer Address
> >
> >
> > Lab2R1(config)#int f0/0.12
> > Lab2R1(config-subif)#exit
> > Lab2R1(config)#bridge irb
> > Lab2R1(config)#!
> > Lab2R1(config)#interface fast 0/0.12
> > Lab2R1(config-subif)#no ip address
> > Lab2R1(config-subif)#no ip route-cache
> > Lab2R1(config-subif)#no ip mroute-cache
> > Lab2R1(config-subif)#bridge-group 1
> > Lab2R1(config-subif)#no shut
> > Lab2R1(config-subif)#interface fast 0/0.13
> > Lab2R1(config-subif)#no ip address
> > Lab2R1(config-subif)#no ip route-cache
> > Lab2R1(config-subif)#no ip mroute-cache
> > Lab2R1(config-subif)#bridge-group 1
> > Lab2R1(config-subif)#
> > Lab2R1(config-subif)#!
> > Lab2R1(config-subif)#interface BVI1
> > Lab2R1(config-if)#ip address 192.168.1.1 255.255.255.0
> > Lab2R1(config-if)#!
> > Lab2R1(config-if)#bridge 1 protocol ieee
> > Lab2R1(config)#bridge 1 route ip
> > Lab2R1(config)#bridge 1 address 1234.1234.1234 discard
> > Lab2R1(config)#!
> > Lab2R1(config)#
> > Lab2R1(config)#
> > *Apr 5 03:55:53.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
> > Lab2R1(config)#^Z
> > Lab2R1#
> > Lab2R1#
> > *Apr 5 03:55:55.063: %SYS-5-CONFIG_I: Configured from console by console
> > Lab2R1#
> > rack9>2
> > [Resuming connection 2 to R2 ... ]
> > ..
> > Lab2R2>
> > Lab2R2>
> > Lab2R2>en
> > Lab2R2#conf ter
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Lab2R2(config)#int f0/0
> > Lab2R2(config-if)#ip add 192.168.1.2 255.255.255.0
> > Lab2R2(config-if)#no sh
> > Lab2R2(config-if)#
> > rack9>R3
> > Trying r3 ( 1.1.1.1, 2035)...
> > % Connection refused by remote host
> >
> > rack9>3
> > [Resuming connection 3 to R3 ... ]
> > .
> > Success rate is 0 percent (0/5)
> > Lab2R3(config-if)#
> > Lab2R3>
> > Lab2R3>en
> > Lab2R3#conf ter
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Lab2R3(config)#int f0/0
> > Lab2R3(config-if)#ip add 192.168.1.3 255.255.255.0
> > Lab2R3(config-if)#no sh
> > Lab2R3(config-if)#exit
> > Lab2R3(config)#
> > rack9>1
> > [Resuming connection 1 to R1 ... ]
> >
> > Lab2R1#ping 192.168.1.3
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> > .!!!!
> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> > Lab2R1#ping 192.168.1.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > Lab2R1#clear arp
> > Lab2R1#ping 192.168.1.3
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> > Lab2R1#ping 192.168.1.
> > Lab2R1#ping 192.168.1.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > Lab2R1#show run | in discard
> > bridge 1 address 1234.1234.1234 discard
> > Lab2R1#conf ter
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Lab2R1(config)#no bridge 1 address 1234.1234.1234 discard
> > Lab2R1(config)#do ping 192.168.1.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> > .!!!!
> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
> > Lab2R1(config)#
> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> > Lab2R1(config)#
> >
> > thanks,
> > Victor Cappuccio.-
> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > Cisco Learning credits!
> > victor@ccbootcamp.com
> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > Voice: 702-968-5100
> > FAX: 702-446-8012
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of Victor Cappuccio
> > Sent: Wed 4/4/2007 20:28
> > To: Joshua; ccielab@groupstudy.com
> > Subject: RE: How to block a particular MAC on Router level?
> >
> > Hi Joshua
> >
> > is this what you are looking for?
> >
> > Router> enable
> > Router# configure terminal
> > Router(config)# access-list 700 permit 0003.fd1b.8700
> > Router(config)# access-list 700 permit 0003.fd1b.8701
> > Router(config)# access-list 700 permit 0003.fd1b.8702
> > Router(config)# access-list 700 deny any
> > Apply MAC ACL to Gigabit Ethernet VLAN subinterface
> > Router(config)# interface gigabitethernet 6/0.1
> > Router(config-subif)# mac access-group 700 in
> > Router(config-subif)# end
> >
> >
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00805e8f8c.html
> >
> > HTH
> >
> >
> > thanks,
> > Victor Cappuccio.-
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of Joshua
> > Sent: Wed 4/4/2007 17:22
> > To: ccielab@groupstudy.com
> > Subject: How to block a particular MAC on Router level?
> >
> > I am trying to block a particular MAC address from accessing the Internet. This is
> > a router-on-a-stick topology. 5 subinterfaces are configured on the router
> > gig0/0. I have no access to the attached switch. I wonder if there is some
> > way I can block this MAC address on the router?
> >
> > Thanks in advance!
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
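
The QoS drop policy from the reply at the top of this thread, generated from a MAC inventory in mixed notations. This is an added example, not part of the original posts; the function names and the sample list are assumptions, and it emits only the IOS commands shown in the thread.

```python
import re

# Constructed sample input: the thread's three MACs in mixed notations, plus a duplicate.
SAMPLE_MACS = ["00:03:FD:1B:87:00", "00-03-fd-1b-87-01",
               "0003.fd1b.8702", "0003.FD1B.8700"]

def to_cisco_mac(mac):
    """Normalize colon, hyphen or dotted notation to the IOS form xxxx.xxxx.xxxx."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # The low bit of the first octet marks a group (multicast/broadcast)
    # address, which is never a legitimate source MAC for a host.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot be a source MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_drop_policy(macs, interface, name="DROP-MAC"):
    """Return the class-map, policy-map and interface config as one string."""
    seen = []
    for mac in macs:
        dotted = to_cisco_mac(mac)
        if dotted not in seen:          # same host listed twice in the inventory
            seen.append(dotted)
    if not seen:
        raise ValueError("refusing to build a policy with an empty class-map")
    lines = [f"class-map match-any {name}"]
    lines += [f" match source-address mac {m}" for m in seen]
    lines += ["!", f"policy-map {name}", f" class {name}", "  drop", "!",
              f"interface {interface}", f" service-policy input {name}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_drop_policy(SAMPLE_MACS, "Gi0/1.1"))
```

A source-MAC match only identifies the frame's claimed address, so a host that changes its MAC is no longer matched by this class.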



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART