Re: How to block a particular MAC on Router level?

From: Rboussebaa (rboussebaa@hotmail.com)
Date: Thu Apr 05 2007 - 07:13:42 ART


Hi,

Your router is a layer 3 device and is not really designed to block MAC
addresses, but rather IP addresses, unless you are doing something fancy like
MLS (multi-layer switching).
What you can do is use the IP addresses as a filter, or use the MAC
address filters of a switch, if you have one that is capable.

rgds,
Boess

----- Original Message -----
From: "maureen schaar" <maureen.schaar@gmail.com>
To: "Ye Tian" <emaomi@gmail.com>
Cc: "Victor Cappuccio" <victor@ccbootcamp.com>; "Joshua"
<joshualixin@gmail.com>; <ccielab@groupstudy.com>
Sent: Thursday, April 05, 2007 10:53 AM
Subject: Re: How to block a particular MAC on Router level?

> Drop it with QOS, something like:
>
> policy-map DROP-MAC
> class DROP-MAC
> drop
>
> class-map match-any DROP-MAC
> match source-address mac 0003.fd1b.8700
> match source-address mac 0003.fd1b.8701
> match source-address mac 0003.fd1b.8702
>
> interface Gi0/1.1
> service-policy input DROP-MAC
>
>
> Maureen
>
> On 4/5/07, Ye Tian <emaomi@gmail.com> wrote:
>> Victor,
>>
>> Thank you for providing solutions.
>> I still have some questions.
>> 1. The first solution looks like it only works for the 12000 series router. My
>> router is a 2821, which does not take this command.
>> 2821(config)#int g0/0.1
>> 2821(config-subif)#mac ?
>> % Unrecognized command
>>
>> Also, I tried it on a 2600 router; it doesn't work either.
>>
>> 2. I am sure Solution 2 will work, but I cannot change the current
>> router's configuration and create a BVI.
>>
>> Any idea?
>>
>> Thanks
>>
>> On 4/4/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>> >
>> > Or!!!
>> > better yet!!
>> >
>> > Welcome to Network Learning Inc RS/Security/SP Rack#4
>> > For more information, please visit:
>> > http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>> > PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>> >
>> > Username: victor
>> > Password:
>> >
>> > rack4>show user
>> > Line User Host(s) Idle Location
>> > 33 tty 33 incoming 00:02:18 sw3
>> > 66 vty 0 victor R1 00:02:17 70.110.82.179
>> > * 67 vty 1 victor idle 00:00:00 70.110.82.179
>> >
>> > Interface User Mode Idle Peer Address
>> >
>> >
>> > Lab2R1(config)#int f0/0.12
>> > Lab2R1(config-subif)#exit
>> > Lab2R1(config)#bridge irb
>> > Lab2R1(config)#!
>> > Lab2R1(config)#interface fast 0/0.12
>> > Lab2R1(config-subif)#no ip address
>> > Lab2R1(config-subif)#no ip route-cache
>> > Lab2R1(config-subif)#no ip mroute-cache
>> > Lab2R1(config-subif)#bridge-group 1
>> > Lab2R1(config-subif)#no shut
>> > Lab2R1(config-subif)#interface fast 0/0.13
>> > Lab2R1(config-subif)#no ip address
>> > Lab2R1(config-subif)#no ip route-cache
>> > Lab2R1(config-subif)#no ip mroute-cache
>> > Lab2R1(config-subif)#bridge-group 1
>> > Lab2R1(config-subif)#
>> > Lab2R1(config-subif)#!
>> > Lab2R1(config-subif)#interface BVI1
>> > Lab2R1(config-if)#ip address 192.168.1.1 255.255.255.0
>> > Lab2R1(config-if)#!
>> > Lab2R1(config-if)#bridge 1 protocol ieee
>> > Lab2R1(config)#bridge 1 route ip
>> > Lab2R1(config)#bridge 1 address 1234.1234.1234 discard
>> > Lab2R1(config)#!
>> > Lab2R1(config)#
>> > Lab2R1(config)#
>> > *Apr 5 03:55:53.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>> > BVI1,
>> > changed state to up
>> > Lab2R1(config)#^Z
>> > Lab2R1#
>> > Lab2R1#
>> > *Apr 5 03:55:55.063: %SYS-5-CONFIG_I: Configured from console by console
>> > Lab2R1#
>> > rack9>2
>> > [Resuming connection 2 to R2 ... ]
>> > ..
>> > Lab2R2>
>> > Lab2R2>
>> > Lab2R2>en
>> > Lab2R2#conf ter
>> > Enter configuration commands, one per line. End with CNTL/Z.
>> > Lab2R2(config)#int f0/0
>> > Lab2R2(config-if)#ip add 192.168.1.2 255.255.255.0
>> > Lab2R2(config-if)#no sh
>> > Lab2R2(config-if)#
>> > rack9>R3
>> > Trying r3 ( 1.1.1.1, 2035)...
>> > % Connection refused by remote host
>> >
>> > rack9>3
>> > [Resuming connection 3 to R3 ... ]
>> > .
>> > Success rate is 0 percent (0/5)
>> > Lab2R3(config-if)#
>> > Lab2R3>
>> > Lab2R3>en
>> > Lab2R3#conf ter
>> > Enter configuration commands, one per line. End with CNTL/Z.
>> > Lab2R3(config)#int f0/0
>> > Lab2R3(config-if)#ip add 192.168.1.3 255.255.255.0
>> > Lab2R3(config-if)#no sh
>> > Lab2R3(config-if)#exit
>> > Lab2R3(config)#
>> > rack9>1
>> > [Resuming connection 1 to R1 ... ]
>> >
>> > Lab2R1#ping 192.168.1.3
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
>> > .!!!!
>> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
>> > Lab2R1#ping 192.168.1.2
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>> > .....
>> > Success rate is 0 percent (0/5)
>> > Lab2R1#clear arp
>> > Lab2R1#ping 192.168.1.3
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
>> > !!!!!
>> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>> > Lab2R1#ping 192.168.1.
>> > Lab2R1#ping 192.168.1.2
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>> > .....
>> > Success rate is 0 percent (0/5)
>> > Lab2R1#show run | in discard
>> > bridge 1 address 1234.1234.1234 discard
>> > Lab2R1#conf ter
>> > Enter configuration commands, one per line. End with CNTL/Z.
>> > Lab2R1(config)#no bridge 1 address 1234.1234.1234 discard
>> > Lab2R1(config)#do ping 192.168.1.2
>> >
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>> > .!!!!
>> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
>> > Lab2R1(config)#
>> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst
>> > 192.168.1.1
>> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst
>> > 192.168.1.1
>> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst
>> > 192.168.1.1
>> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst
>> > 192.168.1.1
>> > Lab2R1(config)#
>> >
>> > thanks,
>> > Victor Cappuccio.-
>> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>> > Cisco Learning credits!
>> > victor@ccbootcamp.com
>> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>> > Voice: 702-968-5100
>> > FAX: 702-446-8012
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody@groupstudy.com on behalf of Victor Cappuccio
>> > Sent: Wed 4/4/2007 20:28
>> > To: Joshua; ccielab@groupstudy.com
>> > Subject: RE: How to block a particular MAC on Router level?
>> >
>> > Hi Joshua
>> >
>> > is this what you are looking for?
>> >
>> > Router> enable
>> > Router# configure terminal
>> > Router(config)# access-list 700 permit 0003.fd1b.8700
>> > Router(config)# access-list 700 permit 0003.fd1b.8701
>> > Router(config)# access-list 700 permit 0003.fd1b.8702
>> > Router(config)# access-list 700 deny any
>> > Apply MAC ACL to Gigabit Ethernet VLAN subinterface
>> > Router(config)# interface gigabitethernet 6/0.1
>> > Router(config-subif)# mac access-group 700 in
>> > Router(config-subif)# end
>> >
>> >
>> >
>> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00805e8f8c.html
>> >
>> > HTH
>> >
>> >
>> > thanks,
>> > Victor Cappuccio.-
>> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>> > Cisco Learning credits!
>> > victor@ccbootcamp.com
>> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>> > Voice: 702-968-5100
>> > FAX: 702-446-8012
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody@groupstudy.com on behalf of Joshua
>> > Sent: Wed 4/4/2007 17:22
>> > To: ccielab@groupstudy.com
>> > Subject: How to block a particular MAC on Router level?
>> >
>> > I am trying to block a particular MAC address from accessing the Internet. This is
>> > a router-on-a-stick topology, with 5 subinterfaces configured on the router's
>> > gig0/0. I have no access to the attached switch. I wonder if there is some way
>> > I can block this MAC address on the router?
>> >
>> > Thanks in advance!
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>

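A small model of how a numbered IOS MAC access list (700-799) is evaluated, added here as an illustration and not taken from the thread or from Cisco: it parses the access-list 700 lines Victor posted, applies first-match with the implicit trailing deny, and contrasts them with a constructed list that denies one address and permits the rest. The wildcard-mask form of the entries, the IRB bridge-table discard and the QoS drop policy are not modelled.

```python
# Model of first-match evaluation for an IOS numbered MAC access list (700-799).
# Constructed illustration for this thread, not Cisco code. Only the
# "access-list N permit|deny <mac>|any" form quoted in the thread is parsed;
# the optional wildcard-mask form is not modelled.

def normalize(mac):
    """Accept 0003.fd1b.8700, 00:03:fd:1b:87:00 or 0003fd1b8700; return 12 hex digits."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def parse_acl(config_lines):
    """Return [(action, mac_or_any), ...]; lines that are not MAC ACL entries are ignored."""
    aces = []
    for line in config_lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "access-list" or not (
                parts[1].isdigit() and 700 <= int(parts[1]) <= 799):
            continue  # interface lines, IP ACLs and other config are skipped
        if parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a MAC ACL entry: {line!r}")
        aces.append((parts[2], "any" if parts[3] == "any" else normalize(parts[3])))
    return aces

def evaluate(aces, src_mac):
    """First matching entry wins; a frame matching nothing hits the implicit deny."""
    mac = normalize(src_mac)
    for action, target in aces:
        if target in ("any", mac):
            return action
    return "deny"

# The list exactly as posted in the thread: three stations admitted, all others denied.
POSTED_ACL = parse_acl([
    "access-list 700 permit 0003.fd1b.8700",
    "access-list 700 permit 0003.fd1b.8701",
    "access-list 700 permit 0003.fd1b.8702",
    "access-list 700 deny any",
])
# Constructed counterpart that blocks one station and lets everything else through.
BLOCK_ONE_ACL = parse_acl([
    "access-list 701 deny 0003.fd1b.8700",
    "access-list 701 permit any",
])

def compare(src_mac):
    """Return (verdict under the posted list, verdict under the block-one list)."""
    return evaluate(POSTED_ACL, src_mac), evaluate(BLOCK_ONE_ACL, src_mac)
```

Run `compare()` against any station on the segment to see that the posted list behaves as a whitelist, while the block-one list denies only the single address the original question asked about.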


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART