Re: How to block a particular MAC on Router level?

From: Vince Mashburn (cciegroupstudy@gmail.com)
Date: Thu Apr 05 2007 - 13:00:35 ART


Is there some reason that you can't use the IP rather than the MAC since you
are on the router? If you have to use the MAC though, Maureen has a good
solution. Another thing that you might want to look at is creating a static
arp for the mac-address and pointing it to a dead IP address. You could
even create a /32 loopback and point it there. The static arp will take
precedence over the dynamic arp, so you will kill the layer-2 to layer-3
mapping, hence killing connectivity to that device.

On 4/5/07, Rboussebaa <rboussebaa@hotmail.com> wrote:
>
> Hi,
>
> Your router is a layer 3 device and is not really designed to block MAC
> addresses, but rather IP addresses, unless you are doing something fancy
> like MLS (multi-layer switching).
> What you can do is use the IP addresses as a filter, or you can use the MAC
> address filters of a switch, if you have one that is capable.
>
> rgds,
> Boess
>
>
> ----- Original Message -----
> From: "maureen schaar" <maureen.schaar@gmail.com>
> To: "Ye Tian" <emaomi@gmail.com>
> Cc: "Victor Cappuccio" <victor@ccbootcamp.com>; "Joshua"
> <joshualixin@gmail.com>; <ccielab@groupstudy.com>
> Sent: Thursday, April 05, 2007 10:53 AM
> Subject: Re: How to block a particular MAC on Router level?
>
>
> > Drop it with QOS, something like:
> >
> > policy-map DROP-MAC
> > class DROP-MAC
> > drop
> >
> > class-map match-any DROP-MAC
> > match source-address mac 0003.fd1b.8700
> > match source-address mac 0003.fd1b.8701
> > match source-address mac 0003.fd1b.8702
> >
> > interface Gi0/1.1
> > service-policy input DROP-MAC
> >
> >
> > Maureen
> >
> > On 4/5/07, Ye Tian <emaomi@gmail.com> wrote:
> >> Victor,
> >>
> >> Thank you for providing solutions.
> >> I still have some questions.
> >> 1. The first solution looks like it only works for the 12000 series router. My
> >> router is a 2821, which does not take this command.
> >> 2821(config)#int g0/0.1
> >> 2821(config-subif)#mac ?
> >> % Unrecognized command
> >>
> >> Also, I tried it on a 2600 router, and it doesn't work either.
> >>
> >> 2. I am sure Solution 2 will work, but I cannot change the current
> >> router's configuration and create a BVI.
> >>
> >> Any idea?
> >>
> >> Thanks
> >>
> >> On 4/4/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >> >
> >> > Or!!!
> >> > better yet!!
> >> >
> >> > Welcome to Network Learning Inc RS/Security/SP Rack#4
> >> > For more information, please visit:
> >> > http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> >> > PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> >> >
> >> > Username: victor
> >> > Password:
> >> >
> >> > rack4>show user
> >> > Line User Host(s) Idle Location
> >> > 33 tty 33 incoming 00:02:18 sw3
> >> > 66 vty 0 victor R1 00:02:17 70.110.82.179
> >> > * 67 vty 1 victor idle 00:00:00 70.110.82.179
> >> >
> >> > Interface User Mode Idle Peer Address
> >> >
> >> >
> >> > Lab2R1(config)#int f0/0.12
> >> > Lab2R1(config-subif)#exit
> >> > Lab2R1(config)#bridge irb
> >> > Lab2R1(config)#!
> >> > Lab2R1(config)#interface fast 0/0.12
> >> > Lab2R1(config-subif)#no ip address
> >> > Lab2R1(config-subif)#no ip route-cache
> >> > Lab2R1(config-subif)#no ip mroute-cache
> >> > Lab2R1(config-subif)#bridge-group 1
> >> > Lab2R1(config-subif)#no shut
> >> > Lab2R1(config-subif)#interface fast 0/0.13
> >> > Lab2R1(config-subif)#no ip address
> >> > Lab2R1(config-subif)#no ip route-cache
> >> > Lab2R1(config-subif)#no ip mroute-cache
> >> > Lab2R1(config-subif)#bridge-group 1
> >> > Lab2R1(config-subif)#
> >> > Lab2R1(config-subif)#!
> >> > Lab2R1(config-subif)#interface BVI1
> >> > Lab2R1(config-if)#ip address 192.168.1.1 255.255.255.0
> >> > Lab2R1(config-if)#!
> >> > Lab2R1(config-if)#bridge 1 protocol ieee
> >> > Lab2R1(config)#bridge 1 route ip
> >> > Lab2R1(config)#bridge 1 address 1234.1234.1234 discard
> >> > Lab2R1(config)#!
> >> > Lab2R1(config)#
> >> > Lab2R1(config)#
> >> > *Apr 5 03:55:53.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
> >> > Lab2R1(config)#^Z
> >> > Lab2R1#
> >> > Lab2R1#
> >> > *Apr 5 03:55:55.063: %SYS-5-CONFIG_I: Configured from console by console
> >> > Lab2R1#
> >> > rack9>2
> >> > [Resuming connection 2 to R2 ... ]
> >> > ..
> >> > Lab2R2>
> >> > Lab2R2>
> >> > Lab2R2>en
> >> > Lab2R2#conf ter
> >> > Enter configuration commands, one per line. End with CNTL/Z.
> >> > Lab2R2(config)#int f0/0
> >> > Lab2R2(config-if)#ip add 192.168.1.2 255.255.255.0
> >> > Lab2R2(config-if)#no sh
> >> > Lab2R2(config-if)#
> >> > rack9>R3
> >> > Trying r3 ( 1.1.1.1, 2035)...
> >> > % Connection refused by remote host
> >> >
> >> > rack9>3
> >> > [Resuming connection 3 to R3 ... ]
> >> > .
> >> > Success rate is 0 percent (0/5)
> >> > Lab2R3(config-if)#
> >> > Lab2R3>
> >> > Lab2R3>en
> >> > Lab2R3#conf ter
> >> > Enter configuration commands, one per line. End with CNTL/Z.
> >> > Lab2R3(config)#int f0/0
> >> > Lab2R3(config-if)#ip add 192.168.1.3 255.255.255.0
> >> > Lab2R3(config-if)#no sh
> >> > Lab2R3(config-if)#exit
> >> > Lab2R3(config)#
> >> > rack9>1
> >> > [Resuming connection 1 to R1 ... ]
> >> >
> >> > Lab2R1#ping 192.168.1.3
> >> >
> >> > Type escape sequence to abort.
> >> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> >> > .!!!!
> >> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >> > Lab2R1#ping 192.168.1.2
> >> >
> >> > Type escape sequence to abort.
> >> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> >> > .....
> >> > Success rate is 0 percent (0/5)
> >> > Lab2R1#clear arp
> >> > Lab2R1#ping 192.168.1.3
> >> >
> >> > Type escape sequence to abort.
> >> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
> >> > !!!!!
> >> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> >> > Lab2R1#ping 192.168.1.
> >> > Lab2R1#ping 192.168.1.2
> >> >
> >> > Type escape sequence to abort.
> >> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> >> > .....
> >> > Success rate is 0 percent (0/5)
> >> > Lab2R1#show run | in discard
> >> > bridge 1 address 1234.1234.1234 discard
> >> > Lab2R1#conf ter
> >> > Enter configuration commands, one per line. End with CNTL/Z.
> >> > Lab2R1(config)#no bridge 1 address 1234.1234.1234 discard
> >> > Lab2R1(config)#do ping 192.168.1.2
> >> >
> >> > Type escape sequence to abort.
> >> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> >> > .!!!!
> >> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
> >> > Lab2R1(config)#
> >> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> >> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> >> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> >> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst 192.168.1.1
> >> > Lab2R1(config)#
> >> >
> >> > thanks,
> >> > Victor Cappuccio.-
> >> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take Cisco Learning credits!
> >> > victor@ccbootcamp.com
> >> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> >> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> >> > Voice: 702-968-5100
> >> > FAX: 702-446-8012
> >> >
> >> >
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: nobody@groupstudy.com on behalf of Victor Cappuccio
> >> > Sent: Wed 4/4/2007 20:28
> >> > To: Joshua; ccielab@groupstudy.com
> >> > Subject: RE: How to block a particular MAC on Router level?
> >> >
> >> > Hi Joshua
> >> >
> >> > is this what you are looking for?
> >> >
> >> > Router> enable
> >> > Router# configure terminal
> >> > Router(config)# access-list 700 permit 0003.fd1b.8700
> >> > Router(config)# access-list 700 permit 0003.fd1b.8701
> >> > Router(config)# access-list 700 permit 0003.fd1b.8702
> >> > Router(config)# access-list 700 deny any
> >> > Apply MAC ACL to Gigabit Ethernet VLAN subinterface
> >> > Router(config)# interface gigabitethernet 6/0.1
> >> > Router(config-subif)# mac access-group 700 in
> >> > Router(config-subif)# end
> >> >
> >> >
> >> >
> >> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00805e8f8c.html
> >> >
> >> > HTH
> >> >
> >> >
> >> > thanks,
> >> > Victor Cappuccio.-
> >> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take Cisco Learning credits!
> >> > victor@ccbootcamp.com
> >> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> >> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> >> > Voice: 702-968-5100
> >> > FAX: 702-446-8012
> >> >
> >> >
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: nobody@groupstudy.com on behalf of Joshua
> >> > Sent: Wed 4/4/2007 17:22
> >> > To: ccielab@groupstudy.com
> >> > Subject: How to block a particular MAC on Router level?
> >> >
> >> > I am trying to block a particular MAC address from accessing the Internet. This
> >> > is a router-on-a-stick topology. 5 subinterfaces are configured on the router's
> >> > gig0/0. I have no access to the attached switch. I wonder if there is some way
> >> > I can block this MAC address on the router?
> >> >
> >> > Thanks in advance!
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >
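As an added example (not code from any poster in this thread), a small Python helper that normalizes MAC addresses from the notations switches, DHCP servers and host tools usually print into the dotted form IOS expects, and then emits the two router-side configurations quoted above: the 700-series MAC ACL from the Cisco guide and Maureen's class-map/policy-map drop. The ACL as quoted from the guide permits the listed MACs and denies everything else, so blocking one host needs the reverse; the `block` flag selects which form is produced. Function names and the sample MACs are constructed for illustration.

```python
import re

# Hypothetical helper (not from the thread): IOS writes MACs as three dotted
# groups of four hex digits, e.g. 0003.fd1b.8700, while DHCP leases, switch
# tables and host tools usually print 00:03:FD:1B:87:00 or 00-03-fd-1b-87-00.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def to_cisco_mac(mac: str) -> str:
    """Normalize any common MAC notation to IOS dotted-triplet form."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def _unique(macs):
    # Preserve order; drop duplicates that differ only in notation.
    return list(dict.fromkeys(to_cisco_mac(m) for m in macs))

def mac_acl(acl_number: int, macs, block: bool = True) -> list[str]:
    """Standard MAC ACL (numbers 700-799) in the form quoted from the Cisco
    guide. block=True denies the listed MACs and permits everything else (what
    the original poster asked for); block=False reproduces the guide's
    allow-list, which permits only the listed MACs and denies the rest."""
    if not 700 <= acl_number <= 799:
        raise ValueError("standard MAC access-lists are numbered 700-799")
    action, default = ("deny", "permit") if block else ("permit", "deny")
    lines = [f"access-list {acl_number} {action} {m}" for m in _unique(macs)]
    lines.append(f"access-list {acl_number} {default} any")
    return lines

def mac_drop_policy(name: str, macs) -> list[str]:
    """The class-map / policy-map variant Maureen posted: match the source
    MACs and drop them; attach with 'service-policy input <name>'."""
    lines = [f"class-map match-any {name}"]
    lines += [f" match source-address mac {m}" for m in _unique(macs)]
    lines += ["!", f"policy-map {name}", f" class {name}", "  drop"]
    return lines

if __name__ == "__main__":
    # Constructed sample input in three different notations (one duplicate).
    sample = ["00:03:FD:1B:87:00", "00-03-fd-1b-87-01", "0003.fd1b.8700"]
    print("\n".join(mac_acl(700, sample)))
    print("\n".join(mac_drop_policy("DROP-MAC", sample)))
```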



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART