Re: How to block a particular MAC on Router level?

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Fri Apr 06 2007 - 14:33:49 ART


Could someone tell me the topology so that I can lab it up?

Regards

----- Original Message -----
From: "Rboussebaa" <rboussebaa@hotmail.com>
To: "maureen schaar" <maureen.schaar@gmail.com>; "Ye Tian"
<emaomi@gmail.com>
Cc: "Victor Cappuccio" <victor@ccbootcamp.com>; "Joshua"
<joshualixin@gmail.com>; <ccielab@groupstudy.com>
Sent: Thursday, April 05, 2007 5:13 AM
Subject: Re: How to block a particular MAC on Router level?

> Hi,
>
> Your router is a layer 3 device and is not really designed to block MAC
> addresses, but rather IP addresses, unless you are doing something fancy
> like MLS (multi-layer switching).
> What you can do is use the IP addresses as a filter, or you can use the MAC
> address filters of a switch, if you have one that is capable.
>
> rgds,
> Boess
>
>
> ----- Original Message -----
> From: "maureen schaar" <maureen.schaar@gmail.com>
> To: "Ye Tian" <emaomi@gmail.com>
> Cc: "Victor Cappuccio" <victor@ccbootcamp.com>; "Joshua"
> <joshualixin@gmail.com>; <ccielab@groupstudy.com>
> Sent: Thursday, April 05, 2007 10:53 AM
> Subject: Re: How to block a particular MAC on Router level?
>
>
>> Drop it with QOS, something like:
>>
>> policy-map DROP-MAC
>> class DROP-MAC
>> drop
>>
>> class-map match-any DROP-MAC
>> match source-address mac 0003.fd1b.8700
>> match source-address mac 0003.fd1b.8701
>> match source-address mac 0003.fd1b.8702
>>
>> interface Gi0/1.1
>> service-policy input DROP-MAC
>>
>>
>> Maureen
>>
>> On 4/5/07, Ye Tian <emaomi@gmail.com> wrote:
>>> Victor,
>>>
>>> Thank you for providing solutions.
>>> I still have some questions.
>>> 1. The first solution looks like it only works for the 12000 series router. My
>>> router is a 2821, which does not take this command.
>>> 2821(config)#int g0/0.1
>>> 2821(config-subif)#mac ?
>>> % Unrecognized command
>>>
>>> Also, I tried it on a 2600 router; it doesn't work either.
>>>
>>> 2. I am sure Solution 2 will work, but I cannot change the current
>>> router's configuration and create a BVI.
>>>
>>> Any idea?
>>>
>>> Thanks
>>>
>>> On 4/4/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>>> >
>>> > Or!!!
>>> > better yet!!
>>> >
>>> > Welcome to Network Learning Inc RS/Security/SP Rack#4
>>> > For more information, please visit:
>>> > http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>>> > PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>>> >
>>> > Username: victor
>>> > Password:
>>> >
>>> > rack4>show user
>>> > Line User Host(s) Idle Location
>>> > 33 tty 33 incoming 00:02:18 sw3
>>> > 66 vty 0 victor R1 00:02:17 70.110.82.179
>>> > * 67 vty 1 victor idle 00:00:00 70.110.82.179
>>> >
>>> > Interface User Mode Idle Peer Address
>>> >
>>> >
>>> > Lab2R1(config)#int f0/0.12
>>> > Lab2R1(config-subif)#exit
>>> > Lab2R1(config)#bridge irb
>>> > Lab2R1(config)#!
>>> > Lab2R1(config)#interface fast 0/0.12
>>> > Lab2R1(config-subif)#no ip address
>>> > Lab2R1(config-subif)#no ip route-cache
>>> > Lab2R1(config-subif)#no ip mroute-cache
>>> > Lab2R1(config-subif)#bridge-group 1
>>> > Lab2R1(config-subif)#no shut
>>> > Lab2R1(config-subif)#interface fast 0/0.13
>>> > Lab2R1(config-subif)#no ip address
>>> > Lab2R1(config-subif)#no ip route-cache
>>> > Lab2R1(config-subif)#no ip mroute-cache
>>> > Lab2R1(config-subif)#bridge-group 1
>>> > Lab2R1(config-subif)#
>>> > Lab2R1(config-subif)#!
>>> > Lab2R1(config-subif)#interface BVI1
>>> > Lab2R1(config-if)#ip address 192.168.1.1 255.255.255.0
>>> > Lab2R1(config-if)#!
>>> > Lab2R1(config-if)#bridge 1 protocol ieee
>>> > Lab2R1(config)#bridge 1 route ip
>>> > Lab2R1(config)#bridge 1 address 1234.1234.1234 discard
>>> > Lab2R1(config)#!
>>> > Lab2R1(config)#
>>> > Lab2R1(config)#
>>> > *Apr 5 03:55:53.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>>> > BVI1,
>>> > changed state to up
>>> > Lab2R1(config)#^Z
>>> > Lab2R1#
>>> > Lab2R1#
>>> > *Apr 5 03:55:55.063: %SYS-5-CONFIG_I: Configured from console by console
>>> > Lab2R1#
>>> > rack9>2
>>> > [Resuming connection 2 to R2 ... ]
>>> > ..
>>> > Lab2R2>
>>> > Lab2R2>
>>> > Lab2R2>en
>>> > Lab2R2#conf ter
>>> > Enter configuration commands, one per line. End with CNTL/Z.
>>> > Lab2R2(config)#int f0/0
>>> > Lab2R2(config-if)#ip add 192.168.1.2 255.255.255.0
>>> > Lab2R2(config-if)#no sh
>>> > Lab2R2(config-if)#
>>> > rack9>R3
>>> > Trying r3 ( 1.1.1.1, 2035)...
>>> > % Connection refused by remote host
>>> >
>>> > rack9>3
>>> > [Resuming connection 3 to R3 ... ]
>>> > .
>>> > Success rate is 0 percent (0/5)
>>> > Lab2R3(config-if)#
>>> > Lab2R3>
>>> > Lab2R3>en
>>> > Lab2R3#conf ter
>>> > Enter configuration commands, one per line. End with CNTL/Z.
>>> > Lab2R3(config)#int f0/0
>>> > Lab2R3(config-if)#ip add 192.168.1.3 255.255.255.0
>>> > Lab2R3(config-if)#no sh
>>> > Lab2R3(config-if)#exit
>>> > Lab2R3(config)#
>>> > rack9>1
>>> > [Resuming connection 1 to R1 ... ]
>>> >
>>> > Lab2R1#ping 192.168.1.3
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
>>> > .!!!!
>>> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
>>> > Lab2R1#ping 192.168.1.2
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>>> > .....
>>> > Success rate is 0 percent (0/5)
>>> > Lab2R1#clear arp
>>> > Lab2R1#ping 192.168.1.3
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
>>> > !!!!!
>>> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>>> > Lab2R1#ping 192.168.1.
>>> > Lab2R1#ping 192.168.1.2
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>>> > .....
>>> > Success rate is 0 percent (0/5)
>>> > Lab2R1#show run | in discard
>>> > bridge 1 address 1234.1234.1234 discard
>>> > Lab2R1#conf ter
>>> > Enter configuration commands, one per line. End with CNTL/Z.
>>> > Lab2R1(config)#no bridge 1 address 1234.1234.1234 discard
>>> > Lab2R1(config)#do ping 192.168.1.2
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>>> > .!!!!
>>> > Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
>>> > Lab2R1(config)#
>>> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst
>>> > 192.168.1.1
>>> > *Apr 5 03:59:03.315: ICMP: echo reply rcvd, src 192.168.1.2, dst
>>> > 192.168.1.1
>>> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst
>>> > 192.168.1.1
>>> > *Apr 5 03:59:03.319: ICMP: echo reply rcvd, src 192.168.1.2, dst
>>> > 192.168.1.1
>>> > Lab2R1(config)#
>>> >
>>> > thanks,
>>> > Victor Cappuccio.-
>>> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We
>>> > take
>>> > Cisco Learning credits!
>>> > victor@ccbootcamp.com
>>> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>>> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member
>>> > discounts!)
>>> > Voice: 702-968-5100
>>> > FAX: 702-446-8012
>>> >
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: nobody@groupstudy.com on behalf of Victor Cappuccio
>>> > Sent: Wed 4/4/2007 20:28
>>> > To: Joshua; ccielab@groupstudy.com
>>> > Subject: RE: How to block a particular MAC on Router level?
>>> >
>>> > Hi Joshua
>>> >
>>> > is this what you are looking for?
>>> >
>>> > Router> enable
>>> > Router# configure terminal
>>> > Router(config)# access-list 700 permit 0003.fd1b.8700
>>> > Router(config)# access-list 700 permit 0003.fd1b.8701
>>> > Router(config)# access-list 700 permit 0003.fd1b.8702
>>> > Router(config)# access-list 700 deny any
>>> > Apply MAC ACL to Gigabit Ethernet VLAN subinterface
>>> > Router(config)# interface gigabitethernet 6/0.1
>>> > Router(config-subif)# mac access-group 700 in
>>> > Router(config-subif)# end
>>> >
>>> >
>>> >
>>> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00805e8f8c.html
>>> >
>>> > HTH
>>> >
>>> >
>>> > thanks,
>>> > Victor Cappuccio.-
>>> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We
>>> > take
>>> > Cisco Learning credits!
>>> > victor@ccbootcamp.com
>>> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>>> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member
>>> > discounts!)
>>> > Voice: 702-968-5100
>>> > FAX: 702-446-8012
>>> >
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: nobody@groupstudy.com on behalf of Joshua
>>> > Sent: Wed 4/4/2007 17:22
>>> > To: ccielab@groupstudy.com
>>> > Subject: How to block a particular MAC on Router level?
>>> >
>>> > I am trying to block a particular MAC address from accessing the Internet. This
>>> > is a router-on-a-stick topology. 5 subinterfaces are configured on the router's
>>> > gig0/0. I have no access to the attached switch. I wonder if there is some
>>> > way I can block this MAC address on the router?
>>> >
>>> > Thanks in advance!
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>> >



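The QoS approach in the thread (a `class-map match-any` of `match source-address mac` entries, a `policy-map` that drops that class, and `service-policy input` on a subinterface) only blocks the MAC on the subinterfaces where the policy is actually applied, which matters for the original five-subinterface router-on-a-stick setup. The audit script below is an added example, not code from the thread or from Cisco: it parses a constructed running-config fragment in that shape and reports which MACs the policy drops and which subinterfaces of the parent interface still lack the policy.

```python
import re
# Constructed sample running-config (not from the thread): the thread's DROP-MAC
# QoS policy, applied on only some of the router-on-a-stick subinterfaces.
SAMPLE_CONFIG = """\
class-map match-any DROP-MAC
 match source-address mac 0003.fd1b.8700
 match source-address mac 0003.fd1b.8701
!
policy-map DROP-MAC
 class DROP-MAC
  drop
!
interface GigabitEthernet0/0.1
 service-policy input DROP-MAC
interface GigabitEthernet0/0.2
interface GigabitEthernet0/0.3
 service-policy input DROP-MAC
"""

def parse_sections(config):
    """Split an IOS config into (header, [stripped indented body lines]) pairs."""
    sections, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and header is not None:
            body.append(line)
        else:
            if header is not None:
                sections.append((header, body))
            header, body = line, []
    if header is not None:
        sections.append((header, body))
    return sections

def audit_mac_drop(config, policy, parent):
    """Return (MACs dropped by `policy`, subinterfaces of `parent` lacking it on input)."""
    sections = parse_sections(config)
    # Class names referenced by the policy-map, then the MACs those classes match.
    classes = {l.split()[1] for h, b in sections if h == f"policy-map {policy}"
               for l in b if l.startswith("class ")}
    macs, missing = set(), []
    for header, body in sections:
        if header.startswith("class-map ") and header.split()[-1] in classes:
            macs |= {m.group(1) for l in body
                     if (m := re.match(r"match source-address mac (\S+)", l))}
        elif header.startswith(f"interface {parent}.") and f"service-policy input {policy}" not in body:
            missing.append(header.split()[1])
    return sorted(macs), missing
```

Running `audit_mac_drop(SAMPLE_CONFIG, "DROP-MAC", "GigabitEthernet0/0")` flags `GigabitEthernet0/0.2` as a subinterface the blocked MACs can still enter through.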
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART