[c-nsp] Blocking a Mac address at a router interface

Gert Doering gert at greenie.muc.de
Thu Sep 23 12:06:52 EDT 2004


Hi,

interesting approach.  Yes, this might very well work - using the
bridging code that *can* do MAC ACLs together with the IRB routing.

Cool :-)

(CC:ed back to the list, so that the list can also see it)

gert


On Thu, Sep 23, 2004 at 10:54:04AM -0500, Seils, Zach wrote:
> I can't seem to post to the mailing list right now, but here was my
> response:
> 
> -----
> 
> You can accomplish this with IRB and a MAC ACL.  Ex:
> 
> !
> bridge irb
> !
> !
> interface Ethernet0
>  no ip address
>  bridge-group 1
>  bridge-group 1 input-address-list 700
>  bridge-group 1 spanning-disabled
> !
> interface BVI1
>  description ** IP interface tied to Ethernet0 **
>  ip address 1.1.1.1 255.255.255.0
> !
> no ip http server
> ip classless
> !
> !
> access-list 700 deny   1111.2222.3333   0000.0000.0000
> access-list 700 permit 0000.0000.0000   ffff.ffff.ffff
> !
> 
> Zach Seils
> CCIE #7861
> Staff Engineer
> NetSolve, Inc.
> seils at netsolve.net
> 
> ----- 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Thursday, September 23, 2004 10:47
> To: Chris Moore - GMD
> Cc: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] Blocking a Mac address at a router interface
> 
> Hi,
> 
> On Thu, Sep 23, 2004 at 08:55:49AM -0600, Chris Moore - GMD wrote:
> > I have a branch office served by a 1721 router. I have a guy there 
> > with his own laptop that he keeps connecting to the network against 
> > company policy, changing his IP to evade filters. I know, we should 
> > just fire the guy, but company politics, not my decision, 
> > etc,etc.......Anyhoo, how can I block his mac at the 1721's Ethernet 
> > interface? Unfortunately the cheapo switch in place fails to provide
> > adequate port security.
> 
> I've had that problem in the past (hosting customer being hacked, and
> (ab-)using lots of IP addresses that don't belong to that server).
> 
> I have not been able to find a way to do what you want.
> 
> Filtering by MAC address is possible in bridging mode, but does not seem
> to be possible in IP routing mode (on "router" platforms, at least).
> 
> gert
> --
> Gert Doering
> Mobile communications ... right now writing from * RIPE49 @ Manchester *
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Gert Doering
Mobile communications ... right now writing from * RIPE49 @ Manchester *
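The configuration quoted above hangs its filtering on a 700-series MAC access list attached with `bridge-group 1 input-address-list 700`, and the thread never spells out how such a list is evaluated. The Python below is an added illustration (not code from the thread or from Cisco) that simulates that evaluation for a frame's source MAC: entries are tried in order, the second column is a wildcard mask in which 1 bits are "don't care" and 0 bits must match, and a frame that matches no entry falls through to the implicit deny. The sample config text is constructed here; it contains the thread's `access-list 700` lines plus a hypothetical `access-list 701` that goes beyond the thread by using the mask to block a whole vendor prefix (OUI) rather than one station.

```python
# Added example, not from the thread: simulate how an IOS 700-series MAC
# access-list decides permit/deny for the source MAC of an inbound frame.
# Assumed semantics (standard for these lists): ordered first-match,
# wildcard mask with 1 = don't care, implicit deny when nothing matches.
from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit mask used to keep arithmetic in range


def parse_mac(text: str) -> int:
    """'1111.2222.3333', '11:11:22:22:33:33' or '11-11-...' -> integer."""
    hexdigits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(hexdigits, 16)


@dataclass(frozen=True)
class MacAclEntry:
    action: str     # "permit" or "deny"
    address: int
    wildcard: int   # 1 bits are ignored when comparing

    def matches(self, src_mac: int) -> bool:
        # Only the bits the wildcard mask does NOT cover take part in the comparison.
        care = ~self.wildcard & MAC_BITS
        return (src_mac & care) == (self.address & care)


def parse_mac_acl(config_text: str, number: int) -> list[MacAclEntry]:
    """Collect the 'access-list <number> {permit|deny} <mac> <mask>' lines of one list."""
    entries = []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        _, _, action, addr, mask = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {raw!r}")
        entries.append(MacAclEntry(action, parse_mac(addr), parse_mac(mask)))
    return entries


def evaluate(acl: list[MacAclEntry], src_mac: str) -> str:
    """Return 'permit' or 'deny' for a frame with the given source MAC."""
    mac = parse_mac(src_mac)
    for entry in acl:
        if entry.matches(mac):      # first match wins
            return entry.action
    return "deny"                   # implicit deny at the end of every list


# Constructed sample config: list 700 as posted in the thread, plus a
# hypothetical list 701 that denies every station whose OUI is 00:11:22.
SAMPLE_CONFIG = """
access-list 700 deny   1111.2222.3333   0000.0000.0000
access-list 700 permit 0000.0000.0000   ffff.ffff.ffff
access-list 701 deny   0011.2200.0000   0000.00ff.ffff
access-list 701 permit 0000.0000.0000   ffff.ffff.ffff
"""

ACL_700 = parse_mac_acl(SAMPLE_CONFIG, 700)
ACL_701 = parse_mac_acl(SAMPLE_CONFIG, 701)

if __name__ == "__main__":
    for name, acl in (("700", ACL_700), ("701", ACL_701)):
        for mac in ("1111.2222.3333", "1111.2222.3334", "00:11:22:33:44:55"):
            print(f"list {name}: {mac:>18} -> {evaluate(acl, mac)}")
```

Two points the simulation makes visible: the trailing `permit 0000.0000.0000 ffff.ffff.ffff` line is not decoration, since without it the implicit deny would drop every other station on Ethernet0; and the list only ever sees the source address as it appears in the frame, so it blocks that one address and nothing more.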

