[c-nsp] Blocking a Mac address at a router interface
Rodney Dunn
rodunn at cisco.com
Thu Sep 23 12:16:01 EDT 2004
Yep, that's exactly what I was thinking, and I just tried it. It worked.
On Thu, Sep 23, 2004 at 06:06:52PM +0200, Gert Doering wrote:
> Hi,
>
> interesting approach. Yes, this might very well work - using the
> bridging code that *can* do MAC ACLs together with the IRB routing.
>
> Cool :-)
>
> (CC:ed back to the list, so that the list can also see it)
>
> gert
>
>
> On Thu, Sep 23, 2004 at 10:54:04AM -0500, Seils, Zach wrote:
> > I can't seem to post to the mailing list right now, but here was my
> > response:
> >
> > -----
> >
> > You can accomplish this with IRB and a MAC ACL. Ex:
> >
> > !
> > bridge irb
> > !
> > !
> > interface Ethernet0
> >  no ip address
> >  bridge-group 1
> >  bridge-group 1 input-address-list 700
> >  bridge-group 1 spanning-disabled
> > !
> > interface BVI1
> >  description ** IP interface tied to Ethernet0 **
> >  ip address 1.1.1.1 255.255.255.0
> > !
> > no ip http server
> > ip classless
> > !
> > !
> > access-list 700 deny 1111.2222.3333 0000.0000.0000
> > access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
> > !
> >
> > Zach Seils
> > CCIE #7861
> > Staff Engineer
> > NetSolve, Inc.
> > seils at netsolve.net
> >
> > -----
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> > Sent: Thursday, September 23, 2004 10:47
> > To: Chris Moore - GMD
> > Cc: 'cisco-nsp at puck.nether.net'
> > Subject: Re: [c-nsp] Blocking a Mac address at a router interface
> >
> > Hi,
> >
> > On Thu, Sep 23, 2004 at 08:55:49AM -0600, Chris Moore - GMD wrote:
> > > I have a branch office served by a 1721 router. I have a guy there
> > > with his own laptop that he keeps connecting to the network against
> > > company policy, changing his IP to evade filters. I know, we should
> > > just fire the guy, but company politics, not my decision,
> > > etc., etc. Anyhoo, how can I block his MAC at the 1721's Ethernet
> > > interface? Unfortunately the cheapo switch in place fails to provide
> > > adequate port security.
> >
> > I've had that problem in the past (hosting customer being hacked, and
> > (ab-)using lots of IP addresses that don't belong to that server).
> >
> > I have not been able to find a way to do what you want.
> >
> > Filtering by MAC address is possible in bridging mode, but does not seem
> > to be possible in IP routing mode (on "router" platforms, at least).
> >
> > gert
> > --
> > Gert Doering
> > Mobile communications ... right now writing from * RIPE49 @ Manchester *
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> --
> Gert Doering
> Mobile communications ... right now writing from * RIPE49 @ Manchester *
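Added example, not part of the thread and not Cisco's code: a small Python model of how a 700-series (48-bit MAC) access list behaves when it is applied to a bridge group with `input-address-list`, so the posted ACL can be checked before it goes on the 1721. It assumes the usual IOS access-list rules (entries tried in order, first match wins, implicit deny when nothing matches) and that the second address on each line is a wildcard mask in which a 1 bit means "don't care", so `0000.0000.0000` is an exact match and `ffff.ffff.ffff` matches any address. The sample source MACs and the OUI-wide variant of the list are constructed for the demonstration; `1111.2222.3333` is the placeholder the poster used.

```python
# Added example (not from the thread): model of a Cisco IOS 700-series MAC
# access list as applied with "bridge-group 1 input-address-list 700".
# Assumed semantics: first match wins, implicit deny at the end, and the
# second address on each line is a wildcard mask (1 bit = don't care).
from typing import Dict, List, Tuple

ALL_BITS = (1 << 48) - 1

# The ACL from the thread (constructed copy; 1111.2222.3333 is the
# placeholder address the poster used for the offending laptop).
THREAD_ACL = [
    "access-list 700 deny 1111.2222.3333 0000.0000.0000",
    "access-list 700 permit 0000.0000.0000 ffff.ffff.ffff",
]

Entry = Tuple[str, int, int]  # (action, address, wildcard mask)


def parse_mac(text: str) -> int:
    """Parse aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff into a 48-bit int."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <700-799> permit|deny <mac> <wildcard>' lines in order."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        number = int(parts[1])
        if not 700 <= number <= 799:
            raise ValueError(f"{number} is not a 48-bit MAC address list (700-799)")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        entries.append((action, parse_mac(parts[3]), parse_mac(parts[4])))
    return entries


def evaluate(acl: List[Entry], src_mac: str) -> str:
    """Return 'permit' or 'deny' for a frame with this source MAC."""
    mac = parse_mac(src_mac)
    for action, addr, wildcard in acl:
        care = ALL_BITS ^ wildcard          # bits that must match exactly
        if (mac ^ addr) & care == 0:
            return action                   # first match wins
    return "deny"                           # implicit deny at end of every list


def filter_frames(acl_lines: List[str], src_macs: List[str]) -> Dict[str, str]:
    """Apply the ACL to each source MAC; returns {mac: verdict}."""
    acl = parse_acl(acl_lines)
    return {mac: evaluate(acl, mac) for mac in src_macs}


if __name__ == "__main__":
    # Constructed sample frames: the blocked laptop, an ordinary host, and the
    # same laptop after its owner changes the address by one bit.
    frames = ["1111.2222.3333", "0012.3456.789a", "1111.2222.3334"]
    for mac, verdict in filter_frames(THREAD_ACL, frames).items():
        print(f"{mac}: {verdict}")
    # Without the trailing permit line the implicit deny blocks everyone.
    print(filter_frames(THREAD_ACL[:1], ["0012.3456.789a"]))
```

Two things the run makes visible: drop the `permit 0000.0000.0000 ffff.ffff.ffff` line and every host behind Ethernet0 loses connectivity, because the list ends in an implicit deny; and an exact-match deny catches only that one address, so a user who already changes his IP to get around filters can do the same with his MAC. Confirm the list the router actually loaded with `show access-lists 700` after pasting it in.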