[c-nsp] Blocking a Mac address at a router interface

Rodney Dunn rodunn at cisco.com
Thu Sep 23 12:16:01 EDT 2004


Yep..that's exactly what I was thinking and just tried
it.

It worked.

On Thu, Sep 23, 2004 at 06:06:52PM +0200, Gert Doering wrote:
> Hi,
> 
> interesting approach.  Yes, this might very well work - using the
> bridging code that *can* do MAC ACLs together with the IRB routing.
> 
> Cool :-)
> 
> (CC:ed back to the list, so that the list can also see it)
> 
> gert
> 
> 
> On Thu, Sep 23, 2004 at 10:54:04AM -0500, Seils, Zach wrote:
> > I can't seem to post to the mailing list right now, but here was my
> > response:
> > 
> > -----
> > 
> > You can accomplish this with IRB and a MAC ACL.  Ex:
> > 
> > !
> > bridge irb
> > !
> > !
> > interface Ethernet0
> >  no ip address
> >  bridge-group 1
> >  bridge-group 1 input-address-list 700
> >  bridge-group 1 spanning-disabled
> > !
> > interface BVI1
> >  description ** IP interface tied to Ethernet0 **
> >  ip address 1.1.1.1 255.255.255.0
> > !
> > no ip http server
> > ip classless
> > !
> > !
> > access-list 700 deny   1111.2222.3333   0000.0000.0000
> > access-list 700 permit 0000.0000.0000   ffff.ffff.ffff
> > !
> > 
> > Zach Seils
> > CCIE #7861
> > Staff Engineer
> > NetSolve, Inc.
> > seils at netsolve.net
> > 
> > ----- 
> > 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> > Sent: Thursday, September 23, 2004 10:47
> > To: Chris Moore - GMD
> > Cc: 'cisco-nsp at puck.nether.net'
> > Subject: Re: [c-nsp] Blocking a Mac address at a router interface
> > 
> > Hi,
> > 
> > On Thu, Sep 23, 2004 at 08:55:49AM -0600, Chris Moore - GMD wrote:
> > > I have a branch office served by a 1721 router. I have a guy there 
> > > with his own laptop that he keeps connecting to the network against 
> > > company policy, changing his IP to evade filters. I know, we should 
> > > just fire the guy, but company politics, not my decision, 
> > > etc,etc.......Anyhoo, how can I block his mac at the 1721's Ethernet 
> > > interface? Unfortunately the cheapo switch in place fails to provide
> > > adequate port security.
> > 
> > I've had that problem in the past (hosting customer being hacked, and
> > (ab-)using lots of IP addresses that don't belong to that server).
> > 
> > I have not been able to find a way to do what you want.
> > 
> > Filtering by MAC address is possible in bridging mode, but does not seem
> > to be possible in IP routing mode (on "router" platforms, at least).
> > 
> > gert
> > --
> > Gert Doering
> > Mobile communications ... right now writing from * RIPE49 @ Manchester *
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> -- 
> Gert Doering
> Mobile communications ... right now writing from * RIPE49 @ Manchester *
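As an added illustration (not part of the thread or of any Cisco tool), a small Python model of how the 700-series MAC access list in Zach's config is evaluated: the second field is a wildcard mask whose 1 bits are ignored, rules are tried first-match-wins, and an unmatched source MAC falls through to the implicit deny, which is why the `permit 0000.0000.0000 ffff.ffff.ffff` line is required.

```python
import re

# Constructed sample: the two access-list 700 lines from the posted config.
ACL_700 = """\
access-list 700 deny   1111.2222.3333   0000.0000.0000
access-list 700 permit 0000.0000.0000   ffff.ffff.ffff
"""

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space
_DOTTED = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")
_RULE = re.compile(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s*$")


def mac_to_int(dotted):
    """Convert Cisco dotted-hex notation (xxxx.xxxx.xxxx) to a 48-bit int."""
    if not _DOTTED.fullmatch(dotted):
        raise ValueError(f"not a dotted-hex MAC or mask: {dotted!r}")
    return int(dotted.replace(".", ""), 16)


def parse_acl(text, number=700):
    """Return [(action, address, wildcard_mask), ...] for the given ACL number, in order."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m and int(m.group(1)) == number:
            action, addr, mask = m.group(2), mac_to_int(m.group(3)), mac_to_int(m.group(4))
            rules.append((action, addr, mask))
    return rules


def acl_action(rules, src_mac):
    """Evaluate a source MAC against the rules: first match wins, implicit deny at the end."""
    mac = mac_to_int(src_mac)
    for action, addr, mask in rules:
        care = ~mask & MAC_BITS          # mask bits set to 1 are "don't care"
        if mac & care == addr & care:
            return action
    return "deny"                        # no rule matched: Cisco's implicit deny


if __name__ == "__main__":
    rules = parse_acl(ACL_700)
    for mac in ("1111.2222.3333", "1111.2222.3334"):
        print(mac, "->", acl_action(rules, mac))
```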

