[c-nsp] Blocking a Mac address at a router interface

ken lindahl lindahl at uclink.berkeley.edu
Thu Sep 23 14:07:52 EDT 2004


At 08:47 AM 9/23/2004, Gert Doering wrote:
>I've had that problem in the past (hosting customer being hacked, and
>(ab-)using lots of IP addresses that don't belong to that server).
>
>I have not been able to find a way to do what you want.
>
>Filtering by MAC address is possible in bridging mode, but does not seem
>to be possible in IP routing mode (on "router" platforms, at least).

on 7500s, we've been able to do it using CAR:

interface Ethernet4/0/0
...
 rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
 rate-limit output access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
...
access-list rate-limit 100 0060.08xx.xxxx

ymmv

ken
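
Added example, not part of the original post: a small Python helper that normalizes MAC addresses into the dotted form used above and emits the same CAR drop configuration for a list of hosts to block. The function names, the choice of one rate-limit ACL index per MAC (from the 100-199 range IOS reserves for MAC-based rate-limit ACLs), and the sample addresses are assumptions made for this example.

```python
import re

# Rate and burst values are copied from the post; both actions are "drop",
# so every frame matching the rate-limit ACL is discarded regardless of rate.
CAR_PARAMS = "8000 1500 2000 conform-action drop exceed-action drop"
ACL_FIRST, ACL_LAST = 100, 199  # IOS range for MAC-based rate-limit ACLs


def to_cisco_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff / aa-bb-... / aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:
        # Group bit set: multicast or broadcast, not a single host's address.
        raise ValueError(f"refusing multicast/broadcast MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def car_block_config(interface: str, macs: list[str]) -> str:
    """Build the CAR drop config from the post, one ACL index per MAC (assumption)."""
    unique = list(dict.fromkeys(to_cisco_mac(m) for m in macs))  # dedupe, keep order
    if len(unique) > ACL_LAST - ACL_FIRST + 1:
        raise ValueError("more MACs than available rate-limit ACL indexes (100-199)")
    lines = [f"interface {interface}"]
    for offset in range(len(unique)):
        for direction in ("input", "output"):
            lines.append(f" rate-limit {direction} access-group rate-limit "
                         f"{ACL_FIRST + offset} {CAR_PARAMS}")
    lines.append("!")
    for offset, mac in enumerate(unique):
        lines.append(f"access-list rate-limit {ACL_FIRST + offset} {mac}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the post.
    print(car_block_config("Ethernet4/0/0",
                           ["00:60:08:AA:BB:CC", "0060.08aa.bbcc", "00-60-08-11-22-33"]))
```

The generated text is meant to be reviewed before it is pasted into a router; it only reproduces the command forms shown in the post.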


