[c-nsp] Blocking a Mac address at a router interface
Matthew Crocker
matthew at crocker.com
Thu Sep 23 14:55:53 EDT 2004
Could you plug the customer into a 3550, set the port to no switchport
and give him a /28 to use. No free IPs to steal. You could also
police the traffic at the port.
-Matt
On Sep 23, 2004, at 2:07 PM, ken lindahl wrote:
> At 08:47 AM 9/23/2004, Gert Doering wrote:
>> I've had that problem in the past (hosting customer being hacked, and
>> (ab-)using lots of IP addresses that don't belong to that server).
>>
>> I have not been able to find a way to do what you want.
>>
>> Filtering by MAC address is possible in bridging mode, but does not
>> seem
>> to be possible in IP routing mode (on "router" platforms, at least).
>
> on 7500s, we've been able to do it using CAR:
>
> interface Ethernet4/0/0
> ...
> rate-limit input access-group rate-limit 100 8000 1500 2000
> conform-action drop exceed-action drop
> rate-limit output access-group rate-limit 100 8000 1500 2000
> conform-action drop exceed-action drop
> ...
> access-list rate-limit 100 0060.08xx.xxxx
>
> ymmv
>
> ken
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list