[c-nsp] Blocking a Mac address at a router interface

Matthew Crocker matthew at crocker.com
Thu Sep 23 14:55:53 EDT 2004


Could you plug the customer into a 3550, set the port to no switchport 
and give him a /28 to use?  No free IPs to steal.  You could also 
police the traffic at the port.

-Matt

On Sep 23, 2004, at 2:07 PM, ken lindahl wrote:

> At 08:47 AM 9/23/2004, Gert Doering wrote:
>> I've had that problem in the past (hosting customer being hacked, and
>> (ab-)using lots of IP addresses that don't belong to that server).
>>
>> I have not been able to find a way to do what you want.
>>
>> Filtering by MAC address is possible in bridging mode, but does not seem
>> to be possible in IP routing mode (on "router" platforms, at least).
>
> on 7500s, we've been able to do it using CAR:
>
> interface Ethernet4/0/0
> ...
>  rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
>  rate-limit output access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
> ...
> access-list rate-limit 100 0060.08xx.xxxx
>
> ymmv
>
> ken
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
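
The routed-port setup suggested in the reply above, sketched as an added example (not configuration posted by anyone in the thread). The interface number, the 192.0.2.0/28 documentation prefix, the names and the 10 Mb/s rate are assumptions; the inbound source filter is an addition beyond what the message describes.

```cisco
! Constructed example for a Catalyst 3550; all names and values are placeholders.
mls qos
!
! Classify all customer traffic so it can be policed on ingress.
access-list 199 permit ip any any
!
class-map match-all CUSTOMER-ALL
 match access-group 199
!
policy-map CUSTOMER-POLICE
 class CUSTOMER-ALL
  police 10000000 16000 exceed-action drop
!
! Added here, not in the message: accept only sources from the customer's /28.
ip access-list extended CUSTOMER-IN
 permit ip 192.0.2.0 0.0.0.15 any
 deny ip any any
!
! Routed (layer 3) port: the customer is alone on the /28,
! so there are no neighbouring addresses on the segment to take.
interface FastEthernet0/5
 description customer routed port
 no switchport
 ip address 192.0.2.1 255.255.255.240
 ip access-group CUSTOMER-IN in
 service-policy input CUSTOMER-POLICE
```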


