[c-nsp] Blocking a Mac address at a router interface

Rodney Dunn rodunn at cisco.com
Thu Sep 23 15:09:16 EDT 2004


Good one..

On Thu, Sep 23, 2004 at 11:07:52AM -0700, ken lindahl wrote:
> At 08:47 AM 9/23/2004, Gert Doering wrote:
> >I've had that problem in the past (hosting customer being hacked, and
> >(ab-)using lots of IP addresses that don't belong to that server).
> >
> >I have not been able to find a way to do what you want.
> >
> >Filtering by MAC address is possible in bridging mode, but does not seem
> >to be possible in IP routing mode (on "router" platforms, at least).
> 
> on 7500s, we've been able to do it using CAR:
> 
> interface Ethernet4/0/0
> ...
>  rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
>  rate-limit output access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
> ...
> access-list rate-limit 100 0060.08xx.xxxx
> 
> ymmv
> 
> ken
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
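
An added example, not part of the thread and not the posters' code: a small generator that extends the quoted CAR approach to a list of MAC addresses, normalizing each to Cisco dotted notation and emitting matching drop/drop `rate-limit` lines for both directions. It assumes one MAC per rate-limit ACL index and an index range of 100-199 for MAC-based lists; the function names and sample MACs are constructed, while the interface name and CAR values come from the quoted config.

```python
import re

# CAR values copied from the config in the quoted post.
CAR_PARAMS = "8000 1500 2000"
# Assumption: MAC-based rate-limit ACLs use indexes 100-199, one MAC per index.
MAC_ACL_RANGE = range(100, 200)


def to_cisco_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def car_block_config(interface: str, macs, first_index: int = 100) -> str:
    """Build interface and ACL lines that drop traffic for each MAC in both directions."""
    unique = list(dict.fromkeys(to_cisco_mac(m) for m in macs))  # dedupe, keep order
    if not unique:
        raise ValueError("no MAC addresses given")
    indexes = range(first_index, first_index + len(unique))
    if indexes[0] not in MAC_ACL_RANGE or indexes[-1] not in MAC_ACL_RANGE:
        raise ValueError("rate-limit ACL index outside 100-199")
    lines = [f"interface {interface}"]
    for idx in indexes:
        for direction in ("input", "output"):
            # Both actions are drop, so every matching packet is discarded
            # regardless of the configured rate.
            lines.append(
                f" rate-limit {direction} access-group rate-limit {idx} "
                f"{CAR_PARAMS} conform-action drop exceed-action drop"
            )
    lines.append("!")
    lines += [f"access-list rate-limit {i} {m}" for i, m in zip(indexes, unique)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample MACs, not taken from the thread.
    print(car_block_config("Ethernet4/0/0", ["00:00:5E:00:53:01", "0000.5e00.5302"]))
```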

