topic I'm using the CIsco Router in Network Security

Need to figure out how to block a MAC address

David Lee — Fri, 21 Feb 2020 13:18:02 GMT

Hello all,

I am trying to block a certain MAC address from either getting an IP via DHCP, or if not possible from accessing the network. I have remote locations with Cisco routers, but not all of them have Cisco switches. What I am finding is that some people are plugging in their personal laptops and devices to the network. Since I have caught them and obtained the MAC address from the DHCP bindings, I am wanting to put in some kind of rule to block them. I have asked them, but they blatantly disregard me. If I have something in the router, they can't get around that. I tried to create an access-list 700 to block the mac, but that didn't seem to work. I have tried this on a Cisco 1841, 1921, and 2901 and it did not work. Any pointers on how to block a particular MAC address, or a few from doing anything with a Cisco router running the location but without a Cisco Switch is greatly appreciated.

Thank you,

David

Short of having a full-blown

Marvin Rhoads — Fri, 03 Oct 2014 22:33:23 GMT

Short of having a full-blown network access control system like Cisco ISE, it's much easier to do this on your DHCP server but whether or not you can do that depends on the type of server you are using.

I'm using the CIsco Router

David Lee — Sun, 05 Oct 2014 01:52:21 GMT

I'm using the CIsco Router itself as the DHCP server.

You can't exclude a MAC

Marvin Rhoads — Sun, 05 Oct 2014 14:56:20 GMT

You can't exclude a MAC address directly per se on the IOS DHCP server.

You might be able to achieve your goal by giving it a manual binding on an invalid subnet - essentially "black holing" the host.

Link for configuring manual binding.

That worked. I didn't even

David Lee — Mon, 13 Oct 2014 16:17:45 GMT

That worked. I didn't even think of trying to Black Hole them. Thank You.

OK, I tohught it worked but

David Lee — Mon, 13 Oct 2014 16:22:41 GMT

OK, I thought it worked but it appears to not have.

172.16.101.1        01c8.3a35.21be.28       Infinite                Manual
192.168.15.30       0100.1e0b.8239.cf       Infinite                Manual
192.168.15.31       0010.1f29.db84.0d       Infinite                Manual
192.168.15.150      01c8.3a35.21be.28       Oct 14 2014 01:55 AM    Automatic
192.168.15.151      0100.1f29.db84.0d       Oct 14 2014 12:35 AM    Automatic
192.168.15.152      0100.e0bb.2631.2c       Oct 14 2014 10:21 AM    Automatic

I created the black hole of the 172 address, but it still got a working IP address of 192.168.15.150. How could it still get a valid IP?

Let him have a 192.168.15.x

Marvin Rhoads — Tue, 14 Oct 2014 03:04:16 GMT

Let him have a 192.168.15.x address but blackhole that /32. i.e.:

ip route 192.168.15.150 255.255.255.255 null0

That did it. Thank you

David Lee — Wed, 15 Oct 2014 19:42:35 GMT

That did it. Thank you Marvin

c2900-universalk9-mz.SPA.150

wayfaring — Mon, 20 Apr 2015 15:16:17 GMT

c2900-universalk9-mz.SPA.150-1.M1 -

class-map match-any internal-block
match source-address mac 1234.1234.1234

policy-map block-policy
class internal-block
drop

interface GigabitEthernet0/0
description LAN interface

service-policy input block-policy