Solved: Need to figure out how to block a MAC address

David Lee · ‎10-02-2014

Hello all,

I am trying to block a certain MAC address from either getting an IP via DHCP, or if not possible from accessing the network. I have remote locations with Cisco routers, but not all of them have Cisco switches. What I am finding is that some people are plugging in their personal laptops and devices to the network. Since I have caught them and obtained the MAC address from the DHCP bindings, I am wanting to put in some kind of rule to block them. I have asked them, but they blatantly disregard me. If I have something in the router, they can't get around that. I tried to create an access-list 700 to block the mac, but that didn't seem to work. I have tried this on a Cisco 1841, 1921, and 2901 and it did not work. Any pointers on how to block a particular MAC address, or a few from doing anything with a Cisco router running the location but without a Cisco Switch is greatly appreciated.

Thank you,

David

Marvin Rhoads · ‎10-03-2014

Short of having a full-blown network access control system like Cisco ISE, it's much easier to do this on your DHCP server but whether or not you can do that depends on the type of server you are using.

View solution in original post

Marvin Rhoads · ‎10-05-2014

You can't exclude a MAC address directly per se on the IOS DHCP server.

You might be able to achieve your goal by giving it a manual binding on an invalid subnet - essentially "black holing" the host.

Link for configuring manual binding.

View solution in original post

Marvin Rhoads · ‎10-03-2014

Short of having a full-blown network access control system like Cisco ISE, it's much easier to do this on your DHCP server but whether or not you can do that depends on the type of server you are using.

David Lee · ‎10-04-2014

I'm using the CIsco Router itself as the DHCP server.

Marvin Rhoads · ‎10-05-2014

You can't exclude a MAC address directly per se on the IOS DHCP server.

You might be able to achieve your goal by giving it a manual binding on an invalid subnet - essentially "black holing" the host.

Link for configuring manual binding.

David Lee · ‎10-13-2014

That worked. I didn't even think of trying to Black Hole them. Thank You.

David Lee · ‎10-13-2014

OK, I thought it worked but it appears to not have.

172.16.101.1        01c8.3a35.21be.28       Infinite                Manual
192.168.15.30       0100.1e0b.8239.cf       Infinite                Manual
192.168.15.31       0010.1f29.db84.0d       Infinite                Manual
192.168.15.150      01c8.3a35.21be.28       Oct 14 2014 01:55 AM    Automatic
192.168.15.151      0100.1f29.db84.0d       Oct 14 2014 12:35 AM    Automatic
192.168.15.152      0100.e0bb.2631.2c       Oct 14 2014 10:21 AM    Automatic

I created the black hole of the 172 address, but it still got a working IP address of 192.168.15.150. How could it still get a valid IP?

Marvin Rhoads · ‎10-13-2014

Let him have a 192.168.15.x address but blackhole that /32. i.e.:

ip route 192.168.15.150 255.255.255.255 null0

David Lee · ‎10-15-2014

That did it. Thank you Marvin

wayfaring · ‎04-20-2015

c2900-universalk9-mz.SPA.150-1.M1 -

class-map match-any internal-block
match source-address mac 1234.1234.1234

policy-map block-policy
class internal-block
drop

interface GigabitEthernet0/0
description LAN interface

service-policy input block-policy