10-02-2014 06:18 PM - edited 02-21-2020 05:18 AM
Hello all,
I am trying to block a certain MAC address from either getting an IP via DHCP, or if not possible from accessing the network. I have remote locations with Cisco routers, but not all of them have Cisco switches. What I am finding is that some people are plugging in their personal laptops and devices to the network. Since I have caught them and obtained the MAC address from the DHCP bindings, I am wanting to put in some kind of rule to block them. I have asked them, but they blatantly disregard me. If I have something in the router, they can't get around that. I tried to create an access-list 700 to block the mac, but that didn't seem to work. I have tried this on a Cisco 1841, 1921, and 2901 and it did not work. Any pointers on how to block a particular MAC address, or a few from doing anything with a Cisco router running the location but without a Cisco Switch is greatly appreciated.
Thank you,
David
10-03-2014 03:33 PM
Short of having a full-blown network access control system like Cisco ISE, it's much easier to do this on your DHCP server but whether or not you can do that depends on the type of server you are using.
10-05-2014 07:56 AM
You can't exclude a MAC address directly per se on the IOS DHCP server.
You might be able to achieve your goal by giving it a manual binding on an invalid subnet - essentially "black holing" the host.
10-04-2014 06:52 PM
I'm using the Cisco router itself as the DHCP server.
10-13-2014 09:17 AM
That worked. I didn't even think of trying to Black Hole them. Thank You.
10-13-2014 09:22 AM
OK, I thought it worked but it appears to not have.
172.16.101.1 01c8.3a35.21be.28 Infinite Manual
192.168.15.30 0100.1e0b.8239.cf Infinite Manual
192.168.15.31 0010.1f29.db84.0d Infinite Manual
192.168.15.150 01c8.3a35.21be.28 Oct 14 2014 01:55 AM Automatic
192.168.15.151 0100.1f29.db84.0d Oct 14 2014 12:35 AM Automatic
192.168.15.152 0100.e0bb.2631.2c Oct 14 2014 10:21 AM Automatic
I created the black hole of the 172 address, but it still got a working IP address of 192.168.15.150. How could it still get a valid IP?
10-13-2014 08:04 PM
Let him have a 192.168.15.x address but blackhole that /32. i.e.:
ip route 192.168.15.150 255.255.255.255 null0
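Added example, not code from this thread or from Cisco: a small Python script that parses `show ip dhcp binding` output of the kind David pasted above, checks whether a MAC you meant to block still holds an Automatic lease, and prints the per-lease /32 null0 route Marvin suggests. It also lists Manual bindings whose client identifier is not in the usual IOS form of 01 (Ethernet hardware type) followed by the MAC, since such a binding cannot match a client that identifies itself that way. The binding text, the BLOCKED_MACS list and all function names are constructed for this example.

```python
"""Check whether MACs meant to be blocked on an IOS DHCP server still hold
leases, and emit the /32 null-route lines that drop their traffic at the
router. Added example with constructed sample data."""
import re
from typing import List, NamedTuple, Optional


class Binding(NamedTuple):
    ip: str
    client_id: str   # raw "Client-ID/Hardware address" column
    expires: str
    kind: str        # Manual or Automatic


# One binding row: IP, dotted-hex client-id, expiry text, binding type.
_ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2,4}(?:\.[0-9a-fA-F]{2,4})+)\s+"
    r"(.+?)\s+(Manual|Automatic|Static)\s*$"
)

# Constructed sample in the layout of `show ip dhcp binding`, using the
# addresses and identifiers quoted in the thread.
SAMPLE_BINDINGS = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.101.1        01c8.3a35.21be.28       Infinite                Manual
192.168.15.30       0100.1e0b.8239.cf       Infinite                Manual
192.168.15.31       0010.1f29.db84.0d       Infinite                Manual
192.168.15.150      01c8.3a35.21be.28       Oct 14 2014 01:55 AM    Automatic
192.168.15.151      0100.1f29.db84.0d       Oct 14 2014 12:35 AM    Automatic
192.168.15.152      0100.e0bb.2631.2c       Oct 14 2014 10:21 AM    Automatic
"""

# Constructed block list: the MAC behind the thread's black-holed client-id.
BLOCKED_MACS = ["c83a.3521.be28"]


def parse_bindings(text: str) -> List[Binding]:
    """Extract binding rows; header and blank lines never match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Binding(*m.groups()))
    return rows


def normalize_mac(mac: str) -> str:
    """Accept c83a.3521.be28, c8:3a:35:21:be:28 or C8-3A-...; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def client_id_to_mac(client_id: str) -> Optional[str]:
    """Map an IOS client identifier to a MAC.

    Ethernet clients normally send a 7-byte client-id: hardware type 0x01
    followed by the MAC, which IOS shows as 01xx.xxxx.xxxx.xx. A 6-byte
    value is a bare hardware address. Anything else cannot be tied to a MAC."""
    digits = client_id.replace(".", "").lower()
    if len(digits) == 14 and digits.startswith("01"):
        return digits[2:]
    if len(digits) == 12:
        return digits
    return None


def leases_for_blocked(bindings: List[Binding], blocked_macs: List[str]) -> List[Binding]:
    """Automatic leases currently held by a MAC on the block list."""
    wanted = {normalize_mac(m) for m in blocked_macs}
    return [b for b in bindings
            if b.kind == "Automatic" and client_id_to_mac(b.client_id) in wanted]


def null_route_commands(bindings: List[Binding], blocked_macs: List[str]) -> List[str]:
    """One `ip route <lease> 255.255.255.255 null0` line per lease that leaked through."""
    return [f"ip route {b.ip} 255.255.255.255 null0"
            for b in leases_for_blocked(bindings, blocked_macs)]


def nonstandard_manual_ids(bindings: List[Binding]) -> List[str]:
    """Manual bindings whose client-id is neither 01+MAC nor a bare MAC;
    these will not match a client that identifies itself by 01+MAC."""
    return [b.client_id for b in bindings
            if b.kind == "Manual" and client_id_to_mac(b.client_id) is None]


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_BINDINGS)
    for cmd in null_route_commands(rows, BLOCKED_MACS):
        print(cmd)
    for cid in nonstandard_manual_ids(rows):
        print(f"! manual binding with non-standard client-id: {cid}")
```

Paste the router's real `show ip dhcp binding` output in place of the sample and the script prints the null0 lines to apply. Two caveats for anyone relying on this: a null0 route only drops packets the router forwards, so the device can still reach other hosts on the same LAN segment, and a user who changes the laptop's MAC gets a fresh lease, so re-run the check whenever the bindings change and treat this as a stopgap until proper network access control (such as the ISE option mentioned above) is in place.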
10-15-2014 12:42 PM
That did it. Thank you, Marvin.
04-20-2015 08:16 AM
c2900-universalk9-mz.SPA.150-1.M1 -
class-map match-any internal-block
 match source-address mac 1234.1234.1234
!
policy-map block-policy
 class internal-block
  drop
!
interface GigabitEthernet0/0
 description LAN interface
 service-policy input block-policy