03-20-2006 08:20 AM - edited 03-03-2019 02:22 AM
I just removed a Linksys router from my network that was blocking MAC addresses. I have replaced it with a 1720 router. I see how to block host names and/or IP addresses. Is there a way to block by MAC address? If so, could you please include the configs in your response.
Thanks in advance
Dale
03-20-2006 10:03 AM
Sure there is a way.
03-20-2006 01:09 PM
OK, what went wrong.
I grabbed the MAC from the machine I want to block using ipconfig /all and got this MAC: 00-80-ad-81-1a-ee. I put in the following command lines:
access-list 700 deny 0080.ad81.1aee
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
interface fa0
bridge-group 1 input-address-list 700
But the computer still has full access.
What did I do wrong?
03-20-2006 02:34 PM
Well, beats me; I was sure this was the way to go.
Did you make the bridge group? E.g. "bridge 1 protocol ieee".
What does your access-list say, any matches?
Have a go with "bridge-group 1 output" instead of input. Does that change anything?
03-20-2006 03:41 PM
Actually no, I put in the following configs:
(config)#access-list 700 deny 0080.ad81.1aee 0000.0000.0000
(config)#bridge 1 protocol ieee
(config-if)#bridge-group 1 input-address-list 700
Is there anything missing?
Thanks for the reply.
03-21-2006 10:53 AM
So there are no matches on the access-list?
What IOS are you using?
I think you need an IOS with the words IBM in it, or else ENTERPRISE BASE, ENTERPRISE SERVICES or ADVANCED ENTERPRISE SERVICES.
But I'm not 100% sure, because basically I don't do a whole lot of bridging.
03-22-2006 09:47 AM
These are the entries for the 4 machines I wish to deny access to. They are in the ARP table:
Internet 10.6.18.138 6 0080.ad81.1aee ARPA FastEthernet0
Internet 10.6.18.123 1 00c0.f035.96d7 ARPA FastEthernet0
Internet 10.6.18.136 0 0040.f62c.6f90 ARPA FastEthernet0
Internet 10.6.18.135 2 0004.76b9.31ce ARPA FastEthernet0
I don't get it, this should be easy to do, but I can't get it to work. All I need is for it to deny these MACs. Could you show me the configs on how you would block these? Thanks for all your help so far.
Here is my show version as well:
#sh version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.2(17d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 14-Jan-04 17:09 by ccai
Image text-base: 0x800080E0, data-base: 0x80751218
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
uptime is 1 hour, 33 minutes
System returned to ROM by reload
System image file is "flash:c1700-y-mz.122-17d.bin"
cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID VMS064803GR (3074855086), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
03-22-2006 10:27 AM
Well I'm as surprised as you are about this.
But I'm not sure that the IP-only software you are using allows for this feature.
However, try and have a go at this instead:
Interface FastEthernet0
bridge-group 1
!
bridge 1 protocol ieee
bridge 1 address 0080.ad81.1aee discard fastEthernet0
bridge 1 address 00c0.f035.96d7 discard fastEthernet0
bridge 1 address 0040.f62c.6f90 discard fastEthernet0
bridge 1 address 0004.76b9.31ce discard fastEthernet0
But I haven't got a clue if this would work or not.
03-20-2006 12:45 PM
You can use access lists. Access lists 700-799 are for Layer 2 functions. You can deny MAC addresses using an access list in the 700 range... Please rate...
03-20-2006 02:24 PM
OK, what went wrong.
I grabbed the MAC from the machine I want to block using ipconfig /all and got this MAC: 00-80-ad-81-1a-ee. I put in the following command lines:
access-list 700 deny 0080.ad81.1aee
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
interface fa0
bridge-group 1 input-address-list 700
But the computer still has full access.
What did I do wrong?
03-20-2006 04:26 PM
Hello Dale,
I've never used bridge-group configuration before, so I won't judge those.
But, do you know if it's possible to apply the ACL using the command:
(config-if)#mac access-group 700 in
I know it's possible on a bigger router.
Please let me know,
Vlad
03-21-2006 07:31 AM
Vlad,
Thanks for the info, but unfortunately it is not an option on my router.
Thanks
Dale
03-21-2006 01:23 PM
Well, no problem.
Anyway, did the bridge solution work?
Not sure if this would be an option, but how about setting a CAR and dropping every packet coming from that MAC?
Vlad
03-22-2006 09:33 AM
Vlad,
No, it didn't, and I must be missing something, because I tried to block the IP and it still went through. I'm about ready to toss the Linksys back online.
What is CAR and how would I set that up? Also, here is my show version and the ARP table of the machines I need to block, if this helps:
#sh version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.2(17d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 14-Jan-04 17:09 by ccai
Image text-base: 0x800080E0, data-base: 0x80751218
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
uptime is 1 hour, 33 minutes
System returned to ROM by reload
System image file is "flash:c1700-y-mz.122-17d.bin"
cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID VMS064803GR (3074855086), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Internet 10.6.18.138 6 0080.ad81.1aee ARPA FastEthernet0
Internet 10.6.18.123 1 00c0.f035.96d7 ARPA FastEthernet0
Internet 10.6.18.136 0 0040.f62c.6f90 ARPA FastEthernet0
Internet 10.6.18.135 2 0004.76b9.31ce ARPA FastEthernet0
03-22-2006 12:45 PM
Hello Dale,
CAR is a policing/shaping feature (committed access rate). CAR examines traffic received on an interface, or a subset of that traffic selected by access list criteria. It then compares the rate of the traffic to a configured token bucket and takes action based on the result.
You could also use it to throw all packets away, and you can use an ACL that will match the MACs.
The configs would be something like:
access-list rate-limit 100 0080.ad81.1aee
access-list rate-limit 101 00c0.f035.96d7
access-list rate-limit 102 0040.f62c.6f90
access-list rate-limit 103 0004.76b9.31ce
interface fast 0
rate-limit input access-group rate-limit 100 8000 1000 2000 conform-action drop exceed-action drop
rate-limit input access-group rate-limit 101 8000 1000 2000 conform-action drop exceed-action drop
rate-limit input access-group rate-limit 102 8000 1000 2000 conform-action drop exceed-action drop
rate-limit input access-group rate-limit 103 8000 1000 2000 conform-action drop exceed-action drop
I've never implemented this myself, to be honest, but I would like to hear any thoughts on this kind of config (though far from elegant).
Vlad
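To tie the approaches in this thread together, here is an added Python helper (not from the thread, from Cisco, or from any of the posters) that converts the ipconfig MAC format into IOS dotted form, parses the show arp lines quoted above, evaluates a 700-series address list with IOS mask semantics (which shows why "permit 0000.0000.0000 ffff.ffff.ffff" is a permit-any), and generates the bridge-discard and CAR configs with consistent list numbers. The function names and the SAMPLE_ARP constant are my own; the MACs are the ones quoted in the thread.

```python
import re

# Constructed sample, copied from the ARP entries quoted in the thread.
SAMPLE_ARP = """Internet 10.6.18.138 6 0080.ad81.1aee ARPA FastEthernet0
Internet 10.6.18.123 1 00c0.f035.96d7 ARPA FastEthernet0
Internet 10.6.18.136 0 0040.f62c.6f90 ARPA FastEthernet0
Internet 10.6.18.135 2 0004.76b9.31ce ARPA FastEthernet0"""

def to_dotted(mac):
    """'00-80-ad-81-1a-ee' (ipconfig), '00:80:AD:81:1A:EE' or '0080.ad81.1aee' -> IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_show_arp(text):
    """Map IP -> dotted MAC from 'Internet <ip> <age> <mac> ARPA <intf>' lines."""
    pat = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA", re.M)
    return {ip: mac for ip, mac in pat.findall(text)}

def acl700_action(entries, mac):
    """First-match evaluation of 700-series entries (action, address[, mask]).
    A mask bit of 1 means 'don't care' (mask omitted = exact match), so
    'permit 0000.0000.0000 ffff.ffff.ffff' is permit-any; no match = implicit deny."""
    m = int(to_dotted(mac).replace(".", ""), 16)
    for action, addr, *rest in entries:
        a = int(to_dotted(addr).replace(".", ""), 16)
        k = int(to_dotted(rest[0] if rest else "0000.0000.0000").replace(".", ""), 16)
        if (m | k) == (a | k):
            return action
    return "deny"

def bridge_discard_config(macs, intf="FastEthernet0"):
    """The 'bridge 1 address ... discard' form suggested in the thread."""
    lines = [f"interface {intf}", " bridge-group 1", "!", "bridge 1 protocol ieee"]
    return lines + [f"bridge 1 address {to_dotted(m)} discard {intf}" for m in macs]

def car_drop_config(macs, intf="FastEthernet0", first=100):
    """CAR form: one MAC rate-limit ACL (100-199) per host, numbered so that each
    rate-limit line references exactly the ACL that was defined for it."""
    acls = [f"access-list rate-limit {first + i} {to_dotted(m)}" for i, m in enumerate(macs)]
    policy = [f" rate-limit input access-group rate-limit {first + i} 8000 1000 2000"
              " conform-action drop exceed-action drop" for i in range(len(macs))]
    return acls + [f"interface {intf}"] + policy

if __name__ == "__main__":
    hosts = parse_show_arp(SAMPLE_ARP)
    print("\n".join(bridge_discard_config(hosts.values())))
    print("\n".join(car_drop_config(hosts.values())))
```

Run it to print both config variants for the four hosts; the acl700_action check is what to reach for when you want to confirm on paper that a 700-series list denies exactly the MACs you intend before applying it.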