ACL for MAC Address

utawakevou
Level 4

I want to block this MAC address from my router: 00:50:8b:5d:29:7a

Is there an ACL that I can use to do this?

7 Replies

paddyxdoyle
Level 6

Hi,

access-list 700 deny 0050.8b5d.297a 0000.0000.0000

then on your interface

e.g. fast ethernet 0/1

int fa 0/1

access-group 700 in

Rgds

Paddy

Sorry, I think this only works for bridge groups. You could, if you are using DHCP, tie the user's MAC address to a specific IP and use a normal access-list applied to your VTY lines to block it, although the user could probably get around it by using an (unused) static IP from your scope and a bit of persistence. If you are desperate and the router is local, then disable your VTY lines and only administer the router via the console port using a username/password that only you know.

The reason I want to do this is because I got a 4006 switch that all my servers and access routers are connected to. Recently I have been receiving this log message from the 4006 switch:

2004 Aug 12 09:26:33 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1

Port 2/2 is where our core router is connected to.

I was going through the Cisco site and I found out the meaning of this error message.

This message indicates that an 802.1Q tagged packet was received on a nontrunk port. The VLAN derived from the packet tag is different from the native VLAN of the port.

All the switches we have operate on the default VLAN, which is 1. We don't have separate VLANs.

Also, when I try to get the IP of this MAC address, I couldn't. I do a show arp on the router and it doesn't show up.

So what I'm planning to do is to add an ACL for the MAC address.

Hi! Did you ever resolve this problem? Thanks.

I traced it, and it was coming from one of our wireless links. So what I did is this: I set up a MAC address filter on the 350 wireless bridge to block it.


hrmilo
Level 1

You cannot create an ACL, but you can create a policy map that drops packets from a targeted source MAC address.

class-map match-any ForbiddenMacList
    match source-address mac AAAA.BBBB.CCCC
    match source-address mac DDDD.EEEE.FFFF

policy-map ForbidMacs
   class ForbiddenMacList
      drop

interface GigabitEthernet0/0
   service-policy input ForbidMacs
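As an added example (not code from any poster in this thread), the Python script below parses the CatOS %SYS-4-P2_WARN message quoted earlier, counts hits per source MAC and switch port so the offending link can be traced first, converts the colon-separated MAC into the Cisco dotted notation used in the ACL and class-map replies, and renders the class-map/policy-map from hrmilo's reply for the MACs found. The log lines are constructed from the one quoted in the thread; the second MAC, the module-online line and the interface name are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the CatOS message quoted in the thread.
# The second MAC (00:0c:29:aa:bb:cc) and the MOD_OK line are made up for the example.
SAMPLE_LOGS = [
    "2004 Aug 12 09:26:33 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1",
    "2004 Aug 12 09:27:01 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1",
    "2004 Aug 12 09:27:45 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:0c:29:aa:bb:cc port 2/5, but port's native vlan is 1",
    "2004 Aug 12 09:28:00 %SYS-5-MOD_OK: Module 2 is online",
]

P2_WARN = re.compile(
    r"%SYS-4-P2_WARN: \d+/Tag (?P<tag>\d+) on packet from "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) port (?P<port>\d+/\d+), "
    r"but port's native vlan is (?P<vlan>\d+)"
)

def parse_p2_warn(line):
    """Return (mac, port) for a P2_WARN line, or None for any other message."""
    m = P2_WARN.search(line)
    if not m:
        return None
    return m.group("mac").lower(), m.group("port")

def to_cisco_mac(mac):
    """Normalise any common MAC notation to Cisco dotted form: 00:50:8b:5d:29:7a -> 0050.8b5d.297a."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def offending_macs(lines):
    """Count P2_WARN hits per (mac, port) so the noisiest tagged source is traced first."""
    counts = Counter()
    for line in lines:
        hit = parse_p2_warn(line)
        if hit:
            counts[hit] += 1
    return counts

def render_drop_policy(macs, interface, class_name="ForbiddenMacList", policy_name="ForbidMacs"):
    """Render the class-map/policy-map from the thread for a set of MACs (interface name is an assumption)."""
    cfg = [f"class-map match-any {class_name}"]
    cfg += [f"    match source-address mac {to_cisco_mac(m).upper()}" for m in sorted(macs)]
    cfg += [f"policy-map {policy_name}", f"   class {class_name}", "      drop"]
    cfg += [f"interface {interface}", f"   service-policy input {policy_name}"]
    return "\n".join(cfg)
```

Running `offending_macs(SAMPLE_LOGS)` shows 00:50:8b:5d:29:7a hitting port 2/2 twice, and feeding the keys into `render_drop_policy` produces the class-map block with both MACs in dotted notation.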