08-10-2004 06:57 PM - edited 02-20-2020 09:25 PM
I want to block this MAC address from my router: 00:50:8b:5d:29:7a
Is there an ACL that I can use to do this?
08-11-2004 04:37 AM
Hi,
access-list 700 deny 0050.8b5d.297a 0000.0000.0000
then on your interface
e.g. fast ethernet 0/1
int fa 0/1
access-group 700 in
Rgds
Paddy
08-11-2004 05:59 AM
Sorry, I think this only works for bridge groups. If you are using DHCP, you could tie the user's MAC address to a specific IP and use a normal access-list applied to your VTY lines to block it, although the user could probably get around it by using an (unused) static IP from your scope and a bit of persistence. If you are desperate and the router is local, then disable your VTY lines and only administer the router via the console port using a username/password that only you know.
08-11-2004 01:39 PM
The reason I want to do this is because I got a 4006 switch to which all my servers and access routers are connected. Recently I have been receiving this log message from the 4006 switch:
2004 Aug 12 09:26:33 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1
Port 2/2 is where our core router is connected.
I was going through the Cisco site and I found out the meaning of this error message.
This message indicates that an 802.1Q tagged packet was received on a nontrunk port. The VLAN derived from the packet tag is different from the native VLAN of the port.
All the switches we have operate on the default VLAN, which is 1. We don't have separate VLANs.
Also, when I tried to get the IP of this MAC address, I couldn't. Do a show ARP on the router and it doesn't show up.
So what I'm planning to do is to use an ACL for the MAC address.
02-17-2005 08:37 AM
Hi! Did you ever resolve this problem? Thanks.
02-17-2005 01:08 PM
I traced it and it was coming from one of our wireless links. So what I did is this: I set up a MAC address filter on the 350 wireless bridge to block it.
09-06-2019 01:27 AM
You cannot create an ACL, but you can create a policy map that drops packets from a targeted source MAC address.
class-map match-any ForbiddenMacList
 match source-address mac AAAA.BBBB.CCCC
 match source-address mac DDDD.EEEE.FFFF
policy-map ForbidMacs
 class ForbiddenMacList
  drop
interface GigabitEthernet0/0
 service-policy input ForbidMacs
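The following is an added example, not part of any post in this thread and not Cisco code. It tallies which source MACs and switch ports trigger the %SYS-4-P2_WARN message quoted earlier, converts them to Cisco dotted notation, and renders the class-map/policy-map form from the reply above. The function names, the sample lines after the first, and the assumption that every such message has the same shape as the one quoted line are illustrative.

```python
import re
from collections import Counter

# Message shape taken from the one log line quoted in the thread (assumed stable).
P2_WARN = re.compile(
    r"%SYS-4-P2_WARN: \d+/Tag (?P<tag>\d+) on packet from "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) port (?P<port>\d+/\d+), "
    r"but port's native vlan is (?P<native>\d+)"
)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "2004 Aug 12 09:26:33 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1",
    "2004 Aug 12 09:27:03 %SYS-4-P2_WARN: 1/Tag 0 on packet from 00:50:8b:5d:29:7a port 2/2, but port's native vlan is 1",
    "2004 Aug 12 09:27:41 %SYS-4-P2_WARN: 1/Tag 0 on packet from 02:00:00:aa:bb:01 port 2/7, but port's native vlan is 1",
    "2004 Aug 12 09:28:00 %EXAMPLE-5-OTHER: constructed unrelated line",
]

def to_cisco_mac(mac):
    """Normalize colon, dash or dotted notation to Cisco dotted form (xxxx.xxxx.xxxx)."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def tally_sources(lines):
    """Count P2_WARN hits per (dotted MAC, switch port); non-matching lines are skipped."""
    hits = Counter()
    for line in lines:
        m = P2_WARN.search(line)
        if m:
            hits[(to_cisco_mac(m["mac"]), m["port"])] += 1
    return hits

def policy_map_config(macs, interface):
    """Render the class-map/policy-map form from the reply above for the given MACs."""
    unique = sorted({to_cisco_mac(m) for m in macs})  # de-duplicate after normalizing
    lines = ["class-map match-any ForbiddenMacList"]
    lines += [f" match source-address mac {m}" for m in unique]
    lines += ["policy-map ForbidMacs", " class ForbiddenMacList", "  drop",
              f"interface {interface}", " service-policy input ForbidMacs"]
    return "\n".join(lines)

if __name__ == "__main__":
    hits = tally_sources(SAMPLE_LOG)
    for (mac, port), count in hits.most_common():
        print(f"{mac} on port {port}: {count} tagged frames")
    print(policy_map_config([mac for mac, _ in hits], "GigabitEthernet0/0"))
```

The per-port tally shows which switch port to follow when tracing the frames back to their source, as the original poster did before filtering on the wireless bridge.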