
Block Mac address

jeevan.koganti
Level 1

Hi,

I am using a Cisco 1841 LAN router. I need to block a MAC address. I have applied the command access-list 1102 deny 0000.0000.0000.0000 mac address..... but it does not work.

Can anyone suggest...

Thanks,

Jeevan.

24 Replies

cadet alain
VIP Alumni

Hi,

Normally there shouldn't be any source MAC of all zeroes except in some particular situations.

How many MAC addresses do you want to block?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I want to block a single MAC address for testing, so I have tried the above command... I could not create it without a source address... Can you give me the correct command instead so that I can try that?

Thanks,

Jeevan.

Hi,

You can use MQC to achieve this:

class-map MACDENIED
 match source-address mac xxxx.xxxx.xxxx
policy-map MACDENIED
 class MACDENIED
  drop
interface x/x
 service-policy input MACDENIED

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I have used a class-map for blocking websites and applied it to an interface... Can I use another class-map for blocking a MAC address and apply it to the same interface which I used for blocking websites?

Awaiting your reply...

Thanks,

Jeevan.

Hi,

I suppose your class-map is something like this and that you have a drop action for that class in your policy-map:

class-map xxx
 match protocol http host xxxx

If so, then simply do this:

class-map match-any xxxx
 match source-address mac xxxx.xxxx.xxxx
 match protocol http host xxxx

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Thank you so much for your support. It is working now. Can you tell me how to permit limited MAC addresses and block all the remaining ones from the same router?

Thanks,

Jeevan.

Hi,

I would do this:

Let's suppose you want only to permit 2 MAC addresses and deny all others

class-map match-any MACPERMIT
 match source-address mac xxxx.xxxx.xxxx
 match source-address mac xxxx.xxxx.xxxx
class-map match-any xxxx
 match not class-map MACPERMIT
 match protocol http host xxxx

Let us know if it worked.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Sorry, I didn't understand your concept.

If I create a class-map to permit MACs and apply it to one of the interfaces, it will work

or

if I deny a MAC in a class-map and apply it to the same interface, it will work.

But both cannot be done at the same time, as one interface will not accept two service policies, I guess...

Thanks,

Jeevan.

Hi,

The first class-map, permitting 2 MAC addresses, is called as a match not in the second class-map, which is the one applied in the policy-map.

So what it does is drop any MAC address which is not in the first class-map, or any HTTP traffic to the hosts configured.

Regards.

Alain

Don't forget to rate helpful posts.
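
The allowlist logic Alain describes above, written out as one complete configuration (an added example, not part of the original posts). The MAC addresses, host pattern, class and policy names and the interface FastEthernet0/0 are constructed placeholders, and `match protocol http host` is assumed to be how the existing website block is written.

```cisco
! Added example. All names and values below are constructed placeholders.
!
! Inner class: the only source MACs allowed through (match-any = logical OR).
class-map match-any MACPERMIT
 match source-address mac 0011.2233.4455
 match source-address mac 0011.2233.4466
!
! Outer class: traffic to drop. With match-any, a packet lands in this
! class when EITHER line matches:
!   - its source MAC is not in MACPERMIT, or
!   - it is an HTTP request to a blocked host (even from a permitted MAC).
class-map match-any BLOCKED
 match not class-map MACPERMIT
 match protocol http host *example.com*
!
! One policy carries both rules, so a single service-policy is enough
! on the interface.
policy-map LAN-FILTER
 class BLOCKED
  drop
!
! The source MAC is checked on received frames, so the policy is attached
! inbound on the LAN-facing Ethernet interface.
interface FastEthernet0/0
 service-policy input LAN-FILTER
!
! Verify from exec mode: per-class match and drop counters.
! show policy-map interface FastEthernet0/0
```

A source MAC is set by the sending host and can be changed there, so this allowlist filters by label rather than authenticating devices. The router also only sees the MAC addresses of hosts on its directly attached segment; traffic forwarded by another router arrives with that router's MAC.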

Hi,

Please guide me on how to block VoIP & SIP & torrents on a Cisco 1841 router...

Thanks,

Jeevan.

Hi,

For torrents:

http://slaptijack.com/networking/controlling-peer-to-peer-p2p-traffic-with-cisco-nbar/

You should be able to do the same for SIP with the match protocol. Adapt to your existing config.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I am able to find these in the class-map:

match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol sip
match protocol vofr

But bittorrent is not available.

Can you let me know how to block any kind of torrent file on the 1841 router?

Thanks,

Jeevan.

Hi,

You should have a PDLM file which supports BitTorrent.

Can you provide the output of sh ip nbar pdlm as well as sh ver | i IOS and sh flash: ?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Version is 12.4

IOS is c1841-ipbase-mz.124-1c.bin

After issuing sh ip nbar pdlm, nothing is displayed.

Moreover, I have issued the following for blocking all online videos, which does not work:

match protocol rtcp
match protocol rtp
match protocol rtsp

Thanks,

Jeevan.
