08-26-2013 11:10 PM - edited 03-07-2019 03:08 PM
Can anyone tell me how to block a particular MAC address on a Cisco 2900 series router? There are a few PCs in the network which I don't want to get into the network anyhow. Can anyone help me out with this?
Regards,
Abhishek
Accepted Solutions
08-26-2013 11:22 PM
Abhishek,
On a Cisco Catalyst switch you can set it up with several security features: make users authenticate (802.1X) or restrict access to only pre-defined MAC addresses (port-security).
How to set up these features, and which are available, depends on your switch model. For example, 3560 setup steps for those features are covered here:
HTH
Regards
Inayath
08-26-2013 11:33 PM
Inayath,
These I can perform on switches. Are there any commands for blocking a MAC address directly from the router? The port-security command will run on switches. It won't run on a router. Can we block a MAC address via the access-list command? Is there any way?
Regards,
Abhishek
08-27-2013 12:08 AM
Hi,
You can use the bridge-group input-address-list command on your 2900 ISR.
I've checked: the command is supported on newer IOS 15.0.
bridge-group input-address-list (15.0M)
See the useful link below:
https://www.cisco.com/en/US/docs/ios/bridging/command/reference/br_a1.html#wp1013131
12-13-2014 10:39 PM
Hello,
Finally I am able to block MAC addresses on the router. I have tested it and it's working.
class-map match-any unwanted-pc's
 match source-address mac aaaa.bbbb.cccc
 match source-address mac nnnn.jjjj.dddd
 match source-address mac oooo.llll.pppp
!
policy-map block
 class unwanted-pc's
  drop
!
int gi 0/1
 description "LAN Interface"
 service-policy input block
!
This will block the defined MAC addresses and allow all other MAC addresses.
01-19-2017 06:45 AM
Hi, I blocked some MAC addresses using this CLI command.
How do I remove an added MAC address so it can access the network?
class-map match-any UNWANTED-PCs
 match source-address mac aaaa.bbbb.cccc
 match source-address mac nnnn.jjjj.dddd
 match source-address mac oooo.llll.pppp
!
policy-map block
 class UNWANTED-PCs
  drop
!
int gi 0/1
 description "LAN Interface"
 service-policy input block
!
Help me ...
08-27-2013 12:25 AM
With your problem-description
"There are a few PCs in the network which I don't want to get into the network anyhow"
the strategy of using the router to block them is the wrong way because the PCs are already on the network and the blocking has to be done at the entry-points which are the switches.
But if you want to stop them leaving your network on the router by filtering the MAC, you could also use modified QoS-mechanisms:
class-map match-any UNWANTED-PCs
 match source-address mac AAAA.BBBB.CCCC
 match source-address mac DDDD.EEEE.FFFF
!
policy-map IN-POLICY
 class UNWANTED-PCs
  drop
!
int GigabitEthernet0/0
 description LAN-Interface
 service-policy input IN-POLICY
11-19-2014 05:12 AM
Hi,
I have performed the commands as mentioned by you. It works when I have to block only one MAC address from the router. If I have to block multiple MAC addresses then this QoS mechanism doesn't work. I have uploaded the attachment also. You can check.
Regards,
Abhishek
11-19-2014 08:31 AM
It seems that you have a class map that matches any address above the class-map that should block MAC addresses. Reorder these two classes and it should work.
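
The reordering advice in the last reply follows from how a policy-map is evaluated: a packet is handled by the first class it matches, so a catch-all class listed above the MAC drop class keeps the drop from ever applying. The Python check below is an added example, not code from the thread or from Cisco; the sample configuration, the class name ALL-TRAFFIC and the function names are constructed, and it assumes the indentation of `show running-config` output.

```python
# Constructed sample (not from the thread): a catch-all class above the MAC drop class.
SAMPLE_CONFIG = """\
class-map match-any ALL-TRAFFIC
 match any
class-map match-any UNWANTED-PCs
 match source-address mac aaaa.bbbb.cccc
 match source-address mac dddd.eeee.ffff
!
policy-map IN-POLICY
 class ALL-TRAFFIC
  set dscp default
 class UNWANTED-PCs
  drop
"""

def parse(config):
    """Return ({class-map: (mode, [matches])}, {policy-map: [(class, [actions])]})."""
    class_maps, policy_maps = {}, {}
    matches = classes = None                  # list currently being filled
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        words = raw.split()
        if not raw[0].isspace():              # unindented line starts a new block
            matches = classes = None
            if words[0] == "class-map":
                mode = words[1] if len(words) == 3 else "match-all"   # IOS default
                matches = class_maps.setdefault(words[-1], (mode, []))[1]
            elif words[0] == "policy-map":
                classes = policy_maps.setdefault(words[-1], [])
        elif words[0] == "match" and matches is not None:
            matches.append(" ".join(words[1:]))
        elif words[0] == "class" and classes is not None:
            classes.append((words[1], []))
        elif classes:                         # action line under the current class
            classes[-1][1].append(" ".join(words))
    return class_maps, policy_maps

def shadowed_drop_classes(config):
    """Return (policy, drop class, earlier catch-all class) for each shadowed drop."""
    class_maps, policy_maps = parse(config)
    findings = []
    for policy, classes in policy_maps.items():
        catch_all = None
        for name, actions in classes:
            if catch_all and "drop" in actions:
                findings.append((policy, name, catch_all))
            mode, matches = class_maps.get(name, ("match-all", []))
            if matches == ["any"] or (mode == "match-any" and "any" in matches):
                catch_all = catch_all or name
    return findings
```

For the sample, shadowed_drop_classes(SAMPLE_CONFIG) returns [('IN-POLICY', 'UNWANTED-PCs', 'ALL-TRAFFIC')]; with the two classes swapped in the policy-map it returns an empty list.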
