
Blocking MAC-Address on Cisco Router

abhishek18689
Level 1

Can anyone tell me how to block a particular MAC address on a Cisco 2900 series router? There are a few PCs in the network which I don't want to get into the network anyhow. Can anyone help me out with this?

Regards,

Abhishek

Accepted Solutions

InayathUlla Sharieff
Cisco Employee

Abhishek,

On a Cisco Catalyst switch you can set it up with several security features - make users authenticate (802.1x) or restrict to only pre-defined MAC addresses (port-security).

How to set up these features, and which are available, depends on your switch model. For example, the 3560 setup steps for those features are covered here:

802.1x

port security

HTH

Regards

Inayath


Inayath,

These I can perform on switches. Are there any commands for blocking a MAC address directly from the router? The port-security command will run on switches. It won't run on a router. Can we block a MAC address via the access-list command? Is there any way?

Regards,

Abhishek

Hi,

You can use the bridge-group input-address-list command on your 2900 ISR.

I've checked; the command is supported on newer IOS 15.0.

bridge-group input-address-list  (15.0M)

See the useful link below:

https://www.cisco.com/en/US/docs/ios/bridging/command/reference/br_a1.html#wp1013131

Hello, 

Finally I am able to block MAC addresses on the router. I have tested it and it's working.

class-map match-any unwanted-pc's

match source-address mac aaaa.bbbb.cccc

match source-address mac nnnn.jjjj.dddd

match source-address mac oooo.llll.pppp

!

policy-map block

class unwanted-pc's

drop

!

int gi 0/1

description "LAN Interface"

service-policy input block

!

This will block the defined MAC addresses and allow all other MAC addresses.

Hi, I blocked some MAC addresses using this CLI command.

How do I remove an added MAC address so that it can access the network?

class-map match-any UNWANTED-PCs

match source-address mac aaaa.bbbb.cccc

match source-address mac nnnn.jjjj.dddd

match source-address mac oooo.llll.pppp

!

policy-map block

class UNWANTED-PCs

drop

!

int gi 0/1

description "LAN Interface"

service-policy input block

!

help me ...

With your problem description

"There are few pc's in the network which i dont want to get them into the network anyhow"

the strategy of using the router to block them is the wrong way, because the PCs are already on the network and the blocking has to be done at the entry points, which are the switches.

But if you want to stop them leaving your network on the router by filtering the MAC, you could also use modified QoS-mechanisms:

class-map match-any UNWANTED-PCs

  match source-address mac AAAA.BBBB.CCCC

  match source-address mac DDDD.EEEE.FFFF

!

policy-map IN-POLICY

  class UNWANTED-PCs

   drop

!

int GigabitEthernet0/0

  description LAN-Interface

  service-policy input IN-POLICY


Hi,

I have performed the commands as mentioned by you; it works when I have to block only one MAC address from the router. If I have to block multiple MAC addresses then this QoS mechanism doesn't work. I have uploaded the attachment also. You can check.

 

Regards,

Abhishek

It seems that you have a class map that matches any address above the class-map that should block MAC addresses. Reorder these two classes and it should work.
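
The ordering problem described in the last reply, as an added example that is not part of the original thread: a policy-map is evaluated top-down and the first matching class wins, so a drop class placed below a `match any` class is never reached. This Python check flags that case. The sample config, the class name ALL-TRAFFIC and its `set dscp default` action are constructed for illustration, and the input is assumed to be in `show running-config` layout with indented sub-commands.

```python
import re

# Constructed sample (the poster's attachment is not on the page): a catch-all
# class sits above the MAC-blocking class, so the drop class is never reached.
SAMPLE_CONFIG = """\
class-map match-any ALL-TRAFFIC
 match any
class-map match-any UNWANTED-PCs
 match source-address mac aaaa.bbbb.cccc
 match source-address mac dddd.eeee.ffff
!
policy-map IN-POLICY
 class ALL-TRAFFIC
  set dscp default
 class UNWANTED-PCs
  drop
"""

def parse(config):
    """Return {class-map: (kind, [match lines])}, {policy-map: [(class, [actions])]}."""
    class_maps, policies = {}, {}
    matches = classes = actions = None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if raw[:1] not in ("", " ", "\t"):  # column-0 line starts a new top-level block
            matches = classes = actions = None
            if m := re.match(r"class-map(?: match-(any|all))? (\S+)$", line):
                # IOS defaults to match-all when the keyword is omitted
                _, matches = class_maps.setdefault(m[2], (m[1] or "all", []))
            elif m := re.match(r"policy-map (\S+)$", line):
                classes = policies.setdefault(m[1], [])
        elif matches is not None and line.startswith("match "):
            matches.append(line)
        elif classes is not None and (m := re.match(r"class (\S+)$", line)):
            actions = []
            classes.append((m[1], actions))
        elif actions is not None and line:
            actions.append(line)
    return class_maps, policies

def shadowed_drop_classes(config):
    """Return (policy, drop_class, earlier_catch_all) for every unreachable drop class."""
    class_maps, policies = parse(config)
    findings = []
    for policy, classes in policies.items():
        catch_all = None
        for name, actions in classes:
            if catch_all and "drop" in actions:
                findings.append((policy, name, catch_all))
            kind, matches = class_maps.get(name, ("all", []))
            if "match any" in matches and (kind == "any" or len(matches) == 1):
                catch_all = catch_all or name
    return findings
```

On the sample, `shadowed_drop_classes(SAMPLE_CONFIG)` reports that UNWANTED-PCs in IN-POLICY is shadowed by ALL-TRAFFIC; with the two classes swapped it reports nothing.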