Re: Blocking a MAC address at the router

---

• From: "ETLALAR" <ecralar@xxxxxxxxxxxxxxxxxx>
• Date: Tue, 29 Nov 2005 20:49:27 -0000

---

> No. The only thing I've come up with, which looks like a reaosnable
> soltuion is mac-address-table static drops.
>
> "To block all traffic to or from the configured MAC address in the
> specified VLAN. "
>
> Router(config)# mac-address-table static mac_address vlan vlan_ID drop
>
> There is a subset of equal rights VLANs that we could predict a laptop
> would move to. We could set DROPs on a few vlans and cover most of the
> networks a MAC might reappear. We could could install these drops on
> 5 routers and cover most of our main location. I also like that these
> are not INTERFACE context commands. So when you do a SHOW CONF all the
> blocks would be displayed together. That makes it easy to audit. And
> it only involves our routers and relies on no other technologies or
> devices.
My 2 cents about this solution:
1) it is currently supported on 2600, 3600, 3700 and 6000 series only:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hlsw_r/lan_a1h.htm#wp1111023
Nothing about support for new 2800/3800 series. 3600s are pretty much EOL.
2) Clever users could change laptop MAC address as well. If You are not
using dynamic VLANs (based on source MAC address) then no amount of policy
could prevent them from doing that.
HTH
Cheers
Alex


.

---

• Follow-Ups:
  • Re: Blocking a MAC address at the router
    • From: DigitalVinyl

• References:
  • Blocking a MAC address at the router
    • From: DigitalVinyl
  • Re: Blocking a MAC address at the router
    • From: Walter Roberson
  • Re: Blocking a MAC address at the router
    • From: DigitalVinyl

• Prev by Date: Cisco Monitoring Software
• Next by Date: Re: cisco 7206 as (B|N)AS and per-user configuration
• Previous by thread: Re: Blocking a MAC address at the router
• Next by thread: Re: Blocking a MAC address at the router
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: arp-proxy ... The reason why I have to proxy-arp mac between VLANs is that one mac ... a broadcast from the service subnet should appear on all customer VLANs ... > a device on the service network, otherwise customers wouldn't be able to ... (freebsd-net) Re: Blocking a MAC address at the router ... We could set DROPs on a few vlans and cover most of the ... >> networks a MAC might reappear. ... We're looking to turn our honeypot report around more regularly and ... block all infected PCs from generating so much useless traffic. ... (comp.dcom.sys.cisco) Re: Bridges ... > The problem is that the current bridge code only considers the MAC ... When VLANs are in use, this is incorrect as ... of good and not-so-good reasons for the same MAC address to appear ... (freebsd-arch) Re: Bridges ... >The problem is that the current bridge code only considers the MAC ... When VLANs are in use, ... >test lab]. ... (freebsd-arch) RE: Router stops routing after changing MAC Address ... I had a situation 2 weeks ago where a customer connected a system to the ... Bigger routers do it too. ... waited literally hours for the routers to finally purge their ARP caches ... There are not any MAC addresses associated with any ... (Linux-Kernel)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

newsgroups.derkeiler.com  > Archive  > Comp  > comp.dcom.sys.cisco  > 2005-11