Re: Blocking a MAC address at the router
- From: "ETLALAR" <ecralar@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Nov 2005 16:05:40 -0000
Small correction to my previous post:
MAC access-lists 700-799 and 1100-1199 on routers work only on
bridge-groups, not BVI interfaces (with "bridge irb" configured).
One has to have BVI interfaces to route IP, though.
regards
Alex
"ETLALAR" <ecralar@xxxxxxxxxxxxxxxxxx> wrote in message
news:dmhtch$s3b$1@xxxxxxxxxxxxxxxxxxxxxxxxx
> AFAIK, MAC access-lists 700-799 and 1100-1199 on routers work only on BVI
> interfaces (with "bridge irb" configured).
> How about using 802.1x authentication and forcing the switchport into
> "force-unauthorised" state or changing password on RADIUS and then
> requesting client to reauthenticate?
> You have to know the switchport, though.
> Another way of doing that is to change 802.1x reauthentication timeout to be
> really short (5 mins?) and then you don't have to force client to
> reauthenticate. All you need then is to change password on RADIUS and in 5
> mins max the client will be off-air.
> HTH
> Cheers
> Alex
> --
>
> "DigitalVinyl" <DigitalVinyl@xxxxxxxxxxxx> wrote in message
> news:jtqoo1djarvcqau1ubea18opckihr2m8dr@xxxxxxxxxx
> > Anybody have a simple method for blocking a MAC address or (less
> > effective) an IP address? We don't want to amend ACLs because laptop
> > can move from network to network.
> >
> > Basically I'm looking for the simplest method for blocking
> > virus/worm/trojan/spyware infected PCs. We have a honeypot log that
> > tells us the IP address but it is time consuming to track the PC down,
> > both logically on the switches and then dispatching desktop support to
> > track down the person/laptop and fix them.
> >
> > I'd prefer to block the MAC addresses at the three major routing nodes
> > and eliminate their ability to use the network. This would protect us
> > and force them to contact tech services. Our major routing nodes host
> > the routing interfaces on most of the networks. So if I can block the
> > MACs there it will work fairly well. We have too many switches (200+)
> > to do anything there.
> >
> >
> > Thanks for any suggestions.
> >
> >
> > DiGiTAL_ViNYL (no email)
>
>
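
The two approaches discussed in this thread, sketched as an added Cisco IOS configuration example that is not part of any poster's message. Interface names, the bridge-group number, the IP address and the MAC address (a documentation value) are assumptions, and exact command syntax varies by platform and IOS release.

```cisco
! --- Router: MAC ACL applied to a bridge-group member, IP routed via BVI ---
! Constructed values: 0000.5e00.5301 and 192.0.2.1 are documentation addresses.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Standard MAC access-list (700-799): deny one source MAC, permit the rest.
access-list 700 deny   0000.5e00.5301 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 ! The filter is attached to the bridged interface, not to the BVI.
 bridge-group 1 input-address-list 700
!
interface BVI1
 ! The BVI carries the routed IP address for the bridge-group.
 ip address 192.0.2.1 255.255.255.0
!
! --- Switch: 802.1x, option A: lock a known port immediately ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/5
 switchport mode access
 dot1x port-control force-unauthorized
!
! --- Switch: 802.1x, option B: short reauthentication period ---
! After the RADIUS credential is changed, the client fails its next
! reauthentication, at most 300 seconds (5 minutes) later.
interface FastEthernet0/6
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 300
```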