Re: Blocking a MAC address at the router



"ETLALAR" <ecralar@xxxxxxxxxxxxxxxxxx> wrote:

>> No. The only thing I've come up with, which looks like a reasonable
>> solution is mac-address-table static drops.
>>
>> "To block all traffic to or from the configured MAC address in the
>> specified VLAN. "
>>
>> Router(config)# mac-address-table static mac_address vlan vlan_ID drop
>>
>> There is a subset of equal rights VLANs that we could predict a laptop
>> would move to. We could set DROPs on a few vlans and cover most of the
>> networks a MAC might reappear. We could install these drops on
>> 5 routers and cover most of our main location. I also like that these
>> are not INTERFACE context commands. So when you do a SHOW CONF all the
>> blocks would be displayed together. That makes it easy to audit. And
>> it only involves our routers and relies on no other technologies or
>> devices.
>My 2 cents about this solution:
>1) it is currently supported on 2600, 3600, 3700 and 6000 series only:
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hlsw_r/lan_a1h.htm#wp1111023
>Nothing about support for new 2800/3800 series. 3600s are pretty much EOL.
>2) Clever users could change laptop MAC address as well. If You are not
>using dynamic VLANs (based on source MAC address) then no amount of policy
>could prevent them from doing that.
>HTH

Thanks, I didn't even think about the fact that the feature wouldn't
be supported on other hardware. 4 of the 5 target routers are 6509s.
The fifth is a 5509--have to see about that. Every problem machine on
the internal network has been infected, and not a real hacker doing
port/IP scanning. Most users don't even know what a MAC is, never mind
that changing it will get around this block.

We're looking to turn our honeypot report around more regularly and
block all infected PCs from generating so much useless traffic. If
they did change their MAC they would show up in the honeypot again and
could be blocked repeatedly.

Thanks.

>Cheers
>Alex
>

DiGiTAL_ViNYL (no email)
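The workflow the thread sketches (take the MACs from the honeypot report, install a `mac-address-table static ... drop` for each on every VLAN the laptop could reappear in, and audit the result from `show conf`) is easy to script. The block below is an added example written for this page, not code from anyone in the thread. The honeypot report format, the running-config excerpt and the VLAN list are all constructed sample data; the only real thing it relies on is the IOS command syntax already quoted above.

```python
"""Generate and audit IOS `mac-address-table static <mac> vlan <id> drop` lines.

Added example, not from the original thread. The report format, the
running-config excerpt and the VLAN list below are constructed samples.
"""
import re

# Constructed honeypot report: date time source-ip mac hit-count.
HONEYPOT_REPORT = """\
# constructed sample report
2006-03-01 08:12 10.20.30.41 00:11:22:AA:BB:CC 412
2006-03-01 08:13 10.20.31.17 0011.22dd.eeff 97
2006-03-01 08:15 10.20.30.41 00:11:22:AA:BB:CC 9
"""

# Constructed `show running-config` excerpt from one of the target routers.
RUNNING_CONFIG = """\
!
mac-address-table static 0011.22aa.bbcc vlan 10 drop
mac-address-table static 0011.22aa.bbcc vlan 20 drop
mac-address-table static 00aa.bbcc.dd01 vlan 10 drop
!
"""

# Constructed: the "equal rights" VLANs a laptop is expected to move between.
VLANS = [10, 20]

# Matches both colon/dash-separated and Cisco dotted MAC notation.
MAC_RE = re.compile(
    r"(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}|(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}"
)
NON_HEX = re.compile(r"[^0-9a-fA-F]")
DROP_RE = re.compile(r"^\s*mac-address-table static (\S+) vlan (\d+) drop\s*$", re.M)


def to_cisco_mac(mac: str) -> str:
    """Normalize any common MAC notation to the hhhh.hhhh.hhhh form IOS expects."""
    digits = NON_HEX.sub("", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def report_macs(report: str) -> list[str]:
    """Extract MACs from the report, de-duplicated, in order of first appearance."""
    seen: dict[str, None] = {}
    for line in report.splitlines():
        if line.startswith("#"):
            continue
        for mac in MAC_RE.findall(line):
            seen.setdefault(mac, None)
    return list(seen)


def drop_lines(macs, vlans, remove: bool = False) -> list[str]:
    """Global-config lines to install (or, with remove=True, to withdraw)."""
    prefix = "no " if remove else ""
    lines = {
        f"{prefix}mac-address-table static {to_cisco_mac(m)} vlan {v} drop"
        for m in macs
        for v in vlans
    }
    return sorted(lines)


def configured_drops(running_config: str) -> set[tuple[str, int]]:
    """Parse the (mac, vlan) drop entries already present in a running config."""
    return {(m.lower(), int(v)) for m, v in DROP_RE.findall(running_config)}


def audit(running_config: str, infected_macs, vlans):
    """Return (missing, stale): entries still to add, and entries no longer on the report."""
    wanted = {(to_cisco_mac(m), v) for m in infected_macs for v in vlans}
    have = configured_drops(running_config)
    return sorted(wanted - have), sorted(have - wanted)


if __name__ == "__main__":
    macs = report_macs(HONEYPOT_REPORT)
    missing, stale = audit(RUNNING_CONFIG, macs, VLANS)
    print("! add:")
    for line in drop_lines([m for m, _ in missing], VLANS):
        print(line)
    print("! stale (review before removing):")
    for mac, vlan in stale:
        print(f"no mac-address-table static {mac} vlan {vlan} drop")
```

The audit half is the part worth keeping: because these are global-config commands, a `show running-config | include mac-address-table static` from each router can be fed straight into `audit()` to see which MACs are blocked where, and which blocks are left over from an earlier report. Newer IOS trains spell the command `mac address-table` (no hyphen); adjust the two templates if your routers run one.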


