Re: Block MAC-Address on a 2851 Router?



Hi Christoph,

> is it possible to block a given MAC-address on a 2851 router (IOS 12.4)? If so,
> how?

Yes, you can block a MAC on a Router using ACLs, however there are
requirements and side effects that you need to be aware of... ;-) It
all comes down to what device TYPE (Switch, Router, Layer 3 Switch,
etc) you are trying to do this on. I am assuming you are using a Full
Router and not a Layer 3 Switch, where the method is likely to be
different.

A MAC is a Layer 2 construction, so while you can build a MAC ACL
(type 700) you can only APPLY that ACL to an interface that is
operating in Layer 2 mode. By default, all Router ports are Layer 3
ports, and so won't natively take a type 700 ACL. You first need to
drop the interface down to Layer 2 by putting that PORT into BRIDGE
(Layer 2) mode first. The negative thing about BRIDGE mode is that all
segments are then forced to operate at the speed of the slowest
segment, so here you find the use of the BVI (Bridged Virtual
Interface) very useful, allowing you to Route off the MAC ACL
segment....

I needed to add MAC security to a 2600 so I -
1. Defined a Bridge Group.
2. Configured a BVI for that Bridge Group to take the Layer 3
properties for the segment,
3. Then added the Physical interface to that Bridge Group.
4. I then applied the MAC ACL to the PHYSICAL interface. Note that
it uses a special form of the command to add the MAC ACL.

This method allows the use of MAC ACLs but also allows the Bridged
interface to operate at full speed and not the speed of the Bridged
WAN segment (as in my case).

I hope this helps................pk.


--
Peter from Auckland.
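
The four steps in the post above, written out as an added Cisco IOS configuration example (not part of the original post and not the poster's own configuration). The bridge group number, interface name, IP address and MAC address are assumptions chosen for illustration; the `bridge-group ... input-address-list` line is the interface command form used for type 700 lists.

```cisco
! Added example. Assumed values, none taken from the post:
!   bridge group 1, interface FastEthernet0/0,
!   192.0.2.1/24 (documentation range), MAC 0000.5e00.5301 (documentation range)
!
! Enable integrated routing and bridging so a BVI can route for the bridge group.
bridge irb
!
! Step 1: define the bridge group and let IP be routed through its BVI.
bridge 1 protocol ieee
bridge 1 route ip
!
! MAC ACL (type 700): each entry is an address followed by a wildcard mask.
! A mask of 0000.0000.0000 matches exactly this one address.
! The final permit is required because the list ends with an implicit deny.
access-list 700 deny   0000.5e00.5301 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!
! Step 2: the BVI takes over the Layer 3 properties of the segment.
interface BVI1
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Step 3: move the physical port into the bridge group (Layer 2, no IP address).
! Step 4: apply the MAC ACL to the PHYSICAL interface, filtering on source MAC
!         of frames received on this port.
interface FastEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
 no shutdown
```

After applying it, `show access-lists 700` displays the list as configured and `show bridge 1` shows the bridge group's forwarding table.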