Velocity Reviews > Newsgroups > Computing > Cisco > deny mac-acl on cisco router 25xx
deny mac-acl on cisco router 25xx

david
Guest
Posts: n/a
 
      04-01-2005
hey guys,

i want to deny a user by his own mac address on my router.
I've to replace the acl on my ethernet 0 interface!
what are the ios commands ?
who can show me an example?

thnx 4 all
Walter Roberson
Guest
Posts: n/a
 
      04-01-2005
In article <(E-Mail Removed) >,
david <(E-Mail Removed)> wrote:
:i want to deny a user by his own mac address on my router.
:I've to replace the acl on my ethernet 0 interface!
:what are the ios commands ?

Traditionally, IOS only allowed MAC acls on interfaces that were
in bridging mode, not in routing mode. I suspect that hasn't changed
on any IOS version you are likely to be able to get for a 25xx router.

MAC acls are allowed on some of the layer 2 and layer 3 switches
(e.g., the Cat3750), and possibly now on some routers (I don't
follow IOS that closely.)

You could check to see if you have 802.1x support on your 25xx IOS...
chances are that you do not though, and that you would find the
overhead too high even if you did.
--
This signature intentionally left... Oh, darn!
Peter
Guest
Posts: n/a
 
      04-02-2005
Hi david,

> i want to deny a user by his own mac address on my router.
> I've to replace the acl on my ethernet 0 interface!
> what are the ios commands ?


I had a recent requirement for this myself, however a MAC ACL needs to
be in the range of 700-799, and you may find that you can't apply a
7xx series ACL to an interface when that interface is in Routing mode,
the interface has to be in Bridging mode to be able to accept a MAC ACL.

Because Bridging an Ethernet interface directly to a slower WAN
interface can be severely performance impacting, the solution I used
on a 2600 was to -
1. Enable intelligent Bridging and Routing (bridge irb) on the Router,
2. Create a BVI,
3. Relocate the Ethernet IP address to the BVI,
4. Bridge the Ethernet interface to the BVI,
5. Apply the MAC ACL to the Ethernet (note the command for this is
slightly different to normal Routed ACLs).

This means the Bridge/Ethernet performance is not limited by any WAN
connection, and you can Route directly off the BVI interface, so you
gain the MAC ACL on the Ethernet and lose nothing, except perhaps a
very small performance loss due to the Bridge, but at least the
Bridging runs at full Ethernet speeds. It worked fine for me.

The only other thing that you may need to consider is the platform
performance in doing this. Fortunately I was needing only about 30
Ethernet Ports, but the CPU load did jump up a little bit, still well
within expectations though.

I hope this helps.............pk.
polleke
Guest
Posts: n/a
 
      04-03-2005
On a 2500 series router, it is done like this ...

The topology is a simple switch connected to ethernet 0, having the
networkID 200.0.0.0 / 24
Here I'll block the host called GIGA with ip 200.0.0.120 and MAC
00-10-4b-b4-0f-9d

!
version 12.2
!
bridge irb
!
interface Ethernet0
no ip address
no ip route-cache
no ip mroute-cache
bridge-group 1
no shut
!
interface BVI1
ip address 200.0.0.202 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 address 0010.4bb4.0f9d discard
!
end

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
64 bytes from 200.0.0.202: icmp_seq=1 ttl=255 time=6.88 ms
64 bytes from 200.0.0.202: icmp_seq=2 ttl=255 time=3.30 ms
64 bytes from 200.0.0.202: icmp_seq=3 ttl=255 time=3.41 ms

--- 200.0.0.202 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 3.306/4.533/6.880/1.661 ms

[root@GIGA ~] arp -a
? (200.0.0.202) at 00:00:0C:34:A9:F5 [ether] on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:900:2A:282 [ether] on eth0

[root@GIGA ~] # now blonking the MAC on the 'router' side .....

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
From 200.0.0.120 icmp_seq=9 Destination Host Unreachable
From 200.0.0.120 icmp_seq=10 Destination Host Unreachable
From 200.0.0.120 icmp_seq=11 Destination Host Unreachable

--- 200.0.0.202 ping statistics ---
12 packets transmitted, 0 received, +3 errors, 100% packet loss, time 10998ms, pipe 3

[root@GIGA ~] arp -a
? (200.0.0.202) at <incomplete> on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:900:2A:282 [ether] on eth0

you owe me a beer now

polleke
Guest
Posts: n/a
 
      04-04-2005
On a 2500 series router, it can be done like this ... (original but less
flexible than using access-expressions + access-list 700..799)

The topology in this example is a simple switch connected to ethernet 0,
having the networkID 200.0.0.0 / 24
Here I'll block the host called GIGA with ip 200.0.0.120 and MAC
00-10-4b-b4-0f-9d
The router (gateway) has the IP 200.0.0.202 here.

!
version 12.2
!
bridge irb
!
interface Ethernet0
no ip address
no ip route-cache
no ip mroute-cache
bridge-group 1
no shut
!
interface BVI1
ip address 200.0.0.202 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 address 0010.4bb4.0f9d discard
!
end

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
64 bytes from 200.0.0.202: icmp_seq=1 ttl=255 time=6.88 ms
64 bytes from 200.0.0.202: icmp_seq=2 ttl=255 time=3.30 ms
64 bytes from 200.0.0.202: icmp_seq=3 ttl=255 time=3.41 ms

--- 200.0.0.202 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 3.306/4.533/6.880/1.661 ms

[root@GIGA ~] arp -a
? (200.0.0.202) at 00:00:0C:34:A9:F5 [ether] on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:900:2A:282 [ether] on eth0

[root@GIGA ~] # now blonking the MAC on the 'router' side .....

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
From 200.0.0.120 icmp_seq=9 Destination Host Unreachable
From 200.0.0.120 icmp_seq=10 Destination Host Unreachable
From 200.0.0.120 icmp_seq=11 Destination Host Unreachable

--- 200.0.0.202 ping statistics ---
12 packets transmitted, 0 received, +3 errors, 100% packet loss, time 10998ms, pipe 3

[root@GIGA ~] arp -a
? (200.0.0.202) at <incomplete> on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:900:2A:282 [ether] on eth0

you owe me a beer now

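The recipe in polleke's two posts has two easy-to-miss details: the MAC has to be written in the IOS dotted form (0010.4bb4.0f9d, not 00-10-4b-b4-0f-9d) for the `bridge <n> address ... discard` line, and the IP must have moved off the bridged Ethernet onto the BVI before the bridge-group is applied. The following Python script is an added example, not anything from the thread or from Cisco: it converts a MAC into the dotted form and audits a saved config for those IRB/BVI pieces, using a constructed config modelled on the one above.

```python
import re

# Constructed sample (not a device dump): the IRB/BVI layout the post above describes.
SAMPLE_CONFIG = """bridge irb
!
interface Ethernet0
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 200.0.0.202 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 address 0010.4bb4.0f9d discard
"""

def to_cisco_mac(mac):
    """Turn 00-10-4b-b4-0f-9d or 00:10:4B:B4:0F:9D into the IOS dotted form 0010.4bb4.0f9d."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def audit_irb(config):
    """Check a config for the pieces the recipe needs and list the MACs it discards."""
    lines = [l.strip() for l in config.splitlines()]
    ifaces, groups, cur = {}, {}, None
    for l in lines:
        if l.startswith("interface "):
            cur = l.split(None, 1)[1]
            ifaces[cur] = []
        elif l == "!":
            cur = None
        elif cur is not None:
            ifaces[cur].append(l)
            if l.startswith("bridge-group "):
                groups.setdefault(int(l.split()[1]), []).append(cur)
    problems = []
    if "bridge irb" not in lines:
        problems.append("missing 'bridge irb'")
    for g, members in groups.items():
        if "BVI%d" % g not in ifaces:
            problems.append("bridge-group %d has no interface BVI%d" % (g, g))
        for name in members:
            if any(l.startswith("ip address ") for l in ifaces[name]):
                problems.append("%s is bridged but still carries an IP address" % name)
    blocked = re.findall(r"^bridge (\d+) address (\S+) discard$", "\n".join(lines), re.M)
    return {"blocked": [(int(g), mac) for g, mac in blocked], "problems": problems}
```

The discard entry keys only on the source MAC, so a host that changes its address is no longer matched; treat this as a quick way to isolate one known machine, not as access control.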
r_balest
Junior Member
Join Date: Jul 2007
Posts: 5
 
      07-05-2007
@polleke:
Sorry to disturb, I just tried your method. And it works. Thanks. Anyway, I want to ask you a favor/question.

What if I want to permit only certain mac Address roaming on my network?
For example:
I have the 192.168.9.0/24 subnet connected to a switch and connect the switch to a 2500 router.
Can I do something about it?

Thanks

EDIT: anyway I've tried creating MAC ACL, but seems that I couldn't apply it on any interface.