deny mac-acl on cisco router 25xx

Discussion in 'Cisco' started by david, Apr 1, 2005.

  1. david

    david Guest

    hey guys,

    I want to deny a user by his own MAC address on my router.
    I've to replace the ACL on my ethernet 0 interface!
    What are the IOS commands?
    Who can show me an example?

    thnx 4 all
     
    david, Apr 1, 2005
    #1

  2. In article <>,
    david <> wrote:
    :I want to deny a user by his own MAC address on my router.
    :I've to replace the ACL on my ethernet 0 interface!
    :What are the IOS commands?

    Traditionally, IOS only allowed MAC acls on interfaces that were
    in bridging mode, not in routing mode. I suspect that hasn't changed
    on any IOS version you are likely to be able to get for a 25xx router.

    MAC acls are allowed on some of the layer 2 and layer 3 switches
    (e.g., the Cat3750), and possibly now on some routers (I don't
    follow IOS that closely.)

    You could check to see if you have 802.1x support on your 25xx IOS...
    chances are that you do not though, and that you would find the
    overhead too high even if you did.
    --
    This signature intentionally left... Oh, darn!
     
    Walter Roberson, Apr 1, 2005
    #2

  3. david

    Peter Guest

    Hi david,

    > I want to deny a user by his own MAC address on my router.
    > I've to replace the ACL on my ethernet 0 interface!
    > What are the IOS commands?


    I had a recent requirement for this myself, however a MAC ACL needs to
    be in the range of 700-799, and you may find that you can't apply a
    7xx series ACL to an interface when that interface is in Routing mode,
    the interface has to be in Bridging mode to be able to accept a MAC ACL.

    Because Bridging an Ethernet interface directly to a slower WAN
    interface can be severely performance impacting, the solution I used
    on a 2600 was to -
    1. Enable intelligent Bridging and Routing (bridge irb) on the Router,
    2. Create a BVI,
    3. Relocate the Ethernet IP address to the BVI,
    4. Bridge the Ethernet interface to the BVI,
    5. Apply the MAC ACL to the Ethernet (note the command for this is
    slightly different to normal Routed ACLs).

    This means the Bridge/Ethernet performance is not limited by any WAN
    connection, and you can Route directly off the BVI interface, so you
    gain the MAC ACL on the Ethernet and lose nothing, except perhaps a
    very small performance loss due to the Bridge, but at least the
    Bridging runs at full Ethernet speeds. It worked fine for me.

    The only other thing that you may need to consider is the platform
    performance in doing this. Fortunately I was needing only about 30
    Ethernet Ports, but the CPU load did jump up a little bit, still well
    within expectations though.

    I hope this helps.............pk.
     
    Peter, Apr 2, 2005
    #3
  4. david

    polleke Guest

    On a 2500 series router, it is done like this ...

    The topology is a simple switch connected to ethernet 0, having the
    network ID 200.0.0.0/24.
    Here I'll block the host called GIGA with IP 200.0.0.120 and MAC
    00-10-4b-b4-0f-9d.

    !
    version 12.2
    !
    bridge irb
    !
    interface Ethernet0
    no ip address
    no ip route-cache
    no ip mroute-cache
    bridge-group 1
    no shut
    !
    interface BVI1
    ip address 200.0.0.202 255.255.255.0
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 1 address 0010.4bb4.0f9d discard
    !
    end

    [root@GIGA ~] ping 200.0.0.202
    PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
    64 bytes from 200.0.0.202: icmp_seq=1 ttl=255 time=6.88 ms
    64 bytes from 200.0.0.202: icmp_seq=2 ttl=255 time=3.30 ms
    64 bytes from 200.0.0.202: icmp_seq=3 ttl=255 time=3.41 ms

    --- 200.0.0.202 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2001ms
    rtt min/avg/max/mdev = 3.306/4.533/6.880/1.661 ms

    [root@GIGA ~] arp -a
    ? (200.0.0.202) at 00:00:0C:34:A9:F5 [ether] on eth0
    ? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
    ? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

    [root@GIGA ~] # now blonking the MAC on the 'router' side .....

    [root@GIGA ~] ping 200.0.0.202
    PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
    From 200.0.0.120 icmp_seq=9 Destination Host Unreachable
    From 200.0.0.120 icmp_seq=10 Destination Host Unreachable
    From 200.0.0.120 icmp_seq=11 Destination Host Unreachable

    --- 200.0.0.202 ping statistics ---
    12 packets transmitted, 0 received, +3 errors, 100% packet loss, time 10998ms, pipe 3

    [root@GIGA ~] arp -a
    ? (200.0.0.202) at <incomplete> on eth0
    ? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
    ? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

    you owe me a beer now ;-)

    "david" <> wrote in message
    news:...
    > hey guys,
    >
    > I want to deny a user by his own MAC address on my router.
    > I've to replace the ACL on my ethernet 0 interface!
    > What are the IOS commands?
    > Who can show me an example?
    >
    > thnx 4 all
     
    polleke, Apr 3, 2005
    #4
  5. david

    polleke Guest

    On a 2500 series router, it can be done like this ... (original but less
    flexible than using access-expressions + access-list 700..799)

    The topology in this example is a simple switch connected to ethernet 0,
    having the network ID 200.0.0.0/24.
    Here I'll block the host called GIGA with IP 200.0.0.120 and MAC
    00-10-4b-b4-0f-9d.
    The router (gateway) has the IP 200.0.0.202 here.

    !
    version 12.2
    !
    bridge irb
    !
    interface Ethernet0
    no ip address
    no ip route-cache
    no ip mroute-cache
    bridge-group 1
    no shut
    !
    interface BVI1
    ip address 200.0.0.202 255.255.255.0
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 1 address 0010.4bb4.0f9d discard
    !
    end

    [root@GIGA ~] ping 200.0.0.202
    PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
    64 bytes from 200.0.0.202: icmp_seq=1 ttl=255 time=6.88 ms
    64 bytes from 200.0.0.202: icmp_seq=2 ttl=255 time=3.30 ms
    64 bytes from 200.0.0.202: icmp_seq=3 ttl=255 time=3.41 ms

    --- 200.0.0.202 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2001ms
    rtt min/avg/max/mdev = 3.306/4.533/6.880/1.661 ms

    [root@GIGA ~] arp -a
    ? (200.0.0.202) at 00:00:0C:34:A9:F5 [ether] on eth0
    ? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
    ? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

    [root@GIGA ~] # now blonking the MAC on the 'router' side .....

    [root@GIGA ~] ping 200.0.0.202
    PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
    From 200.0.0.120 icmp_seq=9 Destination Host Unreachable
    From 200.0.0.120 icmp_seq=10 Destination Host Unreachable
    From 200.0.0.120 icmp_seq=11 Destination Host Unreachable

    --- 200.0.0.202 ping statistics ---
    12 packets transmitted, 0 received, +3 errors, 100% packet loss, time 10998ms, pipe 3

    [root@GIGA ~] arp -a
    ? (200.0.0.202) at <incomplete> on eth0
    ? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
    ? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

    you owe me a beer now ;-)

    "david" <> wrote in message
    news:...
    > hey guys,
    >
    > I want to deny a user by his own MAC address on my router.
    > I've to replace the ACL on my ethernet 0 interface!
    > What are the IOS commands?
    > Who can show me an example?
    >
    > thnx 4 all
     
    polleke, Apr 4, 2005
    #5
  6. david

    r_balest

    @polleke:
    Sorry to disturb, I just tried your method, and it works. Thanks. Anyway, I want to ask you a favor/question.

    What if I want to permit only certain MAC addresses roaming on my network?
    For example:
    I have the 192.168.9.0/24 subnet connected to a switch and connect the switch to a 2500 router.
    Can I do something about it?

    Thanks

    EDIT: Anyway, I've tried creating a MAC ACL, but it seems that I couldn't apply it on any interface.
     
    Last edited: Jul 5, 2007
    r_balest, Jul 5, 2007
    #6
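An added model, not from any poster or from Cisco, of the two filtering forms this thread touches: polleke's static `bridge 1 address ... discard` deny entry (post #4/#5) and the allow-list r_balest asks about in #6. The allow-list form assumes the 700-series MAC ACL plus `bridge-group N input-address-list` syntax that polleke only alludes to; `to_cisco_mac`, `source_forwarded` and the other names are this example's own, and only the source-MAC decision of the bridge is modelled.

```python
import re

def to_cisco_mac(mac: str) -> str:
    """Normalise 00-10-4b-b4-0f-9d, 00:10:4B:B4:0F:9D or 0010.4bb4.0f9d to hhhh.hhhh.hhhh."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def mac_to_int(mac: str) -> int:
    return int(to_cisco_mac(mac).replace(".", ""), 16)

def deny_list_config(group: int, denied: list[str]) -> list[str]:
    """Static discard entries: the form the thread uses (bridge 1 address ... discard)."""
    return [f"bridge {group} address {to_cisco_mac(m)} discard" for m in denied]

def allow_list_config(group: int, acl: int, allowed: list[str]) -> list[str]:
    """Assumed IOS form for an allow-list: a 700-series MAC ACL (mask bits set
    to 1 are 'don't care') bound to the bridge-group as an input-address-list.
    The trailing deny makes the implicit deny at the end of the list explicit."""
    lines = [f"access-list {acl} permit {to_cisco_mac(m)} 0000.0000.0000" for m in allowed]
    lines.append(f"access-list {acl} deny 0000.0000.0000 ffff.ffff.ffff")
    lines += ["interface Ethernet0", f" bridge-group {group} input-address-list {acl}"]
    return lines

def source_forwarded(src_mac: str, config: list[str]) -> bool:
    """Model the source-MAC decision for a frame entering Ethernet0 (constructed
    model): static discard entries win first, then the bound 700-series ACL is
    walked in order, first match decides, and no match means deny."""
    src = mac_to_int(src_mac)
    acl_bound = None
    for line in config:
        m = re.match(r"bridge \d+ address (\S+) discard", line)
        if m and mac_to_int(m.group(1)) == src:
            return False
        m = re.match(r"\s*bridge-group \d+ input-address-list (\d+)", line)
        if m:
            acl_bound = m.group(1)
    if acl_bound is None:
        return True  # no ACL bound: the bridge forwards anything not discarded
    for line in config:
        m = re.match(rf"access-list {acl_bound} (permit|deny) (\S+) (\S+)", line)
        if m and (mac_to_int(m.group(2)) ^ src) & ~mac_to_int(m.group(3)) == 0:
            return m.group(1) == "permit"
    return False
```

With polleke's deny entry, a frame sourced from GIGA's MAC is dropped while the other hosts from the `arp -a` output still pass; with the allow-list, only the listed MACs pass.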
