Block MAC-Address on a 2851 Router?

Hello,

Is it possible to block a given MAC address on a 2851 router (IOS 12.4)? If so, how?

Regards, Christoph Gartmann


Hi Christoph,

Yes, you can block a MAC on a Router using ACLs; however, there are requirements and side effects that you need to be aware of... ;-) It all comes down to what device TYPE (Switch, Router, Layer 3 Switch, etc.) you are trying to do this on. I am assuming you are using a Full Router and not a Layer 3 Switch, where the method is likely to be different.

A MAC is a Layer 2 construction, so while you can build a MAC ACL (type 700), you can only APPLY that ACL to an interface that is operating in Layer 2 mode. By default, all Router ports are Layer 3 ports, and so won't natively take a type 700 ACL. You first need to drop the interface down to Layer 2 by putting that PORT into BRIDGE (Layer 2) mode. The negative thing about BRIDGE mode is that all segments are then forced to operate at the speed of the slowest segment, so here you find the use of the BVI (Bridged Virtual Interface) very useful, allowing you to Route off the MAC ACL segment...

I needed to add MAC security to a 2600, so I:

1. Defined a Bridge Group.
2. Configured a BVI for that Bridge Group to take the Layer 3 properties for the segment.
3. Then added the Physical interface to that Bridge Group.
4. Then applied the MAC ACL to the PHYSICAL interface.

Note that it uses a special form of the command to add the MAC ACL.

This method allows the use of MAC ACLs but also allows the Bridged interface to operate at full speed and not the speed of the Bridged WAN segment (as in my case).

I hope this helps. pk.

Reply to
Peter
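
The four steps from the reply above, written out as an IOS configuration. This is an added example, not part of the original post: the bridge group number, interface name, MAC address and IP addressing are constructed placeholders, and the global `bridge irb` / `bridge 1 route ip` lines are assumed here because a BVI needs integrated routing and bridging enabled.

```cisco
! Added example: all names and addresses below are constructed placeholders.
!
! Enable integrated routing and bridging so a BVI can route for the bridge group.
bridge irb
!
! Step 1: define the bridge group and let IP be routed through its BVI.
bridge 1 protocol ieee
bridge 1 route ip
!
! Type 700 (48-bit MAC address) ACL.
! Mask bits set to 1 are "don't care": an all-zero mask matches one exact MAC,
! an all-ones mask matches any MAC.
access-list 700 deny   0000.5e00.5301 0000.0000.0000
! Without this line the implicit deny at the end would drop every frame.
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!
! Step 2: the BVI carries the Layer 3 properties of the segment.
! Its number must match the bridge group number.
interface BVI1
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Steps 3 and 4: move the physical port to Layer 2 by joining the bridge group,
! then filter on source MAC for frames received on this port.
interface GigabitEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
 no shutdown
```

Hosts on the segment use the BVI address as their gateway. `show access-lists 700` and `show bridge 1` confirm that the list and the bridge group are in place.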
