deny mac-acl on cisco router 25xx

hey guys,

I want to deny a user by his own MAC address on my router. I have to replace the ACL on my Ethernet 0 interface! What are the IOS commands? Who can show me an example?

thnx 4 all

Reply to
david

In article , david wrote:
> i want to deny a user by his own mac address on my router.
> I've to replace the acl on my ethernet 0 interface!
> what are the ios commands ?

Traditionally, IOS only allowed MAC acls on interfaces that were in bridging mode, not in routing mode. I suspect that hasn't changed on any IOS version you are likely to be able to get for a 25xx router.

MAC acls are allowed on some of the layer 2 and layer 3 switches (e.g., the Cat3750), and possibly now on some routers (I don't follow IOS that closely.)

You could check to see if you have 802.1x support on your 25xx IOS... chances are that you do not though, and that you would find the overhead too high even if you did.

Reply to
Walter Roberson

Hi david,

I had a recent requirement for this myself, however a MAC ACL needs to be in the range of 700-799, and you may find that you can't apply a 7xx series ACL to an interface when that interface is in Routing mode; the interface has to be in Bridging mode to be able to accept a MAC ACL.

Because Bridging an Ethernet interface directly to a slower WAN interface can be severely performance impacting, the solution I used on a 2600 was to:

1. Enable intelligent Bridging and Routing (bridge irb) on the Router,
2. Create a BVI,
3. Relocate the Ethernet IP address to the BVI,
4. Bridge the Ethernet interface to the BVI,
5. Apply the MAC ACL to the Ethernet (note the command for this is slightly different to normal Routed ACLs).

This means the Bridge/Ethernet performance is not limited by any WAN connection, and you can Route directly off the BVI interface, so you gain the MAC ACL on the Ethernet and lose nothing, except perhaps a very small performance loss due to the Bridge, but at least the Bridging runs at full Ethernet speeds. It worked fine for me.

The only other thing that you may need to consider is the platform performance in doing this. Fortunately I only needed about 30 Ethernet ports, but the CPU load did jump up a little bit, still well within expectations though.

I hope this helps.............pk.

Reply to
Peter

On a 2500 series router, it is done like this ...

The topology is a simple switch connected to ethernet 0, having the network ID 200.0.0.0/24. Here I'll block the host called GIGA with IP 200.0.0.120 and MAC 00-10-4b-b4-0f-9d.

!
version 12.2
!
bridge irb
!
interface Ethernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 bridge-group 1
 no shut
!
interface BVI1
 ip address 200.0.0.202 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 address 0010.4bb4.0f9d discard
!
end

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
64 bytes from 200.0.0.202: icmp_seq=1 ttl=255 time=6.88 ms
64 bytes from 200.0.0.202: icmp_seq=2 ttl=255 time=3.30 ms
64 bytes from 200.0.0.202: icmp_seq=3 ttl=255 time=3.41 ms

--- 200.0.0.202 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 3.306/4.533/6.880/1.661 ms

[root@GIGA ~] arp -a
? (200.0.0.202) at 00:00:0C:34:A9:F5 [ether] on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

[root@GIGA ~] # now blocking the MAC on the 'router' side .....

[root@GIGA ~] ping 200.0.0.202
PING 200.0.0.202 (200.0.0.202) 56(84) bytes of data.
From 200.0.0.120 icmp_seq=9 Destination Host Unreachable
From 200.0.0.120 icmp_seq=10 Destination Host Unreachable
From 200.0.0.120 icmp_seq=11 Destination Host Unreachable

--- 200.0.0.202 ping statistics ---
12 packets transmitted, 0 received, +3 errors, 100% packet loss, time 10998ms, pipe 3

[root@GIGA ~] arp -a
? (200.0.0.202) at on eth0
? (200.0.0.80) at 00:0E:A6:74:C9:83 [ether] on eth0
? (200.0.0.4) at 00:90:D0:2A:28:D2 [ether] on eth0

You owe me a beer now ;-)

Reply to
polleke

On a 2500 series router, it can be done like this ... (original but less flexible than using access-expressions + access-list 700..799)

The topology in this example is a simple switch connected to ethernet 0, having the network ID 200.0.0.0/24. Here I'll block the host called GIGA with IP 200.0.0.120 and MAC 00-10-4b-b4-0f-9d. The router (gateway) has the IP 200.0.0.202 here.


Reply to
polleke
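A small helper, added here and not posted by anyone in the thread, that renders Peter's five-step IRB/BVI procedure and polleke's configuration for a list of blocked hosts. It converts hyphen- or colon-separated MAC addresses into the dotted form that `bridge <n> address` expects (the thread's 00-10-4b-b4-0f-9d becomes 0010.4bb4.0f9d) and de-duplicates entries given in different notations; the function names are my own.

```python
import re
from ipaddress import IPv4Interface

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def to_cisco_mac(mac: str) -> str:
    """Normalize 00-10-4b-b4-0f-9d / 00:10:4B:B4:0F:9D / 0010.4bb4.0f9d
    to Cisco dotted form (hhhh.hhhh.hhhh), the notation IOS uses for
    `bridge <group> address <mac> discard`."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def irb_mac_block_config(bridge_group, eth_if, bvi_cidr, blocked_macs):
    """Render the IRB/BVI configuration from the thread: the Ethernet
    interface joins the bridge group, the IP address moves to the BVI,
    and each blocked MAC gets a static 'discard' bridge-table entry."""
    if not 1 <= bridge_group <= 255:          # IOS bridge-group range
        raise ValueError("bridge-group must be 1..255")
    bvi = IPv4Interface(bvi_cidr)             # e.g. "200.0.0.202/24"
    lines = [
        "bridge irb",
        "!",
        f"interface {eth_if}",
        " no ip address",
        " no ip route-cache",
        " no ip mroute-cache",
        f" bridge-group {bridge_group}",
        " no shutdown",
        "!",
        f"interface BVI{bridge_group}",       # BVI number = bridge group
        f" ip address {bvi.ip} {bvi.netmask}",
        "!",
        f"bridge {bridge_group} protocol ieee",
        f"bridge {bridge_group} route ip",
    ]
    seen = set()
    for mac in blocked_macs:
        cmac = to_cisco_mac(mac)
        if cmac in seen:                      # same host, different notation
            continue
        seen.add(cmac)
        lines.append(f"bridge {bridge_group} address {cmac} discard")
    lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample input: the GIGA host from the thread.
    print(irb_mac_block_config(1, "Ethernet0", "200.0.0.202/24",
                               ["00-10-4b-b4-0f-9d"]))
```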
