Cisco Support Community

New Member

Need to figure out how to block a MAC address

Hello all,

 

I am trying to block a certain MAC address from either getting an IP via DHCP, or if not possible from accessing the network.  I have remote locations with Cisco routers, but not all of them have Cisco switches.  What I am finding is that some people are plugging in their personal laptops and devices to the network.  Since I have caught them and obtained the MAC address from the DHCP bindings, I am wanting to put in some kind of rule to block them.  I have asked them, but they blatantly disregard me.  If I have something in the router, they can't get around that.  I tried to create an access-list 700 to block the mac, but that didn't seem to work.  I have tried this on a Cisco 1841, 1921, and 2901 and it did not work.  Any pointers on how to block a particular MAC address, or a few from doing anything with a Cisco router running the location but without a Cisco Switch is greatly appreciated.

 

Thank you,

 

David

8 REPLIES
Hall of Fame Super Silver

Short of having a full-blown network access control system like Cisco ISE, it's much easier to do this on your DHCP server but whether or not you can do that depends on the type of server you are using.

New Member

I'm using the Cisco Router itself as the DHCP server.

Hall of Fame Super Silver

You can't exclude a MAC address directly per se on the IOS DHCP server.

You might be able to achieve your goal by giving it a manual binding on an invalid subnet - essentially "black holing" the host.

Link for configuring manual binding.

New Member

That worked.  I didn't even think of trying to Black Hole them.   Thank You.

New Member

OK, I thought it worked but it appears to not have.

172.16.101.1        01c8.3a35.21be.28       Infinite                Manual
192.168.15.30       0100.1e0b.8239.cf       Infinite                Manual
192.168.15.31       0010.1f29.db84.0d       Infinite                Manual
192.168.15.150      01c8.3a35.21be.28       Oct 14 2014 01:55 AM    Automatic
192.168.15.151      0100.1f29.db84.0d       Oct 14 2014 12:35 AM    Automatic
192.168.15.152      0100.e0bb.2631.2c       Oct 14 2014 10:21 AM    Automatic

 

I created the black hole of the 172 address, but it still got a working IP address of 192.168.15.150.  How could it still get a valid IP? 

 

Hall of Fame Super Silver

Let him have a 192.168.15.x address but blackhole that /32. i.e.:

ip route 192.168.15.150 255.255.255.255 null0
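
An added example, not part of the original thread: a Python check that reads the DHCP binding rows posted above, finds blocked MAC addresses that still hold an Automatic lease, and prints the matching /32 null routes in the form suggested in this reply. It assumes the Ethernet client-identifier is `01` followed by the MAC, as in the rows above; the function names are illustrative.

```python
import re

# Sample input: the binding rows quoted earlier in the thread.
BINDINGS = """\
172.16.101.1        01c8.3a35.21be.28       Infinite                Manual
192.168.15.30       0100.1e0b.8239.cf       Infinite                Manual
192.168.15.31       0010.1f29.db84.0d       Infinite                Manual
192.168.15.150      01c8.3a35.21be.28       Oct 14 2014 01:55 AM    Automatic
192.168.15.151      0100.1f29.db84.0d       Oct 14 2014 12:35 AM    Automatic
192.168.15.152      0100.e0bb.2631.2c       Oct 14 2014 10:21 AM    Automatic
"""

# Columns: IP address, client-id, lease expiration, binding type.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]+)\s+(.*?)\s+(Manual|Automatic)\s*$"
)

def hexdigits(value):
    """Strip separators so MACs and client-ids compare as plain hex."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()

def parse_bindings(text):
    """Return (ip, client_id_hex, binding_type) for each binding row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), hexdigits(m.group(2)), m.group(4)))
    return rows

def leaked_leases(text, blocked_macs):
    """IPs of Automatic leases held by blocked MACs (assumes client-id = 01 + MAC)."""
    wanted = {"01" + hexdigits(mac) for mac in blocked_macs}
    return [ip for ip, cid, kind in parse_bindings(text)
            if kind == "Automatic" and cid in wanted]

def null_routes(text, blocked_macs):
    """One host route to null0 per leaked lease."""
    return [f"ip route {ip} 255.255.255.255 null0"
            for ip in leaked_leases(text, blocked_macs)]

if __name__ == "__main__":
    for line in null_routes(BINDINGS, ["c83a.3521.be28"]):
        print(line)
```

The null route only affects traffic the router forwards toward that address; hosts on the same switch segment can still reach it directly, and the route has to be updated if the device's lease changes.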

New Member

That did it.  Thank you Marvin

New Member

c2900-universalk9-mz.SPA.150-1.M1 -

 

 

class-map match-any internal-block
 match source-address mac 1234.1234.1234

policy-map block-policy
 class internal-block
  drop

interface GigabitEthernet0/0
 description LAN interface
 service-policy input block-policy

 

 
