Cisco Support Community

New Member

Cisco 1811 w/12.4(24)T2 - MAC Address Filtering?

Hi,

I have a couple of hosts on a remote network which are infected with a Trojan and various other malware. The hosts themselves are on a DHCP network and I would like to block access from these hosts using a MAC filter.

Is this possible on 12.4(24)T2?

I have another option where I could configure a DHCP process and assign an IP address based on the MAC and essentially black hole the host with an ACL, but I'm wondering if there is an easier approach.

Thanks.

1 REPLY
Silver

Re: Cisco 1811 w/12.4(24)T2 - MAC Address Filtering?

Not sure if this is supported on your code/feature set/platform; but it's worth a try:

##################

access-list (standard-ibm)

To establish a MAC address access list, use the access-list command in global configuration mode. To remove access list, use the no form of this command.

access-list access-list-number {permit | deny} address mask

no access-list access-list-number

Syntax Description

access-list-number: Integer from 700 to 799 that you select for the list.

permit: Permits the frame.

deny: Denies the frame.

address mask: 48-bit MAC addresses written as a dotted triple of four-digit hexadecimal numbers. The ones bits in the mask argument are the bits to be ignored in address.


Defaults

No MAC address access lists are established.

Command Modes

Global configuration

Command History

Release: Modification

10.0: This command was introduced.

12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Configuring bridging access lists of type 700 may cause a momentary interruption of traffic flow.

Examples

The following example assumes that you want to disallow the bridging of Ethernet packets of all Sun workstations on Ethernet interface 1. Software assumes that all such hosts have Ethernet addresses with the vendor code 0800.2000.0000. The first line of the access list denies access to all Sun workstations, and the second line permits everything else. You then assign the access list to the input side of Ethernet interface 1.

access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 1
 bridge-group 1 input-address-list 700

Related Commands

Command: Description

access-list (type-code-ibm): Builds type-code access lists.
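
The address/mask matching described in the quoted documentation can be checked offline before a list is applied to a router. The following Python sketch is an added example, not part of the original reply or of Cisco's documentation; the MAC 0011.2233.4455, list number 701 and the implicit deny at the end of a list are assumptions made for illustration.

```python
# Added example: models the address/mask matching described in the quoted
# access-list (standard-ibm) text. All MAC addresses below are constructed.

def mac_to_int(dotted):
    """Convert a dotted-triple MAC such as 0800.2000.0000 to a 48-bit int."""
    groups = dotted.split(".")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError("expected dotted triple of four hex digits: %r" % dotted)
    return int("".join(groups), 16)

def parse_acl(text):
    """Parse 'access-list 7xx {permit|deny} address mask' lines, in order."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if len(words) != 5 or words[0] != "access-list":
            continue  # skip '!' separators and interface lines
        number, action = int(words[1]), words[2]
        if not 700 <= number <= 799 or action not in ("permit", "deny"):
            raise ValueError("not a MAC address access list entry: %r" % line)
        entries.append((action, mac_to_int(words[3]), mac_to_int(words[4])))
    return entries

def evaluate(entries, mac):
    """Return the action of the first matching entry for a source MAC."""
    value = mac_to_int(mac)
    for action, address, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF  # ones bits in the mask are ignored
        if (value & care) == (address & care):
            return action
    return "deny"  # assumption: implicit deny when nothing matches

# The list from the quoted documentation example.
DOC_ACL = """\
access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
"""

# Constructed list for the question's case: one host blocked by exact MAC
# (all-zero mask), everything else permitted. The MAC is a placeholder.
HOST_ACL = """\
access-list 701 deny 0011.2233.4455 0000.0000.0000
access-list 701 permit 0000.0000.0000 FFFF.FFFF.FFFF
"""

if __name__ == "__main__":
    for mac in ("0800.20ab.cdef", "0800.21ab.cdef", "0011.2233.4455"):
        print(mac, evaluate(parse_acl(DOC_ACL), mac), evaluate(parse_acl(HOST_ACL), mac))
```

As in the quoted example, a list of this type only filters traffic once it is attached to a bridged interface with bridge-group and input-address-list.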

