
Blocking a MAC on the router - Is it possible?

fenstrat

Technical User
Nov 5, 2002
226
US
We have someone causing denial of service attacks on our student network, maybe once a week for about 20 minutes. He is somehow causing IP address conflicts on the network from one MAC address. I have the MAC address but am unable to find it in any of the switch ARPs. Is it possible to block a MAC with an ACL? Any other ideas?

Thanks
 
What kind of switches? You might be able to do a VACL.

but, yes you can do it at the router level

Also, why not track down that MAC address and bust his a$$

show cam dynamic, or show mac-address-table is your friend


BuckWeet
 
Could you show me how I could do this at the router level using an acl?

Thanks
 
I believe you have to turn Bridging on for this:-

Maybe along these lines:-

bridge irb
!
!
interface Ethernet 0
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 spanning-disabled
!
interface BVI1
 description ** IP interface tied to Ethernet0 **
 ip address 1.1.1.1 255.255.255.0
!
no ip http server
ip classless
!
!
access-list 700 deny 1111.2222.3333 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff

May work. Give it a try.


 
It seems to have accepted all the inputs, but the MAC is not being blocked yet. I'm wondering if it's allowing it through because the first couple of groups of ACLs allow the traffic before it even gets to ACL 700. Any suggestions:

charybdis#show running-config
Building configuration...

Current configuration : 4020 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname charybdis
!
logging buffered 4096 informational
enable secret 5 $1$bfl6$XECEiW1i9F0IBSoSdXuee1
!
ip subnet-zero
!
!
!
!
bridge irb
!
!
interface FastEthernet0/0
description External Network
ip address 10.10.1.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Student Network
ip address 172.25.98.1 255.255.255.252 secondary
ip address 172.25.10.1 255.255.0.0
ip access-group 100 in
ip policy route-map VPN
duplex auto
speed auto
bridge-group 1
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
!
interface BVI1
description **IP interface tied to Ethernet 0/1** IP Address 1.1.1.1 255.255.255.0
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.2
ip route 172.16.0.0 255.255.0.0 10.10.1.3
ip route 172.20.0.0 255.255.0.0 10.10.1.2
ip route 172.22.0.0 255.255.0.0 10.10.1.1
ip route 172.24.0.0 255.255.0.0 10.10.1.1
ip route 192.168.5.2 255.255.255.255 10.10.1.1
ip route 199.89.180.2 255.255.255.255 10.10.1.1
ip http server
ip pim bidir-enable
!
logging trap debugging
logging facility local0
logging 10.10.1.6
access-list 1 permit 172.25.10.13
access-list 1 permit 172.25.10.12
access-list 1 permit 172.25.10.10
access-list 1 permit 172.25.100.1
access-list 2 permit 172.25.98.0 0.0.0.255
access-list 2 permit 172.25.99.0 0.0.0.255
access-list 2 permit 172.25.97.0 0.0.0.255
access-list 100 deny ip host 172.25.10.12 172.17.0.0 0.0.255.255
access-list 100 deny ip host 172.25.10.12 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.25.99.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 deny ip 172.25.99.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.25.98.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 deny ip 172.25.98.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.25.97.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 deny ip 172.25.97.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.25.104.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 deny ip 172.25.104.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny ip host 172.25.10.13 172.17.0.0 0.0.255.255
access-list 100 deny ip host 172.25.10.13 172.16.0.0 0.0.255.255
access-list 100 permit ip host 172.25.10.10 172.17.0.0 0.0.255.255
access-list 100 permit ip host 172.25.10.10 172.16.0.0 0.0.255.255
access-list 100 permit ip host 172.25.10.10 172.24.0.0 0.0.255.255
access-list 100 permit ip host 172.25.10.10 any
access-list 100 permit ip host 172.25.100.1 any
access-list 100 permit ip 172.25.99.0 0.0.0.255 any
access-list 100 permit ip 172.25.98.0 0.0.0.255 any
access-list 100 permit ip 172.25.97.0 0.0.0.255 any
access-list 100 permit ip host 172.25.10.12 any
access-list 100 permit ip host 172.25.10.13 any
access-list 100 permit ip 172.25.104.0 0.0.0.255 any
access-list 700 deny 0010.c632.35ca 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
route-map VPN permit 10
match ip address 1
set ip default next-hop 10.10.1.1
!
route-map VPN permit 20
match ip address 2
set ip default next-hop 10.10.1.2
!
snmp-server community
snmp-server community
snmp-server location Data Center A

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog

!
line con 0

login
line aux 0
line vty 0 4

login
!
end
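Two things a practitioner would check in the config above before looking elsewhere: `ip access-group 100 in` is an extended IP access list, so it matches IP addresses and never MACs, and a bridge-group `input-address-list` is evaluated top-down, first match wins, with an implicit deny after the last entry. The following is an added example, not code from the thread, that models that evaluation in Python for the MAC list actually in use (the 700-series entries and the two MACs are taken from the thread; the evaluator itself is an assumption about IOS semantics, not IOS code):

```python
# Added example (not from the thread): model how a Cisco IOS standard MAC
# access-list (700-799) is evaluated when applied with
# "bridge-group 1 input-address-list 700". Entries are checked top-down,
# first match wins, and a frame that matches nothing hits the implicit deny.
from typing import List, Tuple

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit mask


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (e.g. 0010.c632.35ca) into an integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def parse_acl(lines: List[str]) -> List[Tuple[str, int, int]]:
    """Turn 'access-list 7xx <deny|permit> <addr> <wildcard>' lines into entries.
    Lines with a different shape (comments, IP ACLs) are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            continue
        _, _number, action, addr, wildcard = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        entries.append((action, mac_to_int(addr), mac_to_int(wildcard)))
    return entries


def evaluate(entries: List[Tuple[str, int, int]], src_mac: str) -> str:
    """Return 'permit' or 'deny' for a source MAC.
    Wildcard bits set to 1 are 'don't care', so a frame matches an entry when
    the bits outside the wildcard are identical."""
    src = mac_to_int(src_mac)
    for action, addr, wildcard in entries:
        care = wildcard ^ MAC_BITS
        if (src & care) == (addr & care):
            return action
    return "deny"  # implicit deny at the end of every IOS access list


# The list from the thread, and the same list with the catch-all permit
# removed, to show what the implicit deny does to every other station.
ACL_WITH_PERMIT = [
    "access-list 700 deny 0010.c632.35ca 0000.0000.0000",
    "access-list 700 permit 0000.0000.0000 ffff.ffff.ffff",
]
ACL_DENY_ONLY = ACL_WITH_PERMIT[:1]


def demo() -> dict:
    offender = "0010.c632.35ca"   # MAC from the thread
    innocent = "0050.048c.3726"   # another MAC from the thread, used as a bystander
    full = parse_acl(ACL_WITH_PERMIT)
    only = parse_acl(ACL_DENY_ONLY)
    return {
        "offender_full": evaluate(full, offender),
        "innocent_full": evaluate(full, innocent),
        "offender_deny_only": evaluate(only, offender),
        "innocent_deny_only": evaluate(only, innocent),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The wildcard `0000.0000.0000` means every bit must match (an exact-MAC entry), while `ffff.ffff.ffff` means no bit is checked (a catch-all). Dropping the catch-all permit therefore does not make the deny stronger; it leaves every other MAC to the implicit deny at the end of the list.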
 
Hi there,
If there is an attacker out there attacking your network, simply blocking his MAC probably won't save you for long. The attacker will simply change his MAC address and start attacking again.
Instead of trying to prevent this MAC address from reaching you, you could also use the port security feature on your switches, or you could even use a security strategy including 802.1x to prevent physical access to your network. The problem will always be whether implementing such a strategy is worth the effort.
Bye,
busche
 
Assuming this is his real MAC address, blocking the MAC at the router should stop him until he changes his MAC. If I understand Cisco port security, it dynamically registers a MAC to the port, and if the MAC address changes it blocks the port. Is this correct? If so, how does this interfere on a student network where new students arrive each spring and fall? If he is using his real MAC address then implementing port security alone probably will not stop him. We do not have the resources to manually allow MAC addresses through individual ports for 800 students.

thanks
 
This is a layer 2 problem which should be handled at the switch level and not at the router. 802.1X with EAP would do the trick.

 
The "permit" statement was used to show how to use PERMIT as well as "DENY".

Remove the "permit" statement and try again.

 
Hello,

Jumping into the discussion late, but this might not work, as Windows-based machines modify their MAC addresses.

e.g.

Real MAC : 0050.048c.3726
Windows MAC : 0100.5004.8c37.26

The second MAC is as seen from the router when using the DHCP pool statement.

darkseid,
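The two practical problems in this thread, finding which switch port a MAC is sitting behind (BuckWeet's "show mac-address-table is your friend") and recognising the same station when its address shows up in a different notation (darkseid's 14-digit form, which is the DHCP client identifier IOS displays: the hardware-type byte 01 followed by the six-byte MAC), share one piece of code: a normaliser. The following is an added example in Python, not code from the thread or from Cisco; the MAC table output is constructed in the layout of `show mac-address-table`, and the ports and most addresses in it are made up for the example.

```python
# Added example (not from the thread): normalise a MAC written in any common
# notation, including the DHCP client-identifier form IOS shows in
# "show ip dhcp binding" (01 = Ethernet hardware type, then the MAC), and look
# it up in captured "show mac-address-table" output to find the port it was
# learned on.
import re
from typing import Dict, Optional


def normalize_mac(text: str) -> str:
    """Return the MAC as 12 lowercase hex digits in Cisco dotted form.
    Accepts 0010.c632.35ca, 00:10:c6:32:35:ca, 00-10-C6-32-35-CA and the
    14-digit DHCP client-id 0100.10c6.3235.ca (leading 01 = Ethernet htype)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]  # strip the DHCP hardware-type byte
    if len(digits) != 12:
        raise ValueError(f"cannot interpret {text!r} as a MAC address")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


# Constructed sample output (layout of "show mac-address-table" on a Catalyst
# running IOS). 0010.c632.35ca and 0050.048c.3726 are the MACs from the
# thread; the other entries and all port names are invented.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0010.c632.35ca    DYNAMIC     Fa0/17
  10    0050.048c.3726    DYNAMIC     Fa0/3
  10    000c.2931.aa01    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 4
"""

# One data row: VLAN, dotted MAC, entry type, port. Header and separator
# lines do not match because their second column is not a dotted MAC.
ROW = re.compile(
    r"^\s*(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$"
)


def parse_mac_table(output: str) -> Dict[str, Dict[str, str]]:
    """Map each learned MAC (normalised) to its VLAN, entry type and port."""
    table: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[normalize_mac(mac)] = {"vlan": vlan, "type": kind, "port": port}
    return table


def find_port(output: str, mac: str) -> Optional[str]:
    """Return the port a MAC was learned on, or None if this switch has not seen it."""
    entry = parse_mac_table(output).get(normalize_mac(mac))
    return entry["port"] if entry else None


if __name__ == "__main__":
    for query in ("00:10:C6:32:35:CA", "0100.5004.8c37.26", "dead.beef.0001"):
        print(f"{query:20} -> {normalize_mac(query):16} on {find_port(SAMPLE_MAC_TABLE, query)}")
```

When the lookup lands on an uplink or trunk port rather than an access port, repeat it on the switch at the far end of that link; the table only tells you which direction the frames came from on this switch. If the address moves between ports from one capture to the next, that is itself worth noting, since a station that keeps changing where it appears is exactly the case where port security or 802.1X on the access ports helps more than a single router-side deny.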
 