Banning a single Mac Address from a 1900 or 2900 Series Cisco Switch.


james23

Active Member
Nov 18, 2014
Hi,

My goal is to block all traffic, or to shut down a switch port (or otherwise block it), if a specific MAC address is plugged into the switch.

(For background, my exact scenario is: at times a user will plug in a rogue DHCP server, at which point my router sends me an alert. I then remotely track down the specific switch port the user plugged the rogue DHCP server into and shut down that switch port, until I get a phone call ("my internet/wall jack isn't working!"). I'd much rather be able to block the MAC address of that rogue DHCP server's Ethernet port (usually the LAN port(s) on a Wi-Fi router), so that the user will hopefully try other Ethernet ports on their router (until they find the proper WAN/Internet port, which they should have been using all along), or the user will try other non-DHCP-server devices. Either of those could avoid a phone call to network support, which is the result when their port is fully shut down.)



All of my research has led me to examples or solutions on other models of Cisco switches with this command (this command, if it worked on my version/model, would accomplish my goal):

mac-address-table static C056.27C5.3E2A fastEthernet 0/22 vlan 1 drop

However, on my switch, when I try to enter this command, here are the results:

ARW_3548(config)#mac-address-table static 00e0.b8b8.1c61 ? <cr>
FastEthernet FastEthernet IEEE 802.3

ARW_3548(config)#mac-address-table static 00e0.b8b8.1c61 fastEthernet 0/22 ? <cr>
FastEthernet FastEthernet IEEE 802.3
vlan vlan name


ARW_3548(config)#mac-address-table static 00e0.b8b8.1c61 fastEthernet 0/22 vlan 2 ? <cr>

(Hitting enter to execute the command will add an entry to my running-config, but it does not block the MAC address in any way.)



Static, dynamic or sticky port security doesn't seem to address my specific issue either (my issue being that I know ahead of time the MAC address that I want to block).



Can anyone help with this or point me in the right direction? There just must be a way to block a MAC address, even on these earlier Cisco 2924 switches. Thanks



Relevant version info, output of "sh ver" from my switch (I also have 1900 series switches in use):

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE
System image file is "flash:c2900XL-c3h2s-mz-120.5.2-XU.bin"

cisco WS-C2924-XL

james23

Active Member
Nov 18, 2014
I think you have hit the nail on the head (these Cisco switches I'm using are just too old; they are some of the first 100 Mbit Cisco switches and some are even still 10 Mbit). Plus, every other solution I've found for banning a MAC address (which should be a somewhat common goal) seems to be for a Cisco switch one model/revision newer than what I'm dealing with. My CLI is always missing that one last part of the command that I need, so I think it's just too old a switch.

For anyone else looking to do this (and who has a newer Cisco switch than the 2924 or 2950), here is what I had in my notes from researching this prior to posting here:

from my notes:

Exact issue I'm having: http://arstechnica.com/civis/viewtopic.php?f=10&t=157395

Problem is: mac-address-table static 0000.0000.0000 vlan X drop does not work on my switches.
This command below is what I wanted to try to do at rxxxxxxxx one night (and some forum posts said to do this):
mac-address-table static C056.27C5.3E2A fastEthernet 0/23 vlan 1 DROP

or they were doing this on a 3548 SW:
ARW_3548(config)#mac-address-table static 00e0.b8b8.1c61 Drop

But on my switch, after the MAC address, the CLI auto-fill only allows me to set the fastEthernet port and the VLAN, but no DROP nor anything beyond that (i.e. it's letting me set a static MAC entry, which is not what I want to do; I want the DROP action, thus my switch must not support this feature).

thanks
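As an added example (not from this thread, not Cisco's own tooling), the script below does the two things the posts above describe by hand: it finds which port a known MAC address is learned on, and it builds the config lines for either approach, the static drop entry on platforms that accept it or shutting the port where they do not. The MAC table text is a constructed sample in the common "Vlan / Mac Address / Type / Ports" layout of newer IOS; the 2900XL's own output may look different, and the addresses and ports are made up.

```python
"""Locate a known MAC address in a switch MAC table and build the IOS lines
to block it. Added example; the table layout and all addresses/ports are
assumptions, not output captured from the switches in the thread."""
import re

# Constructed sample of `show mac address-table` output (not from the page).
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    c056.27c5.3e2a    DYNAMIC     Fa0/22
   2    00e0.b8b8.1c61    STATIC      Fa0/23
"""

# One table row: vlan, dotted MAC, type, port. Header/separator lines do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I
)

# Short interface names as shown in the table -> long form used in config mode.
IFACE_NAMES = {"fa": "fastEthernet", "gi": "gigabitEthernet", "et": "ethernet"}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex
    and return Cisco dotted form in lower case (hhhh.hhhh.hhhh)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def find_port(table_text: str, mac: str):
    """Return (vlan, port) for the first table row whose MAC matches, else None."""
    target = normalize_mac(mac)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m and m.group(2).lower() == target:
            return m.group(1), m.group(4)
    return None


def expand_interface(port: str) -> str:
    """'Fa0/22' -> 'fastEthernet 0/22'; raises on an unrecognised port name."""
    m = re.match(r"^(Fa|Gi|Et)(\d+/\d+)$", port, re.I)
    if not m:
        raise ValueError(f"unrecognised interface name: {port!r}")
    return f"{IFACE_NAMES[m.group(1).lower()]} {m.group(2)}"


def block_commands(mac: str, vlan: str, port: str, supports_drop: bool):
    """Config lines for the two approaches in the thread: a static drop entry
    for the MAC where the platform accepts 'drop', otherwise shut the port."""
    target = normalize_mac(mac)
    if supports_drop:
        return [f"mac-address-table static {target} vlan {vlan} drop"]
    return [f"interface {expand_interface(port)}", " shutdown"]


if __name__ == "__main__":
    rogue = "C0:56:27:C5:3E:2A"  # constructed address of the rogue DHCP server
    hit = find_port(SAMPLE_TABLE, rogue)
    if hit is None:
        print("MAC not learned on this switch")
    else:
        vlan, port = hit
        print(f"{rogue} learned on {port} in VLAN {vlan}")
        for supports_drop in (True, False):
            print("\n".join(block_commands(rogue, vlan, port, supports_drop)))
```

Normalising the address first matters in practice: the router alert, the table output and the operator's notes often use three different MAC spellings, and a case or separator mismatch silently yields "not found" rather than an error.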

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
Relevant Version info Output of # Sh Ver from my switch (i also have 1900 series switches in use):

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE
System image file is "flash:c2900XL-c3h2s-mz-120.5.2-XU.bin"

cisco WS-C2924-XL
The 2900XLs have been completely obsolete for years now. I believe the last release was 12.0(5)WC17 from February 13, 2007 (any builds beyond that were one-offs for large customers with custom maintenance agreements). And that didn't run on some older 2900XLs. There were 3 versions of the 2900XL hardware, which can be distinguished by the color of the port number labels. I think the sequence (from oldest to newest) was no color (just molded-in numbers), white, and yellow. The older versions had very poor throughput and could not sustain an aggregate performance of even 200 Mbit/sec. And that's with ASIC-based switching*.

I just took a look at that code, and all I can say is "yikes". It dates from the beginning of the "thousand kingdoms" IOS era, and it never got any fixes from either other platforms or newer IOS versions. I can see a couple of system crashers in there, some of which don't even require command-line access to the switch (it can be crashed by network packets originated elsewhere).

* The processor on a 2900XL is a very low-end PowerPC and once it loads the code for the ASICs, it spends most of its time (30% to 50%) just fiddling the front panel LEDs. The only part of packet processing it gets involved with is some support for spanning tree. That's also why the port capabilities on this switch are so limited - the ports only support what the ASICs were designed to do, and the IOS image can't add support for things not already handled by the ASICs.