https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302593#M792210 <P>I have some users on our corporate network who I need to block from the network using mac address. I can't do this via dhcp because the users are using static IPs which they keep changing once it is blocked on the PIX 515E using the shun command.</P><P>How can I block access to these users on the PIX. The PIX is the default gateway.</P> Mon, 11 Mar 2019 16:31:19 GMT prince.ibe 2019-03-11T16:31:19Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302593#M792210 <P>I have some users on our corporate network who I need to block from the network using mac address. I can't do this via dhcp because the users are using static IPs which they keep changing once it is blocked on the PIX 515E using the shun command.</P><P>How can I block access to these users on the PIX. The PIX is the default gateway.</P> Mon, 11 Mar 2019 16:31:19 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302593#M792210 prince.ibe 2019-03-11T16:31:19Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302594#M792211 <HTML><HEAD></HEAD><BODY><P>You cannot block by mac-address on the PIX.</P><P></P><P>HTH&gt;</P></BODY></HTML> Mon, 26 Oct 2009 15:34:18 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302594#M792211 andrew.prince 2009-10-26T15:34:18Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302595#M792212 <HTML><HEAD></HEAD><BODY><P>Andrew is right. You cannot block based on the mac-address on the PIX but, you can see if you can do this on the switch side using mac access-list</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml</A></P></BODY></HTML> Mon, 26 Oct 2009 15:58:22 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302595#M792212 Kureli Sankar 2009-10-26T15:58:22Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302596#M792213 <HTML><HEAD></HEAD><BODY><P>You could also consider configuring your switch to0 use VMPS, depends on your switch platform.</P><P></P><P>If you do implement VMPS - you can create a specific VLAN for these users, then either block by IP address or route them into a black hole for non lAN traffic.</P></BODY></HTML> Mon, 26 Oct 2009 16:09:30 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302596#M792213 andrew.prince 2009-10-26T16:09:30Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302597#M792214 <HTML><HEAD></HEAD><BODY><P>I have a slightly complex situation at the moment which I hope to solve in the near future.</P><P>I inherited a flat network. No VLANs. No DMZ. In fact, the PIX acts as the LAN gateway with only 2 ports - one inside the other outside to a router which connects to the internet via vsat modem.</P><P>I hope to implement some control soonest using websence but before then, I am up to my chin troubled about this particular user that frequently changes his static IP and throttles the network badly.</P><P>What other method can I readily deploy to cut him permanently off the network? ...</P></BODY></HTML> Mon, 26 Oct 2009 19:41:35 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302597#M792214 prince.ibe 2009-10-26T19:41:35Z https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302598#M792215 <HTML><HEAD></HEAD><BODY><P>you can use private vlans - see the below url for config examples:-</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml</A></P><P></P><P>Put this guy's switch port in a seperate VLAN and control him this way.</P></BODY></HTML> Mon, 26 Oct 2009 19:47:28 GMT https://community.cisco.com/t5/network-security/blocking-users-using-mac-address/m-p/1302598#M792215 andrew.prince 2009-10-26T19:47:28Z