Solved: Re: block access based on Mac Address for all vlan

charlesyju · ‎05-14-2019

I want to block a MAC address on a switch no matter which vlan the MAC belongs to.

I saw similiar command as the following:

 mac address-table static 0050.3e8d.6400 vlan 12 drop

However it requires a vlan parameter. How do I specify all vlans?

Mark Malone · ‎05-14-2019

Yes we use ISE/NAC for that very good for that type of blocking at layer 2 if you have anything like that in play on the network , that command though should really have an all vlan option to drop it everywhere

View solution in original post

Mark Malone · ‎05-14-2019

what about a MACL instead

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-4500-series-switches/200179-Use-MAC-ACL-for-Layer-2-Control-Frames-o.html

charlesyju · ‎05-14-2019

The document says that "MAC ACL can be used in order to filter non-IP traffic on a VLAN and on a physical Layer 2 (L2) port."

In my case, the traffic is ip traffic.

Mark Malone · ‎05-14-2019

theres no extension to that command so if you want it on every vlan it needs to be applied that way , could you not just shut down the suspect device take it off the network ?

charlesyju · ‎05-14-2019

In my case, there are maybe many MAC learnt from a switch port and I need to block certain MAC based on some other detection method. Anyway, good to get confirmation that vlan is required for the cli command. I will see what is the best automated way to get the vlan of a MAC learnt on a switch. Automating telnet to the switch and do a show mac address-table is one way, but it is not so friendly. If there is a mib table to get the vlan of the learnt MAC, that is better. But I guess there is no such mib table.

Mark Malone · ‎05-14-2019

Yes we use ISE/NAC for that very good for that type of blocking at layer 2 if you have anything like that in play on the network , that command though should really have an all vlan option to drop it everywhere