12-12-2011 11:20 AM - edited 03-07-2019 03:51 AM
We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connecting to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches (a mixture of 2950, 2960 and 2960G; currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on Google, by searching these boards, or in the command reference.
I can create an ACL:
mac access-list extended MACBlackList
deny host aaaa.bbbb.cccc any
permit any any
But when I applied it to an interface, it did not perform as expected, allowing everything through still:
interface FastEthernet0/1
mac access-group MACBlackList in
And these commands are not supported for the VLAN interface. Instead, I considered making a policy map, but once again the VLAN interface doesn't support policy maps, and the switch wants a numbered ACL, not a named MAC ACL:
class-map BlockedMACsClass
match access-group MACBlackList
policy-map BlockedMACsPolicy
class BlockedMACsClass
interface vlan 1
service-policy input BlockedMACsPolicy
So the big question is: What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches? Thanks in advance for any advice you can give.
-Jonathan
12-12-2011 12:06 PM
Hi,
this is not working because a MAC ACL applied on a L2 port will only be effective for non IP traffic.
one way could be to black-hole traffic to/from this MAC addresses like this:
mac address-table static xxxx.xxxx.xxxx vlan x drop
Regards.
Alain
12-14-2011 09:30 AM
That definitely works for the 2960 switches. I've already implemented it as a partial solution. Thanks for your help, Alain. The 2950s are exhibiting odd behaviour, however. According to the command reference, it's been supported since release 12.1(19)EA1:
The 2950s are running Version 12.1(22)EA6. I assume it to be a later revision and should include the features of 12.1(19)EA1. Still, when entering the command:
mac address-table static 1234.5678.90ab vlan 1 drop
I am told "% Invalid input detected at...[drop]." It only accepts a command formatted like this:
mac address-table static 1234.5678.90ab vlan 1 interface fa0/1
Which I assume will forward traffic with the specified MAC towards the specified interface. I wondered if there was a null interface I could forward to, to simulate the action of a drop. Only FastEthernet and port-channel interfaces are allowed, so could I create a port channel, not assign it to any interfaces, and forward traffic to drop to port-channel 6?
interface port-channel 6
no shut
exit
mac address-table static 1234.5678.90ab vlan 1 interface port-channel6
Or is this most likely caused by the IOS version not supporting DROP and I should upgrade to 12.1(22)EA14? Thanks for everyone's help so far!
12-14-2011 11:46 AM
Hi,
according to configuration guide of 12.1(22)EA7 this is supported.
But you can map to an unused interface like you proposed and it will have the same effect, which is blackholing traffic from/to this MAC address.
Regards.
Alain
12-14-2011 01:12 PM
I tested the custom bit bucket method of sending it to a port group with no interfaces assigned. Worked out great. Thanks!
Also: one of the 2950's ran Version 12.1(9)EA1. Modifying the command with a dash as follows seems to work in the same manner.
mac-address-table static 1234.5678.90ab vlan 1 interface port-channel6
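The two workarounds in this thread (Alain's `mac address-table static ... drop` for the 2960s, and Jonathan's empty port-channel "bit bucket" for the 2950s) are easy to get wrong across a fleet of mixed switches: the MAC must be in Cisco dotted form, the keyword spelling differs between IOS 12.1(9)EA1 and later releases, and nothing tells you afterwards whether every entry actually landed. The following script is an added example, not code from the original thread or from Cisco: it normalizes MAC addresses, emits the per-platform config lines shown above, and checks a `show mac address-table static` listing for entries that are still missing. The sample `show` output and the `Vlan / Mac Address / Type / Ports` column layout it parses (with `Drop` or `PoN` in the Ports column) are constructed assumptions for the example, as are the MAC addresses.

```python
"""Generate and verify static MAC blackhole entries for Catalyst 2950/2960 (added example)."""
import re

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Turn 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' into Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def blackhole_config(macs, vlan, platform, sink_channel=6):
    """Return IOS config lines that blackhole each MAC on the given VLAN.

    platform: "2960"     -> 'mac address-table static ... drop' (12.2 on the 2960s)
              "2950"     -> forward to an unused port-channel (12.1(22)EA6 rejects 'drop')
              "2950-old" -> same, but the hyphenated 'mac-address-table' spelling (12.1(9)EA1)
    """
    if platform not in ("2960", "2950", "2950-old"):
        raise ValueError(f"unknown platform {platform!r}")
    lines = []
    if platform != "2960":
        # Sink port-channel with no member interfaces: traffic sent there goes nowhere.
        lines += [f"interface port-channel {sink_channel}", " no shutdown", "exit"]
    keyword = "mac-address-table" if platform == "2950-old" else "mac address-table"
    for mac in sorted({normalize_mac(m) for m in macs}):  # dedupe and keep output stable
        if platform == "2960":
            lines.append(f"{keyword} static {mac} vlan {vlan} drop")
        else:
            lines.append(f"{keyword} static {mac} vlan {vlan} interface port-channel{sink_channel}")
    return lines


def missing_blackholes(show_output, macs, vlan):
    """Parse 'show mac address-table static' text; return the wanted MACs that are NOT blackholed."""
    wanted = {normalize_mac(m) for m in macs}
    found = set()
    for line in show_output.splitlines():
        parts = line.split()
        # Assumed column layout: Vlan  Mac Address  Type  Ports
        if len(parts) >= 4 and parts[0] == str(vlan) and parts[2].upper() == "STATIC":
            port = parts[3].lower()
            if port == "drop" or port.startswith("po"):
                found.add(parts[1].lower())
    return sorted(wanted - found)


# Constructed sample of the verification output (not captured from a real switch).
SAMPLE_SHOW = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    1234.5678.90ab    STATIC      Drop
   1    aaaa.bbbb.cccc    STATIC      Po6
  10    0011.2233.4455    STATIC      Fa0/1
"""

if __name__ == "__main__":
    sandbox = ["12:34:56:78:90:AB", "aaaa.bbbb.cccc", "00-11-22-33-44-55"]  # constructed MACs
    for platform in ("2960", "2950", "2950-old"):
        print(f"! {platform}")
        print("\n".join(blackhole_config(sandbox, 1, platform)))
    print("still reachable on VLAN 1:", missing_blackholes(SAMPLE_SHOW, sandbox, 1))
```

Running the script prints one config block per platform and then the MACs that the sample `show` output does not yet blackhole on VLAN 1 (here `0011.2233.4455`, whose static entry is on VLAN 10 and forwards to a real port). Pasting the generated lines into each switch and re-running the check against the real `show mac address-table static` output gives a quick audit that no sandbox MAC was missed on any of the Layer 2 switches.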
09-13-2018 01:59 PM
Hi
Is it possible to block some IP phones by MAC address from leaving a switch and allow others in the same VLAN to go to any any?
09-04-2018 10:32 AM
Hi
I have a similar issue. I want to allow only certain MAC addresses from the Voice VLAN going anywhere using an ACL and drop the MAC addresses that are not defined in the ACL. I've tried a MAC ACL with a VLAN access map and VLAN filter list but it just didn't work.