Blocking MACs from VLAN access

jbarnes
Level 1

We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connecting to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches (a mixture of 2950, 2960 and 2960G; currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on Google, by searching these boards, or in the command reference.

I can create an ACL:

mac access-list extended MACBlackList
 deny   host aaaa.bbbb.cccc any
 permit any any

But when I applied it to an interface, it did not perform as expected, allowing everything through still:

interface FastEthernet0/1
 mac access-group MACBlackList in

And these commands are not supported for the VLAN interface. Instead, I considered making a policy map, but once again the VLAN interface doesn't support policy maps, and the switch wants a numbered ACL, not a named MAC ACL:

class-map BlockedMACsClass
 match access-group MACBlackList
policy-map BlockedMACsPolicy
 class BlockedMACsClass
interface vlan 1
 service-policy input BlockedMACsPolicy

So the big question is: what is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 switches? Thanks in advance for any advice you can give.

-Jonathan


6 Replies

cadet alain
VIP Alumni

Hi,

This is not working because a MAC ACL applied on an L2 port will only be effective for non-IP traffic.

One way could be to black-hole traffic to/from these MAC addresses like this:

mac address-table static xxxx.xxxx.xxxx vlan x drop

Regards.

Alain

Don't forget to rate helpful posts.

That definitely works for the 2960 switches. I've already implemented it as a partial solution. Thanks for your help, Alain. The 2950's are exhibiting odd behaviour, however. According to the command reference, it's been supported since release 12.1(19)EA1:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/CR/cli1.html#wp4344743

The 2950s are running Version 12.1(22)EA6. I assume it to be a later revision and should include the features of 12.1(19)EA1. Still, when entering the command:

mac address-table static 1234.5678.90ab vlan 1 drop

I am told "% Invalid input detected at...[drop]." It only accepts a command formatted like this:

mac address-table static 1234.5678.90ab vlan 1 interface fa0/1

Which I assume will forward traffic with the specified MAC towards the specified interface. I wondered if there was a null interface I could forward to, to simulate the action of a drop. Only FastEthernet and port-channel interfaces are allowed, so could I create a port channel, not assign it to any interfaces, and forward traffic to drop to port channel 6?

interface port-channel 6
 no shut
 exit
mac address-table static 1234.5678.90ab vlan 1 interface port-channel6

Or is this most likely caused by the IOS version not supporting DROP, and I should upgrade to 12.1(22)EA14? Thanks for everyone's help so far!

Hi,

According to the configuration guide of 12.1(22)EA7 this is supported.

But you can map to an unused interface like you proposed and it will have the same effect, which is black-holing traffic from/to this MAC address.

Regards.

Alain

Don't forget to rate helpful posts.

I tested the custom bit-bucket method of sending it to a port group with no interfaces assigned. Worked out great. Thanks!

Also: one of the 2950's ran Version 12.1(9)EA1. Modifying the command with a dash as follows seems to work in the same manner.

mac-address-table static 1234.5678.90ab vlan 1 interface port-channel6
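The thread ends up with three spellings of the same black-hole entry depending on platform and IOS release: `mac address-table static ... drop` on the 2960, `mac address-table static ... interface port-channel6` on the 2950 running 12.1(22)EA6, and the dashed `mac-address-table static ...` form on 12.1(9)EA1. As an added example (not code from the thread or from Cisco), the Python below normalizes a blocklist written in mixed MAC notations, emits the matching configuration lines for each of those three cases, and audits a captured `show mac address-table static` listing to confirm every blocked MAC is actually bound to the drop sink. The MAC addresses, the platform labels, and the column layout of the sample `show` output are all constructed for this example and are assumptions, not values taken from the page.

```python
import re

# Constructed blocklist for this example: placeholder MACs, not from the thread.
BLOCKED_MACS = [
    "12:34:56:78:90:AB",
    "12-34-56-78-90-ac",
    "1234.5678.90ad",
    "1234567890AB",      # same as the first entry, written without separators
]

# Constructed sample of `show mac address-table static` on a 2960; the column
# layout and the "Drop" text in the Ports column are assumptions for this example.
SAMPLE_SHOW_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    1234.5678.90ab    STATIC      Drop
   1    1234.5678.90ac    STATIC      Fa0/1
"""

_ROW = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+STATIC\s+(\S+)", re.I
)


def to_cisco_mac(mac: str) -> str:
    """Normalize colon, dash, dotted or bare-hex notation to Cisco's aaaa.bbbb.cccc.

    Rejects anything that is not exactly 12 hex digits, and rejects multicast or
    broadcast addresses: the static entries in the thread target unicast hosts.
    """
    hexdigits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    if int(hexdigits[0:2], 16) & 0x01:
        raise ValueError(f"refusing multicast/broadcast address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def render_blackhole_config(macs, vlan, platform, bitbucket="port-channel6"):
    """Emit IOS lines that black-hole traffic to/from each MAC in `vlan`.

    platform "2960":        uses the 'drop' keyword (Alain's suggestion).
    platform "2950":        the tested IOS lacked 'drop', so bind the MAC to an
                            unused port-channel instead (the thread's workaround).
    platform "2950-legacy": same, but 12.1(9)EA1 spells the command with a dash.
    Duplicates in `macs` collapse to one entry after normalization.
    """
    unique = sorted({to_cisco_mac(m) for m in macs})
    if platform == "2960":
        return [f"mac address-table static {m} vlan {vlan} drop" for m in unique]
    if platform in ("2950", "2950-legacy"):
        keyword = "mac-address-table" if platform == "2950-legacy" else "mac address-table"
        # The bit bucket must exist and be up, with no member ports assigned.
        lines = [f"interface {bitbucket}", " no shutdown", "exit"]
        lines += [f"{keyword} static {m} vlan {vlan} interface {bitbucket}" for m in unique]
        return lines
    raise ValueError(f"unknown platform {platform!r}")


def audit_blackholes(show_output, macs, vlan, bitbucket="port-channel6"):
    """Check a `show mac address-table static` capture against the blocklist.

    Returns {mac: status}, where status is 'ok' (bound to Drop or the bit bucket),
    'missing' (no static entry in that VLAN), or 'bound-to-<port>' (an entry that
    forwards to a real port, which would re-enable the host instead of isolating it).
    """
    wanted = {to_cisco_mac(m) for m in macs}
    found = {}
    for line in show_output.splitlines():
        m = _ROW.match(line)
        if m and m.group(1) == str(vlan):
            found[m.group(2).lower()] = m.group(3)
    # IOS abbreviates port-channelN as PoN in show output; accept either spelling.
    sinks = {"drop", bitbucket.lower(), re.sub(r"^port-channel", "po", bitbucket.lower())}
    report = {}
    for mac in sorted(wanted):
        port = found.get(mac)
        if port is None:
            report[mac] = "missing"
        elif port.lower() in sinks:
            report[mac] = "ok"
        else:
            report[mac] = f"bound-to-{port}"
    return report


if __name__ == "__main__":
    for platform in ("2960", "2950", "2950-legacy"):
        print(f"! {platform}")
        print("\n".join(render_blackhole_config(BLOCKED_MACS, 1, platform)))
    for mac, status in audit_blackholes(SAMPLE_SHOW_OUTPUT, BLOCKED_MACS, 1).items():
        print(f"{mac}: {status}")
```

The audit step is the part worth keeping around: a static entry that points at a live port rather than Drop or the empty port-channel silently turns the "block" into a forward, and a missing entry after an IOS upgrade or a `clear mac address-table` would do the same, so re-running the check against each switch's `show` output is a cheap way to confirm the isolation still holds.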

Hi

Is it possible to block some IP phones by MAC address from leaving a switch and allow others in the same VLAN to go to any any?

benolyndav
Level 4

Hi

I have a similar issue. I want to allow only certain MAC addresses from the Voice VLAN going anywhere using an ACL and drop the MAC addresses that are not defined in the ACL. I've tried a MAC ACL with a VLAN access map and VLAN filter list, but it just didn't work.
