@Pawan

I tried the command given in the article, just one quick question, in the command

{permit | deny} source destination protocol

if I will deny the AP/Router, what is the source here and what is the destination here? for the protocol, is it http/https?

Thanks

Jeff

I tried typing in this command,

deny <mac-address of the wirless AP/Router> 0000.00ff.ffff<mac address mask> any

it didn't work, so I went on to check possibly a faulty port of the device, I went on and instead denied the port of the source switch (Cisco) but it didn't worl either.

Thanks

Jeff

hi,

as mentioned above, you could leverage port security feature on your L2 switch.

switchport port-security
switchport port-security maximum x    <<< x = MAXIMUM MAC ADDRESS
switchport port-security violation shutdown    <<< DEFAULT IS SHUTDOWN

I don't see that working well. It will work if you unplug something and then plug a different device in. If there was nothing plugged in and you plug the router in, it is now the only mac, assuming the user plugs the wan port into your network. It will have 1 ip and 1 mac.Devices behind it will be nat'ed.

Define port security on all ports. After awhile make it sticky. This will add the learned macs to the running config. This won't work if your users move around with laptops and expect to plug in anywhere. Shutdown unused ports.

Just an update, I actually tried doing this:

mac access-list extended <ACL name>

deny any host <device mac address>

went to the interface and typed in

mac access-group <ACL name> in

But this stops any traffic or packets on the port, as in totally no traffic though physical connection lights are still flashing and lit up, there are no connections

I guess this doesn't solve my question since it stopped the whole traffic instead of just the external device (router/AP0.

As for the port security, I've read that and I might give it a try.

As for the IT policy, I guess you guys all know that usually or most of the time, if your boss is a Chinese National (not all but mostly a very old school Chinese) didn't implement any policies, so I guess it's up for us (TECH) to implement this. :)

Thanks for all the inputs, really appreciate the advices. As for the advice about ASA, I guess in my years of using a frewall like other brands, I've had a hard time with ASA, I do know it is one of a secured device but confugration wise eventhough I've used the asdm, still a little different from other firewall devices. I guess there's still a lot of learning to do with ASA.

Jeff

I could be wrong with mac acl's but most acls have an implicit deny at the end so you would need to add permit any at the end otherwise everything is blocked.

Port security is a far better solution, by doing what you are doesn't make any sense, as you are being reactive rather than proactive.

In the absence of NAC, it's a good solution, the downside is it can add an administrative overhead, especially in an environment where nodes move around frequently.

Re the question, you are blocking the AP MAC, not that of the associated clients.

Martin

BTW, I've noticed that whenever I entered confide mode and start typing

mac access-lists

before Im able to enter the name, I need to enter

mac access-lists extended (name)

is this ok or is there a difference, because I cant type in the ACL name without typing in the extended.

Thanks

Jeff