09-28-2016 01:38 AM - edited 03-08-2019 07:36 AM
We have an office where some staff are bringing in home routers like Linksys, D-Link, TP-Link, etc. and plugging them into our network to have a wireless network for their mobile phones.
Sometimes this hogs our bandwidth and exceeds our limits. How do we block these devices via MAC address? Our L2 switch is a Catalyst 2960.
Thanks
Jeff
09-28-2016 02:08 AM
You can create a MAC-based ACL to deny the suspected endpoint MAC and allow the rest.
The reference MAC ACL configuration is below:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/n1000v_security/security_9mac_acls.html
09-28-2016 07:37 PM
@Pawan
I tried the command given in the article; just one quick question about the command
{permit | deny} source destination protocol
If I deny the AP/router, what is the source here and what is the destination? For the protocol, is it http/https?
Thanks
Jeff
09-28-2016 10:02 PM
I tried typing in this command:
deny <mac-address of the wireless AP/router> 0000.00ff.ffff <mac address mask> any
It didn't work, so I went on to check for a possibly faulty port on the device; I then instead denied the port of the source switch (Cisco), but it didn't work either.
Thanks
Jeff
09-29-2016 03:42 AM
Hi,
as mentioned above, you could leverage the port security feature on your L2 switch.
switchport port-security
switchport port-security maximum x <<< x = maximum number of MAC addresses
switchport port-security violation shutdown <<< default is shutdown
09-29-2016 07:03 AM
I don't see that working well. It will work if you unplug something and then plug a different device in. If there was nothing plugged in and you plug the router in, it is now the only MAC, assuming the user plugs the WAN port into your network. It will have one IP and one MAC. Devices behind it will be NATed.
Define port security on all ports. After a while, make it sticky. This will add the learned MACs to the running config. This won't work if your users move around with laptops and expect to plug in anywhere. Shut down unused ports.
09-29-2016 06:42 PM
Just an update, I actually tried doing this:
mac access-list extended <ACL name>
deny any host <device mac address>
then went to the interface and typed in
mac access-group <ACL name> in
But this stops any traffic or packets on the port; there is totally no traffic, and though the physical connection lights are still flashing and lit up, there are no connections.
I guess this doesn't solve my question, since it stopped the whole traffic instead of just the external device (router/AP).
As for the port security, I've read that and I might give it a try.
As for the IT policy, I guess you guys all know that usually, or most of the time, if your boss is a Chinese national (not all, but mostly a very old-school Chinese one), no policies were implemented, so I guess it's up to us (TECH) to implement this. :)
Thanks for all the inputs, I really appreciate the advice. As for the advice about the ASA, I guess in my years of using firewalls of other brands, I've had a hard time with the ASA. I do know it is a secure device, but configuration-wise, even though I've used the ASDM, it's still a little different from other firewall devices. I guess there's still a lot of learning to do with the ASA.
Jeff
10-03-2016 09:48 AM
I could be wrong with MAC ACLs, but most ACLs have an implicit deny at the end, so you would need to add permit any at the end, otherwise everything is blocked.
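A corrected version of the ACL Jeff posted above, taking the implicit-deny point into account. This is an added example, not configuration from any poster; the ACL name, the MAC 0011.2233.4455, VLAN 10 and interface Gi0/5 are placeholders. Applied inbound on the port the rogue router is plugged into, the deny has to match that router's MAC as the source address, and the trailing permit keeps the rest of the port's traffic flowing.

```cisco
! Named extended MAC ACL (Catalyst 2960 / IOS). Placeholders: BLOCK-ROGUE-AP,
! 0011.2233.4455 (rogue router's LAN/WAN-side MAC), Gi0/5, VLAN 10.
mac access-list extended BLOCK-ROGUE-AP
 ! Inbound on the access port, frames from the router carry its MAC as SOURCE.
 deny   host 0011.2233.4455 any
 ! Without this line the implicit deny at the end drops every other frame on the
 ! port, which is the "link lights on, no connectivity" symptom described above.
 permit any any
!
interface GigabitEthernet0/5
 mac access-group BLOCK-ROGUE-AP in
!
! Caveat: on the Catalyst 2960 family a MAC ACL on a Layer 2 port filters
! non-IP frames (ARP etc.); IP frames from the same MAC need an IP ACL.
! A static drop entry in the MAC address table blocks that MAC in both
! directions regardless of frame type (older IOS spells it mac-address-table):
mac address-table static 0011.2233.4455 vlan 10 drop
!
! Verification: hit counters on the ACL, then confirm the drop entry.
show access-lists BLOCK-ROGUE-AP
show mac address-table static
```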
09-29-2016 03:56 AM
Port security is a far better solution; doing what you are doing doesn't make much sense, as you are being reactive rather than proactive.
In the absence of NAC, it's a good solution; the downside is it can add administrative overhead, especially in an environment where nodes move around frequently.
Re the question: you are blocking the AP MAC, not that of the associated clients.
Martin
09-28-2016 08:37 PM
BTW, I've noticed that whenever I enter config mode and start typing
mac access-lists
before I'm able to enter the name, I need to enter
mac access-lists extended (name)
Is this OK, or is there a difference? Because I can't type in the ACL name without typing in "extended".
Thanks
Jeff
09-28-2016 04:35 AM
I would guess that this is not covered within your IT policy, stating that what they are doing is prohibited? In addition to the issue you are having, there are also security issues.
Another method, in addition, is to utilize port security.
Martin
09-29-2016 04:36 AM
Hi,
To be honest with you, get the MAC address which is causing these problems, trace it to the access port and block it, and they will have to come to you eventually.
Command to be used at Layer 2 for blocking MAC addresses:
mac-address-table static 0000.0000.0000 vlan X drop
Or just get yourself an ASA and create your internet policies; that way you have full control of your network.
Recommendation: create an IT policy for this before things get out of hand.
Thanks
09-29-2016 07:04 AM
You need to implement something which is going to prevent users plugging in a home router/switch, etc.
Denying by MAC may work, but you need to know the MAC(s) first, and you need to change the ACLs if they change the device. This approach will work but requires more work on your part.
Ideally your company needs to enforce rules; user education is the best way to go. In my company, if somebody did that, it would be a disciplinary offence.
The best way to block it is to use port security and restrict the MAC addresses.
Work out how many MAC addresses are needed per port: one for a single host, or two if you have IP phones, etc.
Then implement port security and limit the number of addresses to 1 or 2.
You can even leverage the sticky option so it only allows the first MAC address(es) it sees.
Most switches/routers/APs will have their own MAC address; combined with two attached hosts that will be three, which is more than the 1/2 you are allowing with port security.
Enforce the default shutdown option and force the users to call when the ports err-disable.
Personally, it would be a warning first, then disciplinary action the second time... but that's just me :)
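The port-security procedure described in the posts above, written out as an added example (not configuration from any poster). It assumes a Catalyst 2960 with one host per port on Gi0/1-24; the interface range, the recovery timer and the use of err-disable auto-recovery are choices made here, not anything the thread specifies.

```cisco
! Port security on every access port: learn and stick the first MAC seen, then
! err-disable the port when an extra MAC (a plugged-in home router) appears.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport port-security
 ! 1 for a single host; use 2 (or a voice VLAN) where an IP phone sits in front of the PC.
 switchport port-security maximum 1
 ! Sticky: the first learned MAC is written into the running config (save with wr mem).
 switchport port-security mac-address sticky
 ! shutdown is the default violation mode; stated explicitly so the intent is visible.
 switchport port-security violation shutdown
!
! Caveat from the thread: sticky only helps once the legitimate host has been learned.
! A router plugged into an empty port is learned as the "legitimate" MAC, so
! unused ports should be administratively shut until a host is assigned.
interface range GigabitEthernet0/25 - 48
 shutdown
!
! Optional: recover err-disabled ports after 300 s instead of a manual shut/no shut,
! so the user still notices the outage but the helpdesk is not the only way back.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: port state / violation count, and the sticky addresses learned.
show port-security interface GigabitEthernet0/5
show port-security address
show interfaces status err-disabled
```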