How to Block or Allow Several MAC Addresses on All My Cisco Switches

criscabellos
Level 1

Hello.

I have about ten Cisco switches in my company.

I'd like a way to easily apply and centrally manage rules to only allow specific MAC addresses to access any of the ports for any of the VLANs on any of my Cisco switches.

I have the list of all MAC addresses of all my devices that I need and want to be allowed.

The goal is that if anyone tries to plug any unknown device into my network, the device gets blocked directly by the switch.



Hi


Try this.

Router# configure terminal
Router(config)# mac address-table static 0050.3e8d.6400 vlan 12 drop


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/mac_traffic_blocking.pdf 

Thanks for your reply Flavio.

I've seen that command on another post, but if I understood correctly, it only blocks one MAC address at a time, for one VLAN and for only one switch.

I'd like a way to easily apply the mentioned command for several MAC addresses, on several switches and for all VLANs.

I mean, instead of blocking one MAC address at a time on each VLAN for each switch, one by one, I'd like to do it in bulk.

Also, this is for blocking, which would be fine for now for cases where we know the device we'd want to block, but my goal is actually to have everything blocked by default and only allow specific MAC addresses (my known devices), so that anything that is unknown by us gets automatically blocked by the switch.

Use vlan access-map with match mac list.

Now for the MAC, you can use the vendor MAC address in the MAC access list.

For example, Cisco starts with 00c0.xxxx.xxxx, so you can use 0c00 in the MAC ACL.
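Added example (not code from any poster in this thread): a small Python generator that takes a MAC list in the mixed formats an inventory export usually has, normalizes it to the dotted form IOS expects, and emits either the bulk version of the per-VLAN `mac address-table static ... drop` entries from Flavio's reply or the allowlist VACL (MAC ACL plus VLAN access-map plus `vlan filter`) MHM describes, so one generated file can be pushed to every switch. The map name KNOWN-DEVICES, the VLAN numbers and the sample MACs are constructed; note that on some Catalyst platforms a MAC ACL inside a VLAN map matches only non-IP frames, so verify the behaviour on your platform before relying on it.

```python
import re


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex
    and return the dotted form IOS expects (aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_static_drops(blocked: list[str], vlans: list[int]) -> str:
    """Bulk form of the per-MAC, per-VLAN drop entry from Flavio's reply:
    one 'mac address-table static ... drop' line per (MAC, VLAN) pair."""
    lines = [
        f"mac address-table static {mac} vlan {vlan} drop"
        for mac in sorted({normalize_mac(m) for m in blocked})
        for vlan in sorted(set(vlans))
    ]
    return "\n".join(lines) + "\n"


def build_vacl(allowed: list[str], vlans: list[int], name: str = "KNOWN-DEVICES") -> str:
    """Allowlist form: a MAC ACL of known hosts, a VLAN access-map that forwards
    only those hosts and drops every other frame, and the vlan filter binding.
    The map name and VLAN list are constructed placeholders."""
    acl = f"{name}-MACS"
    lines = [f"mac access-list extended {acl}"]
    # set() deduplicates; sorted() keeps the output stable so config diffs stay small
    for mac in sorted({normalize_mac(m) for m in allowed}):
        lines.append(f" permit host {mac} any")
    vlan_list = ",".join(str(v) for v in sorted(set(vlans)))
    lines += [
        f"vlan access-map {name} 10",
        f" match mac address {acl}",
        " action forward",
        f"vlan access-map {name} 20",  # no match clause: applies to all remaining frames
        " action drop",
        f"vlan filter {name} vlan-list {vlan_list}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample inventory export in the mixed formats such lists usually arrive in
    inventory = ["00:50:3E:8D:64:00", "00-50-3e-8d-64-01", "0050.3e8d.6402"]
    print(build_vacl(inventory, [10, 12, 20]))
    print(build_static_drops(["00:50:3e:8d:64:ff"], [10, 12]))
```

The MAC ACL ends with an implicit deny, and sequence 20 of the map has no match clause, so every frame from a MAC not in the list is dropped on the filtered VLANs.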

Thanks @MHM Cisco World.

I'll have to look and study on this.

Hi

Well, in that case I believe you need a more complex solution. You can take a look at RADIUS solutions. It does not necessarily need to be Cisco, but Cisco has ISE for that purpose.

I don't believe you can achieve what you want only with the switch config.

Thanks @Flavio Miranda.

I thought there would not be an easy way, because I couldn't find anything on the web.

I thought that this kind of security would be implemented within the switches, but I guess I was wrong.

As for the Radius, I can't use that on my network because the main company doesn't allow me to deal with it.

As for ISE, I haven't looked deeply into it, but from the little that I saw, it will probably be something my management will not approve due to high costs involved. 🤦🏻‍

But thanks for your suggestions!

Yes, ISE is a RADIUS and TACACS server and it is expensive. But, if you have time to study a little bit, an old PC out there can run a Linux operating system and you can install FreeRADIUS for free and achieve the same result.

Any other static solution like ACL or rules applied on the device will always be a waste of time. New vendors are always popping up, new MAC address ranges can be created and the nightmare never ends. Completely not scalable, and the attacker needs to find just one valid MAC address to break into your network.

With a RADIUS server you can achieve a decent level of protection with MAB and dot1x.

If you try to block MAC addresses on the switch, you will be doing the same thing this gentleman is doing in this funny video.

https://twitter.com/qqrmeme/status/1469714838309978113 

Thanks a lot @Flavio Miranda.

I don't have the time right now, but will certainly look into studying about this.

Hope that this works for me.

Other solutions a waste of time? That's not right; many use MAC ACLs and it works for networks with a low budget.
If the hacker knows the MAC address, he can also easily know the username/password.

@criscabellos try the MAC ACL and check the result.

Thanks @MHM Cisco World !

I'll have a look at this as well.

Leo Laohoo
Hall of Fame

Disable all unused ports or put all unused ports in VLAN 1.

Thanks for your reply @leo.

Unfortunately that won't work for me.

First, because there are no unused ports.

Second, because even for those used ports, unfortunately I have some users who tend to bring their own devices, or visitors, without notifying anyone at the company before plugging their device into our ports, and who remove whatever is currently connected to connect their own device.

Our company has a policy of not allowing any unknown device to be used within our network, but even so, the company is not allowed to look into everyone's personal bag. Also, with hundreds of employees, this would be an impracticable approach.

I need a logical way to deal with this, but also a way that is not expensive and that is practical in management throughout all my network devices (centralized).

I've tried blocking via DHCP and that works great for most cases, but I need something for all cases, because if someone knows our network settings, they are able to set up their device with a manual configuration. I also have VLAN segmentation, which also reduces risks, but it is not a 100% solution.

My thoughts were to block everything at the switch level and only allow my known devices list.

Since unfortunately Cisco switches don't have that security feature as easily manageable as I'd like it to be, as mentioned earlier, I'm looking for alternative solutions now.

I've looked into Cisco ISE as mentioned by Flavio Miranda, but although that might work for me, it is very expensive and I already know my company will not approve getting that solution.
