MAC ACL / BLOCKING

Apr 3rd, 2008

Hi,
I wish IronPort would add a feature to the WSA to allow MAC blocking. The reason is that a client may have no Active Directory; they're purely on free software like Linux or so.


just suggesting :-)

jowolfer Thu, 04/03/2008 - 17:00

I have filed the following enhancement to make sure this gets some official visibility:

40523 - Enhancement: Ability to create policies using MAC addresses as source triggers

Doc_ironport Thu, 04/03/2008 - 18:09

Unfortunately MAC blocking adds very little value in most environments.

By their nature, MAC addresses are only visible on a local subnet, and thus in order to do anything based on MAC address you would need all clients and the WSA itself to be physically located on the same network segment, which is going to be a very unusual setup in all but the smallest networks.

If you want to do any level of control by MAC address, the best way is to use a DHCP server to do static MAC-to-IP address mappings, and then block the users on the IronPort using the IP address.

angfeglandagan Fri, 04/04/2008 - 06:06

In some unusual cases a client doesn't have a static configuration environment; they've got a DHCP type of network setup, and yes, it's very odd on this kind of client.

This is, I guess, a rare case where a client doesn't have an AD, where the WSA could be configured to do LDAP authentication or SSO.

The reason I posted this topic is to address some clients, if they do need MAC blocking.

I recommended to the client to have an AD for LDAP authentication, or
to create one pool for users with internet access and one for users without, so the WSA can determine access via the IP ranges of the DHCP pool that was created.

my 5 cents :-)
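The workaround described in the two replies above (static MAC-to-IP reservations on the DHCP server, separate DHCP pools for clients with and without internet access, and IP-based policies on the WSA) can be scripted so that the IP side stays in step with the MAC side. The following is an added example, not code from this thread or from IronPort: it parses a constructed ISC dhcpd.conf fragment (hostnames, MACs and addresses are hypothetical), resolves a MAC block list to the reserved IPs, flags any MAC that has no reservation (which the WSA cannot enforce, because it never sees the MAC), and turns the pool ranges into CIDR blocks suitable for an IP-based policy.

```python
"""Resolve MAC-based blocking intent to IP-based WSA policy inputs.

Added example, not from the thread. Assumes ISC dhcpd.conf syntax for the
host reservations and pools; the WSA policy itself is entered by hand from
the output. All names and addresses below are constructed.
"""
import ipaddress
import re

# Constructed sample dhcpd.conf fragment (hypothetical): one pool for
# clients allowed to browse, one for clients that are not, and two static
# MAC-to-IP reservations.
SAMPLE_DHCPD_CONF = """
class "internet-users" { match hardware; }
subclass "internet-users" 1:00:11:22:33:44:55;

subnet 10.1.0.0 netmask 255.255.0.0 {
  pool {
    range 10.1.10.1 10.1.10.254;
    allow members of "internet-users";
  }
  pool {
    range 10.1.20.1 10.1.20.254;
    deny members of "internet-users";
  }
}
host lab-pc1 { hardware ethernet 00:11:22:33:44:55; fixed-address 10.1.30.11; }
host lab-pc2 { hardware ethernet aa:bb:cc:dd:ee:ff; fixed-address 10.1.30.12; }
"""

HOST_RE = re.compile(r'host\s+\S+\s*\{(.*?)\}', re.S)
MAC_RE = re.compile(r'hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;')
FIXED_RE = re.compile(r'fixed-address\s+([0-9.]+)\s*;')
RANGE_RE = re.compile(r'range\s+([0-9.]+)\s+([0-9.]+)\s*;')


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f'not a MAC address: {mac!r}')
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_reservations(conf):
    """Return {mac: ip} for every host block that carries a fixed-address."""
    result = {}
    for body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), FIXED_RE.search(body)
        if mac and ip:
            result[normalize_mac(mac.group(1))] = str(ipaddress.IPv4Address(ip.group(1)))
    return result


def parse_pool_ranges(conf):
    """Return the (first, last) address of every 'range' statement, in file order."""
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
            for a, b in RANGE_RE.findall(conf)]


def range_to_cidrs(first, last):
    """Express a DHCP range as the CIDR blocks a WSA IP-based policy takes."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def ips_for_macs(reservations, blocked_macs):
    """Map a MAC block list to reserved IPs.

    MACs without a static reservation are returned separately: with no
    fixed address there is nothing the WSA can match on.
    """
    resolved, unresolved = [], []
    for mac in blocked_macs:
        mac = normalize_mac(mac)
        (resolved if mac in reservations else unresolved).append(
            reservations.get(mac, mac))
    return resolved, unresolved


if __name__ == '__main__':
    reservations = parse_reservations(SAMPLE_DHCPD_CONF)
    # Constructed block list in mixed notations, one MAC with no reservation.
    blocked, missing = ips_for_macs(reservations, ['00-11-22-33-44-55', '0200.0000.0001'])
    print('block these IPs on the WSA:', blocked)
    print('no reservation, cannot be enforced by IP:', missing)
    for first, last in parse_pool_ranges(SAMPLE_DHCPD_CONF):
        print(f'pool {first}-{last} as CIDR:', ', '.join(range_to_cidrs(first, last)))
```

The unresolved list is the check worth keeping: a client that joins the network with a MAC the DHCP server has no reservation for will land in a dynamic pool, so its policy is decided by which pool (and therefore which IP range) it is placed in, not by the MAC itself.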

Doc_ironport Fri, 04/04/2008 - 16:56

In some unusual cases a client doesn't have a static configuration environment; they've got a DHCP type of network setup, and yes, it's very odd on this kind of client.


But are all of the clients on the same physical network (i.e., the same single IP range) as the WSA? If they aren't, and they go through a router to get to the IronPort, then the IronPort will only see the MAC address of the router, not the client.

The concept of MAC addresses (for any purpose) only makes sense for systems on the same network segment (i.e., the same "collision domain"); beyond that, MAC addresses are not used.
