04-15-2009 11:38 AM - edited 03-06-2019 05:11 AM
Hello,
I have a troublesome computer that someone brings in every night and surfs the Internet when they should not be. I would like to block their MAC address, not just on the port, because they can plug in somewhere else in the building. I would like to block it on the uplink. There is only one data VLAN feeding this switch (and one voice VLAN).
The switch is a 3560.
Thanks
Gene
04-15-2009 11:57 AM
Gene,
Do you want to block them by using MAC addresses?
You can use a VLAN ACL as well. You can try the following commands.
Switch(config)#mac access-list extended USER_A_B
Switch(config-ext-nacl)#permit host
Switch(config-ext-nacl)#permit host
Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A
Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward
Switch(config)#vlan filter BLOCK_USER_A_B vlan-list
Don't tell users that there are many tools out there that can change a MAC address on the NIC.
HTH,
Toshi
04-15-2009 12:22 PM
Sorry, my typo.
Switch(config)#mac access-list extended USER_A_B
Switch(config-ext-nacl)#permit host
Switch(config-ext-nacl)#permit host
Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A_B
Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward
Switch(config)#vlan filter BLOCK_USER_A_B vlan-list
Toshi
04-15-2009 02:37 PM
Nice Toshi.
04-15-2009 02:43 PM
Leo,
Thank you.
Toshi
04-15-2009 03:01 PM
Toshi, I configured the switch according to your post and that's great. But where does the blocking occur?
04-15-2009 03:07 PM
Victor,
Did it work?
HostA and HostB will be dropped because of what we configured.
Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A_B
Other hosts will be forwarded.
Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward
Toshi
04-15-2009 03:33 PM
Hi:
No, it didn't work, which is why I asked you where it is supposed to block.
Here are the configs on my access switch.
mac access-list extended USER1
deny host 0014.22cc.23e8 any
permit any any
!
!
!
!
vlan access-map BLOCK_USER1 10
action drop
match mac address USER1
vlan access-map BLOCK_USER1 20
action forward
vlan filter BLOCK_USER1 vlan-list 14
!
vlan 14
name VLAN14
!
I am on VLAN 14, using a laptop plugged into that switch.
I am able to ping the L3 SVI for VLAN 14. I can PING the switch's loopback interface. I can PING a connected router's loopback interface, etc.
What's the deal...? :-(
04-15-2009 03:38 PM
Victor,
That wasn't my configuration (grin). Please change this.
!
mac access-list extended USER1
permit host 0014.22cc.23e8 any
!
You should permit him/her in the ACL. After that, drop him/her in the ACTION.
Toshi
04-15-2009 04:00 PM
Technically this isn't blocking the MAC address. It essentially blocks ARP traffic from that MAC address, therefore IP traffic sort of doesn't work. But it will do the job. You can also give that MAC address a DHCP reservation, then block that IP address with an ACL.
04-15-2009 04:02 PM
Michael,
You're right. That's why we can do this way.
In case we did a static ARP on the host/PC itself, it won't work anyway.
5P! for clarifying
Toshi
04-15-2009 04:58 PM
Toshi:
Still doesn't work.
I fixed the mistake you caught.
Here is the config:
mac access-list extended USER1
permit host 0014.22cc.23e8 any
!
!
!
!
vlan access-map BLOCK_USER1 10
action drop
match mac address USER1
vlan access-map BLOCK_USER1 20
action forward
vlan filter BLOCK_USER1 vlan-list 14
!
vlan 14
name VLAN14
!
It's not blocking anything... I can PING the whole world...
04-15-2009 05:10 PM
I just figured it out...
You have to clear the ARP cache after you install the filter...
Then it will block...
Victor
04-15-2009 05:16 PM
Thank you for all your posts. Wouldn't this command work too?
mac-address-table static xxx.xxx.xxx vlan # drop
Thanks
Gene
04-15-2009 05:33 PM
Victor,
I'm at my customer site right now.
Thanks for labbing it up.
5P! for you. I like using the rating system, heheh.
Toshi
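Pulling the thread's VACL recipe together: the following Python linter is an added example, not code from the thread or from Cisco. It parses the posted style of configuration (indented running-config or flush-left paste), evaluates the VLAN map the way the switch does (clauses in sequence order, the first clause whose ACL permits the frame decides, implicit drop at the end) and reports the mistakes the posters hit: a `deny` in the `mac access-list` (the map's `action drop` applies to what the ACL *permits*), a `match mac address` that names an ACL which does not exist (the USER_A vs USER_A_B typo), a `permit any any` under a drop clause that would drop everyone, and a missing `vlan filter` binding. The sample configs are constructed from Victor's posts, using the MAC address he posted; `render_vacl` emits the version that finally worked. The check is purely about configuration logic: it does not model the platform behaviour Victor ran into, where IP traffic kept flowing until the ARP cache was cleared.

```python
"""Lint a Catalyst VLAN ACL (VACL) meant to drop chosen MAC addresses. Added example, not
code from the thread. It mirrors VLAN-map evaluation and flags the mistakes the posts hit:
'deny' in the mac access-list (the map's 'action drop' applies to frames the ACL *permits*),
'match mac address' naming an ACL that does not exist (USER_A vs USER_A_B), no 'vlan filter'
binding, and 'permit any any', which would drop every host on the VLAN.
"""

def expand_vlan_list(tokens):
    """'14,20-22' (possibly split across tokens) -> [14, 20, 21, 22]."""
    out = []
    for part in filter(None, ",".join(tokens).split(",")):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """(acls, maps, filters): {acl: [(action, mac|'any')]}, {map: {seq: {action, match}}}, {map: [vlans]}."""
    acls, maps, filters = {}, {}, {}
    ctx = None  # ("acl", name) | ("map", name, seq); works on indented or flush-left pastes
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            ctx = None  # '!' ends a configuration section
        elif w[:3] == ["mac", "access-list", "extended"] and len(w) == 4:
            ctx = ("acl", w[3])
            acls.setdefault(w[3], [])
        elif w[:2] == ["vlan", "access-map"] and len(w) == 4 and w[3].isdigit():
            ctx = ("map", w[2], int(w[3]))
            maps.setdefault(w[2], {})[int(w[3])] = {"action": None, "match": []}
        elif w[:2] == ["vlan", "filter"] and "vlan-list" in w:
            ctx = None
            filters.setdefault(w[2], []).extend(expand_vlan_list(w[w.index("vlan-list") + 1:]))
        elif ctx and ctx[0] == "acl" and w[0] in ("permit", "deny") and len(w) >= 3 and w[1] in ("host", "any"):
            acls[ctx[1]].append((w[0], w[2].lower() if w[1] == "host" else "any"))  # masked sources ignored
        elif ctx and ctx[0] == "map" and w[0] == "action" and len(w) == 2:
            maps[ctx[1]][ctx[2]]["action"] = w[1]
        elif ctx and ctx[0] == "map" and w[:3] == ["match", "mac", "address"]:
            maps[ctx[1]][ctx[2]]["match"].extend(w[3:])
    return acls, maps, filters

def acl_permits(entries, mac):
    # First-match evaluation of a mac access-list, with the implicit deny at the end.
    for act, target in entries:
        if target in (mac, "any"):
            return act == "permit"
    return False

def lint_vacl(text, blocked_macs, vlan):
    """Return the problems that stop blocked_macs from being dropped on vlan ([] means OK)."""
    acls, maps, filters = parse_config(text)
    blocked = sorted(m.lower() for m in blocked_macs)
    applied = [name for name, vlans in filters.items() if vlan in vlans]
    problems = [] if applied else [f"no 'vlan filter ... vlan-list' applies a map to VLAN {vlan}"]
    for map_name in applied:
        if map_name not in maps:
            problems.append(f"vlan filter names access-map {map_name}, which is not defined")
            continue
        verdict, catch_all_forward = {}, False  # the first matching clause decides a frame's fate
        for seq, clause in sorted(maps[map_name].items()):
            action, match = clause["action"], clause["match"]
            for acl in match:
                if acl not in acls:
                    problems.append(f"{map_name} {seq}: matches mac access-list {acl}, which is not defined")
                elif action == "drop":
                    for act, target in acls[acl]:
                        if act == "deny" and target in blocked:
                            problems.append(f"{acl}: 'deny host {target}' never matches; a VACL drops what the ACL permits")
                        elif (act, target) == ("permit", "any"):
                            problems.append(f"{acl}: 'permit any any' under an action-drop clause drops every host")
            catch_all_forward |= not match and action == "forward"
            for mac in blocked:
                if mac not in verdict and (not match or any(acl_permits(acls[a], mac) for a in match if a in acls)):
                    verdict[mac] = action
        if not catch_all_forward:
            problems.append(f"{map_name}: no catch-all 'action forward' clause; unmatched frames fall to the map's implicit drop")
        problems += [f"{m} is not dropped by {map_name} on VLAN {vlan}" for m in blocked if verdict.get(m) != "drop"]
    return problems

def render_vacl(acl_name, map_name, macs, vlans):
    # The thread's working recipe: permit the hosts in the ACL, drop what it matches in the map.
    out = [f"mac access-list extended {acl_name}"] + [f" permit host {m.lower()} any" for m in macs]
    out += ["!", f"vlan access-map {map_name} 10", " action drop", f" match mac address {acl_name}",
            f"vlan access-map {map_name} 20", " action forward", "!",
            f"vlan filter {map_name} vlan-list {','.join(map(str, vlans))}"]
    return "\n".join(out) + "\n"

# Constructed samples adapted from the configs posted above; the MAC is the one Victor posted.
BROKEN_DENY = """\
mac access-list extended USER1
deny host 0014.22cc.23e8 any
permit any any
vlan access-map BLOCK_USER1 10
action drop
match mac address USER1
vlan access-map BLOCK_USER1 20
action forward
vlan filter BLOCK_USER1 vlan-list 14
"""
FIXED = BROKEN_DENY.replace("deny host 0014.22cc.23e8 any\npermit any any", "permit host 0014.22cc.23e8 any")
NAME_TYPO = FIXED.replace("match mac address USER1", "match mac address USER")
```

`lint_vacl(BROKEN_DENY, ["0014.22cc.23e8"], 14)` reports the `deny` that can never match under a drop clause, the `permit any any` that would have dropped everyone else, and that the host is therefore not dropped; `lint_vacl(FIXED, ["0014.22cc.23e8"], 14)` returns an empty list, as does the output of `render_vacl`. Run it against `show running-config` output before applying a VACL on a production VLAN, since a mistake in the catch-all clause takes the whole VLAN down rather than one host.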