Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
0
Helpful
5
Replies

Blocking users using mac address

prince.ibe
Level 1
Level 1

‎10-26-2009 06:59 AM - edited ‎03-11-2019 09:31 AM

I have some users on our corporate network who I need to block from the network using mac address. I can't do this via dhcp because the users are using static IPs which they keep changing once it is blocked on the PIX 515E using the shun command.

How can I block access to these users on the PIX. The PIX is the default gateway.

Labels:
0 Helpful
5 Replies 5

andrew.prince
Level 10
Level 10

‎10-26-2009 08:34 AM

You cannot block by mac-address on the PIX.

HTH>

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to andrew.prince

‎10-26-2009 08:58 AM

Andrew is right. You cannot block based on the mac-address on the PIX but, you can see if you can do this on the switch side using mac access-list

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

0 Helpful

andrew.prince
Level 10
Level 10
In response to Kureli Sankar

‎10-26-2009 09:09 AM

You could also consider configuring your switch to0 use VMPS, depends on your switch platform.

If you do implement VMPS - you can create a specific VLAN for these users, then either block by IP address or route them into a black hole for non lAN traffic.

0 Helpful

prince.ibe
Level 1
Level 1
In response to andrew.prince

‎10-26-2009 12:41 PM

I have a slightly complex situation at the moment which I hope to solve in the near future.

I inherited a flat network. No VLANs. No DMZ. In fact, the PIX acts as the LAN gateway with only 2 ports - one inside the other outside to a router which connects to the internet via vsat modem.

I hope to implement some control soonest using websence but before then, I am up to my chin troubled about this particular user that frequently changes his static IP and throttles the network badly.

What other method can I readily deploy to cut him permanently off the network? ...

0 Helpful

andrew.prince
Level 10
Level 10
In response to prince.ibe

‎10-26-2009 12:47 PM

you can use private vlans - see the below url for config examples:-

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Put this guy's switch port in a seperate VLAN and control him this way.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card