Blocking MAC address on a Switch

uhl_frederick
Level 1

Hello,

I have a troublesome computer that someone brings in every night and surfs the Internet, when they should not be. I would like to block their mac address not on just the port, because they can plug in somewhere else in the building. I would like to block it on the uplink. Their is only one data VLAN feeding this switch (and one voice vlan).

Switch is a 3560

Thanks

Gene

14 Replies

Gene,

Do you want to block them by using mac-addresses?

You can use VLAN-ACL as well. You can try the following commands.

Switch(config)#mac access-list extended USER_A_B
Switch(config-ext-nacl)#permit host any
Switch(config-ext-nacl)#permit host any
Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A
Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward
Switch(config)#vlan filter BLOCK_USER_A_B vlan-list

Don't tell users that there are many tools out there that can change a mac-address on the NIC.

HTH,

Toshi

Sorry, my typo.

Switch(config)#mac access-list extended USER_A_B
Switch(config-ext-nacl)#permit host any
Switch(config-ext-nacl)#permit host any
Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A_B
Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward
Switch(config)#vlan filter BLOCK_USER_A_B vlan-list

Toshi

Nice Toshi.

Leo,

Thank you.

Toshi

Toshi, I configured the switch according to your post and that's great. But where does the blocking occur?

Victor,

Did it work?

HostA and HostB will be dropped due to what we configured.

Switch(config)#vlan access-map BLOCK_USER_A_B 10
Switch(config-access-map)#action drop
Switch(config-access-map)#match mac address USER_A_B

Other hosts will be forwarded.

Switch(config)#vlan access-map BLOCK_USER_A_B 20
Switch(config-access-map)#action forward

Toshi

Hi:

No, it didn't work, which is why I asked you where it is supposed to block.

Here are the configs on my access switch.

mac access-list extended USER1
 deny host 0014.22cc.23e8 any
 permit any any
!
vlan access-map BLOCK_USER1 10
 action drop
 match mac address USER1
vlan access-map BLOCK_USER1 20
 action forward
vlan filter BLOCK_USER1 vlan-list 14
!
vlan 14
 name VLAN14
!

I am on VLAN 14, using a laptop plugged into that switch.

I am able to ping the L3 SVI for VLAN 14. I can PING the switch's loopback interface. I can PING a connected router's loopback interface, etc...

What's the deal...? :-(

Victor,

That wasn't my configuration. (grin) Please change this.

!
mac access-list extended USER1
 permit host 0014.22cc.23e8 any
!

You should permit him/her in the ACL. After that, drop him/her in the ACTION.

Toshi

Technically this isn't blocking the MAC address. It essentially blocks ARP traffic from that MAC address, therefore IP traffic sort of doesn't work. But it will do the job. You can also give that MAC address a DHCP reservation, then block that IP address with an ACL.

Michael,

You're right. That's why we can do this way.

In case we did a static ARP on the host/PC itself, it won't work anyway.

5P! for clarifying

Toshi

Toshi:

Still doesn't work.

I fixed the mistake you caught.

Here is the config:

mac access-list extended USER1
 permit host 0014.22cc.23e8 any
!
vlan access-map BLOCK_USER1 10
 action drop
 match mac address USER1
vlan access-map BLOCK_USER1 20
 action forward
vlan filter BLOCK_USER1 vlan-list 14
!
vlan 14
 name VLAN14
!

It's not blocking anything... I can PING the whole world...

I just figured it out...

You have to clear the ARP cache after you install the filter....

Then it will block...
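As an added example (not code from anyone in this thread), a small Python generator that emits the VACL in the form the thread settled on, with MAC addresses normalized to Cisco's dotted notation and the permit-means-match semantics that tripped Victor up encoded in comments; the ACL/map names and VLAN 14 are taken from Victor's config, everything else is assumed.

```python
"""Emit a Catalyst VACL that drops frames from given source MACs on a VLAN.

Constructed example. Key point from the thread: in the MAC ACL, `permit`
means "this frame matches the ACL"; the `action drop` in the access-map
sequence does the dropping. A `deny` in the MAC ACL would simply exempt the
host from that sequence, which is why the first attempt blocked nothing.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff
    (any case) to Cisco's lowercase aabb.ccdd.eeff form."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_vacl(acl_name: str, map_name: str, macs, vlans) -> list:
    """Return IOS config lines: a MAC ACL matching the hosts, an access-map
    whose sequence 10 drops matches and sequence 20 forwards everything
    else, and the vlan filter applying the map to the listed VLAN(s)."""
    if not macs:
        raise ValueError("at least one MAC is required")
    lines = [f"mac access-list extended {acl_name}"]
    for mac in sorted({to_cisco_mac(m) for m in macs}):  # dedupe, stable order
        lines.append(f" permit host {mac} any")  # permit = match, not allow
    lines += [
        "!",
        f"vlan access-map {map_name} 10",
        " action drop",  # drops only what the ACL above matched
        f" match mac address {acl_name}",
        f"vlan access-map {map_name} 20",
        " action forward",  # everyone else keeps working
        "!",
        f"vlan filter {map_name} vlan-list {','.join(str(v) for v in vlans)}",
    ]
    # As Victor found, existing ARP entries keep working until the cache is
    # cleared after the filter is installed; that is an operator step, not config.
    return lines


if __name__ == "__main__":
    print("\n".join(build_vacl("USER1", "BLOCK_USER1", ["00:14:22:CC:23:E8"], [14])))
```

The generated output for Victor's host is the same block he posted above, so the script can be diffed against a running config to confirm nothing was mistyped.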

Victor

Thank you for all your posts. Wouldn't this command work too??

mac-address-table static xxx.xxx.xxx vlan # drop

Thanks

Gene

Victor,

I'm at my customer site right now.

Thanks for labbing it up.

5P! for you I like using the rating system heheh..

Toshi
