We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connecting to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches (a mixture of 2950, 2960 and 2960G; currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on Google, by searching these boards, or in the command reference.
I can create an ACL:
mac access-list extended MACBlackList
deny host aaaa.bbbb.cccc any
permit any any
But when I applied it to an interface, it did not perform as expected, allowing everything through still:
mac access-group MACBlackList in
And these commands are not supported for the VLAN interface. Instead, I considered making a policy map, but once again the VLAN interface doesn't support policy maps, and the switch wants a numbered ACL, not a named MAC ACL:
match access-group MACBlackList
interface vlan 1
service-policy input BlockedMACsPolicy
So the big question is: What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches? Thanks in advance for any advice you can give.
That definitely works for the 2960 Switches. I've already implemented it as a partial solution. Thanks for your help, alain. The 2950's are exhibiting odd behaviour, however. According to the command reference, it's been supported since release 12.1(19)EA1:
The 2950s are running Version 12.1(22)EA6. I assume it to be a later revision and should include the features of 12.1(19)EA1. Still, when entering the command:
mac address-table static 1234.5678.90ab vlan 1 drop
I am told "% Invalid input detected at...[drop]." It only accepts a command formatted like this:
mac address-table static 1234.5678.90ab vlan 1 interface fa0/1
Which I assume will forward traffic with the specified MAC towards the specified interface. I wondered if there was a null interface I could forward to, to simulate the action of a drop. Only FastEthernet and port-channel interfaces are allowed, so could I create a port channel, not assign it to any interfaces, and forward the traffic to be dropped to port channel 6?
interface port-channel 6
mac address-table static 1234.5678.90ab vlan 1 interface port-channel6
Or is this most likely caused by the IOS version not supporting DROP and I should upgrade to 12.1(22)EA14? Thanks for everyone's help so far!
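The working answer for the 2960s in this thread is a static MAC-table drop entry per MAC and per VLAN. Because the MAC address table is local to each Layer 2 switch and keyed by VLAN, the same entries have to be pushed to every switch that carries the VLAN, which gets tedious by hand. The following script is an added example, not code from the original posts: it normalizes MACs from an inventory (colon, dash, dotted or bare hex form, all constructed sample values) into Cisco's dotted notation and emits the `mac address-table static ... drop` lines for each VLAN. The host names, the inventory dictionary and the VLAN list are assumptions for illustration. Note that this blocks only the listed source MACs; it is a guard against accidental connections, not a boundary against a host that changes its address.

```python
import re

# Constructed inventory of sandbox hosts in several common MAC notations.
# These names and addresses are sample values, not from the original thread.
SANDBOX_HOSTS = {
    "sandbox-01": "AA:BB:CC:DD:EE:01",
    "sandbox-02": "aa-bb-cc-dd-ee-02",
    "sandbox-03": "aabb.ccdd.ee03",
    "sandbox-04": "AABBCCDDEE04",
}

# VLANs on the production side where these MACs must never be forwarded (assumed).
PRODUCTION_VLANS = [1, 10]


def to_cisco_mac(mac: str) -> str:
    """Convert a MAC written with ':', '-', '.' or no separators into
    Cisco's dotted form 'aabb.ccdd.eeff'. Raises ValueError on malformed input
    so a typo in the inventory never becomes a silently wrong drop entry."""
    hexdigits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def drop_commands(macs, vlans):
    """Return one 'mac address-table static <mac> vlan <n> drop' line per
    (MAC, VLAN) pair. MACs are normalized and de-duplicated first, so the same
    host listed twice in different notations yields a single entry per VLAN."""
    lines = []
    for mac in sorted({to_cisco_mac(m) for m in macs}):
        for vlan in vlans:
            lines.append(f"mac address-table static {mac} vlan {vlan} drop")
    return lines


def switch_config(hosts, vlans):
    """Build a configuration snippet to paste into every Layer 2 switch that
    carries the listed VLANs; the static table is per switch, so each one
    needs the same entries."""
    body = "\n".join(drop_commands(hosts.values(), vlans))
    return f"configure terminal\n{body}\nend\n"


if __name__ == "__main__":
    print(switch_config(SANDBOX_HOSTS, PRODUCTION_VLANS))
```

After applying the generated lines, `show mac address-table static` on each switch lists the entries so they can be checked against the inventory; the 2950 behaviour described above, where the `drop` keyword is rejected, will show up as the command failing to apply rather than as a missing entry, so the output of the paste should be checked as well.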