New Member

Blocking MACs from VLAN access

We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connecting to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches (a mixture of 2950, 2960 and 2960G; currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on Google, by searching these boards, or in the command reference.

I can create an ACL:

mac access-list extended MACBlackList
 deny   host aaaa.bbbb.cccc any
 permit any any

But when I applied it to an interface, it did not perform as expected, allowing everything through still:

interface FastEthernet0/1
 mac access-group MACBlackList in

And these commands are not supported for the VLAN interface. Instead, I considered making a policy map, but once again the VLAN interface doesn't support policy maps, and the switch wants a numbered ACL, not a named MAC ACL:

class-map BlockedMACsClass
 match access-group MACBlackList

policy-map BlockedMACsPolicy
 class BlockedMACsClass

interface vlan 1
 service-policy input BlockedMACsPolicy

So the big question is: what is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 switches? Thanks in advance for any advice you can give.

-Jonathan

4 REPLIES
Purple

Blocking MACs from VLAN access

Hi,

This is not working because a MAC ACL applied on a L2 port will only be effective for non-IP traffic.

One way could be to black-hole traffic to/from these MAC addresses like this:

mac address-table static xxxx.xxxx.xxxx  vlan x drop

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Blocking MACs from VLAN access

That definitely works for the 2960 switches. I've already implemented it as a partial solution. Thanks for your help, Alain. The 2950s are exhibiting odd behaviour, however. According to the command reference, it's been supported since release 12.1(19)EA1:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/CR/cli1.html#wp4344743

The 2950s are running Version 12.1(22)EA6. I assume it to be a later revision and should include the features of 12.1(19)EA1. Still, when entering the command:

mac address-table static 1234.5678.90ab vlan 1 drop

I am told "% Invalid input detected at...[drop]." It only accepts a command formatted like this:

mac address-table static 1234.5678.90ab vlan 1 interface fa0/1

Which I assume will forward traffic with the specified MAC towards the specified interface. I wondered if there was a null interface I could forward to, to simulate the action of a drop. Only FastEthernet and port-channel interfaces are allowed, so could I create a port channel, not assign it to any interfaces, and forward traffic to drop to port channel 6?

interface port-channel 6
 no shut
 exit
mac address-table static 1234.5678.90ab vlan 1 interface port-channel6

Or is this most likely caused by the IOS version not supporting DROP, and I should upgrade to 12.1(22)EA14? Thanks for everyone's help so far!

Purple

Blocking MACs from VLAN access

Hi,

According to the configuration guide of 12.1(22)EA7 this is supported.

But you can map to an unused interface like you proposed and it will have the same effect, which is blackholing traffic from/to this MAC address.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: Blocking MACs from VLAN access

I tested the custom bit-bucket method of sending it to a port group with no interfaces assigned. Worked out great. Thanks!

Also: one of the 2950s ran Version 12.1(9)EA1. Modifying the command with a dash as follows seems to work in the same manner.

mac-address-table static 1234.5678.90ab vlan 1 interface port-channel6
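The thread ends up with three syntax variants for the same black-hole entry: the native "drop" keyword on the 2960, the empty port-channel bit bucket on the 2950 (12.1(22)EA6), and the hyphenated "mac-address-table" form on the older 12.1(9)EA1 image. The following generator is an added example, not code from the thread or from Cisco; the platform labels ("2960", "2950", "2950-old") are our own, the bit-bucket port-channel number defaults to the 6 used above, and MAC addresses are normalised to Cisco's dotted format before emission so a colon- or dash-separated list from a WAP export can be fed in directly.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def to_cisco_mac(mac):
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff
    to the dotted lower-case form IOS expects (aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return "%s.%s.%s" % (digits[0:4], digits[4:8], digits[8:12])

def blackhole_commands(macs, vlan, platform, bit_bucket=6):
    """Return IOS global-config lines that black-hole each MAC on `vlan`.

    platform (our own labels, not IOS identifiers):
      "2960"     - native 'drop' keyword, as accepted on the 2960 in the thread
      "2950"     - static entry pointing at an empty port-channel (12.1(22)EA6)
      "2950-old" - same, but with the hyphenated command name (12.1(9)EA1)
    """
    vlan = int(vlan)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range: %d" % vlan)
    if platform == "2960":
        keyword, action = "mac address-table", "drop"
    elif platform == "2950":
        keyword, action = "mac address-table", "interface port-channel%d" % bit_bucket
    elif platform == "2950-old":
        keyword, action = "mac-address-table", "interface port-channel%d" % bit_bucket
    else:
        raise ValueError("unknown platform label %r" % platform)
    lines = []
    if action.startswith("interface"):
        # The bit bucket must exist before a static entry can reference it;
        # no physical ports are ever bundled into it, so frames sent there die.
        lines += ["interface port-channel %d" % bit_bucket, " no shut", " exit"]
    seen = set()
    for mac in macs:
        cmac = to_cisco_mac(mac)
        if cmac in seen:          # de-duplicate mixed-format input
            continue
        seen.add(cmac)
        lines.append("%s static %s vlan %d %s" % (keyword, cmac, vlan, action))
    return lines

if __name__ == "__main__":
    # Constructed sample list, not real hosts.
    for line in blackhole_commands(["12:34:56:78:90:AB", "1234.5678.90ab"], 1, "2950"):
        print(line)
```

After pasting the output into configuration mode, `show mac address-table static` lists the entries so the black hole can be confirmed per VLAN.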
