Cisco Support Community

New Member

MAC ACL / BLOCKING

Hi,
I wish IronPort would add a feature to the WSA to allow MAC blocking. The reason was: if a client had no Active Directory... they're purely on freeware like Linux or so...

Just suggesting :-)

4 REPLIES
New Member

Re: MAC ACL / BLOCKING

I have filed the following enhancement to make sure this gets some official visibility:

40523 - Enhancement: Ability to create policies using MAC addresses as source triggers

New Member

Re: MAC ACL / BLOCKING

Unfortunately MAC blocking adds very little value in most environments.

By their nature, MAC addresses are only visible on a local subnet, and thus in order to do anything based on MAC address you would need all clients and the WSA itself to be physically located on the same network segment, which is going to be a very unusual setup in everything but the smallest networks.

If you want to do any level of control by MAC address the best way is to use a DHCP server to do static MAC-IP address mappings, and then block the users on the IronPort using the IP address.

New Member

MAC ACL / BLOCKING

In some unusual cases, like a client that doesn't have a static configuration environment... they've got a DHCP network type of setup, and yes, it's very odd on this kind of client.

This is, I guess, a rare case where a client doesn't have an AD... where WSA can be configured to do LDAP authentication or SSO.

The reason why I posted this topic is to address some clients if they do need MAC blocking.

I recommended to the client to have an AD for the LDAP authentication, or to create a pool for users with internet access and one for users without internet, so the WSA can determine via its IP ranges from the DHCP pool that was created.

My 5 cents :-)

New Member

Re: MAC ACL / BLOCKING

"In some unusual cases, like a client that doesn't have a static configuration environment... they've got a DHCP network type of setup, and yes, it's very odd on this kind of client."

But are all of the clients on the same physical network (i.e., same single IP range) as the WSA? If they aren't, and they go through a router to get to the IronPort, then the IronPort will only see the MAC address of the router, not the client.

The concept of MAC addresses (for any purpose) only makes sense for systems on the same network segment (i.e., same "collision domain"); beyond that, MAC addresses are not used.
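To make the point of the two replies above concrete (a client's MAC is only seen by the WSA when no router sits in between, so the practical route is DHCP reservations plus IP-based policy), here is an added Python example. It is not code from this thread or from Cisco/IronPort: the WSA subnet, the reservation table, the deny list and all function names are constructed for illustration. It turns a MAC deny list into the IP deny list the proxy can actually enforce, and separately reports which of those MACs would even be visible to the WSA and which have no reservation at all (and therefore cannot be pinned to an address).

```python
import ipaddress
import re

# Constructed sample environment (not taken from the thread): the subnet the
# WSA's data interface sits on, a DHCP reservation table (MAC -> fixed IP),
# and the MACs an administrator wants to deny internet access.
WSA_SUBNET = ipaddress.ip_network("10.0.1.0/24")

DHCP_RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.1.50",   # same segment as the WSA
    "00:11:22:33:44:66": "10.0.2.20",   # behind a router, different segment
    "aa:bb:cc:dd:ee:ff": "10.0.1.51",   # reserved but not on the deny list
}

INTERNET_BLOCKED_MACS = [
    "00:11:22:33:44:55",
    "00-11-22-33-44-66",   # Windows-style separators, normalised below
    "de:ad:be:ef:00:01",   # no reservation: nothing the WSA can match on
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts ':', '-', '.' or bare hex."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_visible_to_wsa(ip: str, wsa_subnet: ipaddress.IPv4Network) -> bool:
    """The client's own source MAC only reaches the WSA if no router rewrites
    the frame on the way, i.e. only when the client is on the WSA's subnet."""
    return ipaddress.ip_address(ip) in wsa_subnet


def build_ip_policy(blocked_macs, reservations, wsa_subnet):
    """Translate a MAC deny list into the IP deny list the WSA can enforce.

    Returns the IPs to block plus three diagnostic lists: MACs the WSA could
    see directly, MACs hidden behind a router (IP is the only handle), and
    MACs with no reservation (cannot be enforced by IP either)."""
    table = {normalize_mac(m): str(ipaddress.ip_address(ip))
             for m, ip in reservations.items()}
    # Two MACs reserved to one IP would make the IP policy ambiguous.
    if len(set(table.values())) != len(table):
        raise ValueError("duplicate IPs in reservation table")

    result = {"block_ips": [], "mac_visible": [],
              "mac_behind_router": [], "no_reservation": []}
    for raw in blocked_macs:
        mac = normalize_mac(raw)
        ip = table.get(mac)
        if ip is None:
            result["no_reservation"].append(mac)
            continue
        result["block_ips"].append(ip)
        if mac_visible_to_wsa(ip, wsa_subnet):
            result["mac_visible"].append(mac)
        else:
            result["mac_behind_router"].append(mac)
    return result


if __name__ == "__main__":
    policy = build_ip_policy(INTERNET_BLOCKED_MACS, DHCP_RESERVATIONS, WSA_SUBNET)
    print("IPs to block on the WSA:", ", ".join(policy["block_ips"]))
    print("MACs the WSA could see directly:", policy["mac_visible"])
    print("MACs hidden behind a router (IP only):", policy["mac_behind_router"])
    print("MACs with no reservation (unenforceable):", policy["no_reservation"])
```

The "no_reservation" list is the operational caveat: a host that only ever gets a dynamic lease can change address at every renewal, so an IP-based deny entry for it would silently stop matching. Keeping the reservation table as the single source of truth, and re-running this translation whenever it changes, is what makes the IP policy track the intended MACs.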
