[c-nsp] Blocking "bad users" based on MAC Address

Rick Coloccia coloccia at geneseo.edu
Tue Mar 24 16:11:20 EDT 2009


Oh, thank you, I see how direct and precise this is, and if I wanted to
drop the person in several vlans, I assume I could do

mac-address-table static 0016.6f99.9e61 vlan 3030 drop
mac-address-table static 0016.6f99.9e61 vlan 3010 drop
mac-address-table static 0016.6f99.9e61 vlan 3020 drop

but would that begin to be bad regarding how much impact that would have on the core itself? Is there a more appropriate way for me to do what I need as this scales, so when I have 4, 5, or 10 mac addresses I'm blocking on several vlans?

Thanks, all!

-Rick



schilling wrote:
> You can just do
>
> mac-address-table static 0016.6f99.9e61 vlan 3030 drop.
>
> Schilling
>
> On Tue, Mar 24, 2009 at 3:42 PM, Rick Coloccia <coloccia at geneseo.edu> wrote:
>   
>> Is anyone doing anything like this in a Catalyst 6500?  I'm running a sup
>> 720 with ios 12.2(33)SXH4. I have a "bad user" that I need to block,
>> regardless of where or how they connect to the lan.  I hoped that by
>> blocking their mac address, where-ever it may appear, I might be able to
>> accomplish what I need. This doesn't seem to work on my test device.  My gut
>> tells me that the problem is in my mac address acl.  Thoughts? Other ways to
>> do this?
>> Thanks!
>> -Rick
>>
>> mac access-list extended AllDevices
>> permit any any
>> mac access-list extended BadDevices
>> permit host 0016.6f99.9e61 any
>> permit any host 0016.6f99.9e61
>> !
>> !
>> vlan access-map DropBadDevices 10
>> match mac address BadDevices
>> action drop
>> vlan access-map DropBadDevices 20
>> match mac address AllDevices
>> action forward
>> !
>> vlan filter DropBadDevices vlan-list 3030
>>
>>
>> c6513#show run int vlan 3030
>> interface Vlan3030
>> description ~VLAN 3030 - Encrypted Wireless
>> ip dhcp relay information trusted
>> ip address 137.238.100.1 255.255.252.0
>> ip helper-address 137.238.1.16
>> ip flow ingress
>> ip pim sparse-dense-mode
>> end
>>
>>
>> c6513#show vlan access-map DropBadDevices
>> Vlan access-map "DropBadDevices"  10
>>       match: mac address BadDevices
>>       action: drop
>> Vlan access-map "DropBadDevices"  20
>>       match: mac address AllDevices
>>       action: forward
>>
>> c6513#show vlan filter vlan 3030
>> Vlan 3030 has filter DropBadDevices.
>>       filter is active
>>
>> c6513#show vlan filter access-map DropBadDevices
>> VLAN Map DropBadDevices:
>>       Configured on VLANs:  3030
>>           Active on VLANs:  3030
>>
>> c6513#show mac-address-table | include 9e61
>> * 3030  0016.6f99.9e61   dynamic  Yes          0   Po1
>>
>>
>> --
>> Rick Coloccia, Jr.
>> Network Manager
>> State University of NY College at Geneseo
>> 1 College Circle, 119 South Hall
>> Geneseo, NY 14454
>> V: 585-245-5577
>> F: 585-245-5579
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>     

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
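Rick's scaling question (a handful of MAC addresses blocked across several VLANs) comes down to generating one static drop entry per (MAC, VLAN) pair and then checking the switch actually installed them. The script below is an added example, not code from the thread or from Cisco: it renders the `mac-address-table static <mac> vlan <id> drop` lines that Schilling suggested from a blocklist, and parses `show mac-address-table` output in the column layout Rick pasted to report whether each pair is still a dynamic entry. The sample output, the status names ("dropped", "learned", "absent") and the assumption that a drop entry is listed with type `static` are this example's own.

```python
import re

# Cisco dotted MAC format, e.g. 0016.6f99.9e61 (the format used in the thread)
DOTTED_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# One line of `show mac-address-table`: optional "*" marker, VLAN, MAC, type.
ENTRY_RE = re.compile(
    rf"^\*?\s*(?P<vlan>\d+)\s+(?P<mac>{DOTTED_MAC})\s+(?P<type>\w+)"
)

# Constructed sample output in the column layout shown in the thread; the
# second line assumes a configured drop entry is listed with type "static".
SAMPLE_SHOW = """\
  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*  3030  0016.6f99.9e61   dynamic  Yes          0   Po1
*  3010  0016.6f99.9e61   static   No           -   Drop
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff and return the lowercase Cisco dotted form the CLI expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def drop_config(macs, vlans):
    """Render one `mac-address-table static <mac> vlan <id> drop` line per
    (MAC, VLAN) pair, deduplicated and sorted so repeated runs diff cleanly."""
    lines = []
    for mac in sorted({normalize_mac(m) for m in macs}):
        for vlan in sorted(set(vlans)):
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN id out of range: {vlan}")
            lines.append(f"mac-address-table static {mac} vlan {vlan} drop")
    return lines


def audit_drops(show_output, macs, vlans):
    """Compare `show mac-address-table` output against the intended blocklist.

    Returns {(mac, vlan): status} where status is one of:
      "dropped" - a static entry exists for the pair (drop entry installed),
      "learned" - the MAC is still a dynamic entry (drop not in effect),
      "absent"  - no entry at all (static entry never configured).
    The status names are this example's own, not IOS terminology."""
    seen = {}
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            seen[(m["mac"], int(m["vlan"]))] = m["type"].lower()
    result = {}
    for mac in {normalize_mac(x) for x in macs}:
        for vlan in set(vlans):
            entry_type = seen.get((mac, vlan))
            if entry_type == "static":
                result[(mac, vlan)] = "dropped"
            elif entry_type is None:
                result[(mac, vlan)] = "absent"
            else:
                result[(mac, vlan)] = "learned"
    return result


if __name__ == "__main__":
    # Config to paste for one blocked MAC across the three VLANs in the thread
    for line in drop_config(["00:16:6F:99:9E:61"], [3030, 3010, 3020]):
        print(line)
    # Audit the constructed sample output against the same blocklist
    report = audit_drops(SAMPLE_SHOW, ["0016.6f99.9e61"], [3010, 3020, 3030])
    for (mac, vlan), status in sorted(report.items()):
        print(f"{mac} vlan {vlan}: {status}")
```

Run it against the real `show mac-address-table | include <mac>` output after pasting the generated lines; any pair reported as "learned" or "absent" is a VLAN where the block is not in place.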


