[c-nsp] Blocking "bad users" based on MAC Address
Rick Coloccia
coloccia at geneseo.edu
Tue Mar 24 15:42:46 EDT 2009
Is anyone doing anything like this in a Catalyst 6500? I'm running a
sup 720 with IOS 12.2(33)SXH4. I have a "bad user" that I need to block,
regardless of where or how they connect to the LAN. I hoped that by
blocking their MAC address, wherever it may appear, I might be able to
accomplish what I need.
This doesn't seem to work on my test device. My gut tells me that the
problem is in my MAC address ACL. Thoughts? Other ways to do this?
Thanks!
-Rick
mac access-list extended AllDevices
permit any any
mac access-list extended BadDevices
permit host 0016.6f99.9e61 any
permit any host 0016.6f99.9e61
!
!
vlan access-map DropBadDevices 10
match mac address BadDevices
action drop
vlan access-map DropBadDevices 20
match mac address AllDevices
action forward
!
vlan filter DropBadDevices vlan-list 3030
c6513#show run int vlan 3030
interface Vlan3030
description ~VLAN 3030 - Encrypted Wireless
ip dhcp relay information trusted
ip address 137.238.100.1 255.255.252.0
ip helper-address 137.238.1.16
ip flow ingress
ip pim sparse-dense-mode
end
c6513#show vlan access-map DropBadDevices
Vlan access-map "DropBadDevices" 10
match: mac address BadDevices
action: drop
Vlan access-map "DropBadDevices" 20
match: mac address AllDevices
action: forward
c6513#show vlan filter vlan 3030
Vlan 3030 has filter DropBadDevices.
filter is active
c6513#show vlan filter acc
c6513#show vlan filter access-map DropBadDevices
VLAN Map DropBadDevices:
Configured on VLANs: 3030
Active on VLANs: 3030
c6513#show mac-address-table | include 9e61
* 3030 0016.6f99.9e61 dynamic Yes 0 Po1
--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
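As an added illustration (not part of Rick's post or of any Cisco tooling), the script below generalises the posted VACL approach: it normalises MAC addresses written in any common notation into Cisco dotted form, emits the same mac access-list / vlan access-map / vlan filter configuration for an arbitrary list of blocked MACs and VLANs, and parses "show mac-address-table" output to report on which VLAN and port a blocked MAC is currently learned, which is the first thing an operator checks when verifying whether a filter is actually in the path. The mac-address-table text is constructed here in the column layout of the one line quoted in the post; the function names and the map name default are my own choices.

```python
import re

# Cisco dotted notation, e.g. 0016.6f99.9e61 (lower case after normalisation).
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the Cisco dotted form used in mac access-lists."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def build_vacl_config(bad_macs, vlans, map_name="DropBadDevices"):
    """Render the VACL configuration from the post for any number of MACs/VLANs.
    Sequence 10 drops frames to or from a listed MAC; sequence 20 forwards the rest."""
    lines = [
        "mac access-list extended AllDevices",
        " permit any any",
        "mac access-list extended BadDevices",
    ]
    for mac in sorted({normalize_mac(m) for m in bad_macs}):
        lines.append(f" permit host {mac} any")
        lines.append(f" permit any host {mac}")
    lines += [
        "!",
        f"vlan access-map {map_name} 10",
        " match mac address BadDevices",
        " action drop",
        f"vlan access-map {map_name} 20",
        " match mac address AllDevices",
        " action forward",
        "!",
        f"vlan filter {map_name} vlan-list {','.join(str(v) for v in vlans)}",
    ]
    return "\n".join(lines)


def find_mac_locations(show_output: str, mac: str):
    """Scan 'show mac-address-table' output and return [(vlan, port), ...]
    for every entry whose MAC matches. The VLAN is the token before the MAC,
    the port is the last token on the line (matches the quoted table layout)."""
    target = normalize_mac(mac)
    hits = []
    for line in show_output.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if MAC_RE.match(tok) and tok == target:
                vlan = tokens[i - 1] if i >= 1 else "?"
                hits.append((vlan, tokens[-1]))
                break
    return hits


# Constructed sample output; only the first data row is taken from the post.
SAMPLE_MAC_TABLE = """\
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*  3030  0016.6f99.9e61   dynamic  Yes          0   Po1
*  3030  0011.2233.4455   dynamic  Yes         10   Gi1/1
*   300  0016.6f99.9e61   dynamic  Yes          5   Gi2/3
"""

if __name__ == "__main__":
    blocked = ["00:16:6F:99:9E:61"]
    print(build_vacl_config(blocked, [3030, 300]))
    for mac in blocked:
        for vlan, port in find_mac_locations(SAMPLE_MAC_TABLE, mac):
            print(f"{normalize_mac(mac)} learned on VLAN {vlan} via {port}")
```

The location report is the useful part operationally: if the MAC shows up on a VLAN that is not in the vlan-list, the filter is simply not in that frame's path, and the generated vlan-list should be widened. The script only produces configuration text; whether the switch actually classifies IP frames against a MAC ACL is a platform question (on the Catalyst 6500 it depends on the interface's mac packet-classify setting), which is not something this post's output can confirm either way.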