[c-nsp] Blocking "bad users" based on MAC Address

schilling schilling2006 at gmail.com
Tue Mar 24 15:51:19 EDT 2009


You can just do

mac-address-table static 0016.6f99.9e61 vlan 3030 drop

Schilling

On Tue, Mar 24, 2009 at 3:42 PM, Rick Coloccia <coloccia at geneseo.edu> wrote:
> Is anyone doing anything like this in a Catalyst 6500?  I'm running a sup
> 720 with ios 12.2(33)SXH4. I have a "bad user" that I need to block,
> regardless of where or how they connect to the lan.  I hoped that by
> blocking their mac address, wherever it may appear, I might be able to
> accomplish what I need. This doesn't seem to work on my test device.  My gut
> tells me that the problem is in my mac address acl.  Thoughts? Other ways to
> do this?
> Thanks!
> -Rick
>
> mac access-list extended AllDevices
> permit any any
> mac access-list extended BadDevices
> permit host 0016.6f99.9e61 any
> permit any host 0016.6f99.9e61
> !
> !
> vlan access-map DropBadDevices 10
> match mac address BadDevices
> action drop
> vlan access-map DropBadDevices 20
> match mac address AllDevices
> action forward
> !
> vlan filter DropBadDevices vlan-list 3030
>
>
> c6513#show run int vlan 3030
> interface Vlan3030
> description ~VLAN 3030 - Encrypted Wireless
> ip dhcp relay information trusted
> ip address 137.238.100.1 255.255.252.0
> ip helper-address 137.238.1.16
> ip flow ingress
> ip pim sparse-dense-mode
> end
>
>
> c6513#show vlan access-map DropBadDevices
> Vlan access-map "DropBadDevices"  10
>       match: mac address BadDevices
>       action: drop
> Vlan access-map "DropBadDevices"  20
>       match: mac address AllDevices
>       action: forward
>
> c6513#show vlan filter vlan 3030
> Vlan 3030 has filter DropBadDevices.
>       filter is active
>
> c6513#show vlan filter access-map DropBadDevices
> VLAN Map DropBadDevices:
>       Configured on VLANs:  3030
>           Active on VLANs:  3030
>
> c6513#show mac-address-table | include 9e61
> * 3030  0016.6f99.9e61   dynamic  Yes          0   Po1
>
>
> --
> Rick Coloccia, Jr.
> Network Manager
> State University of NY College at Geneseo
> 1 College Circle, 119 South Hall
> Geneseo, NY 14454
> V: 585-245-5577
> F: 585-245-5579
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
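
Added example, not part of the original thread: the static drop entry suggested in the reply names a single VLAN, so covering a MAC "wherever it may appear" means one entry per VLAN in which it is learned. The sketch below parses `show mac-address-table` text in the layout of the line quoted above and emits one drop command per VLAN; the function names and the sample table are constructed for illustration.

```python
import re

# Constructed sample modeled on the `show mac-address-table` line quoted in
# the thread (flag, vlan, mac, type, learn, age, port); not real device output.
SAMPLE_OUTPUT = """\
* 3030  0016.6f99.9e61   dynamic  Yes          0   Po1
* 3030  0011.2233.4455   dynamic  Yes          5   Gi1/1
*  200  0016.6f99.9e61   dynamic  Yes         10   Gi2/7
*  200  0016.6f99.9e61   dynamic  Yes         15   Po1
"""

# Optional "*" flag, VLAN ID, then a MAC in Cisco dotted notation.
ENTRY = re.compile(r"^\*?\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s", re.I)


def to_cisco_mac(mac):
    """Normalize aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to Cisco dotted form."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def vlans_seen(show_output, mac):
    """Return the sorted VLAN IDs in which `mac` appears in the table text."""
    target = to_cisco_mac(mac)
    found = set()
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2).lower() == target:
            found.add(int(m.group(1)))  # set: duplicate ports collapse per VLAN
    return sorted(found)


def drop_commands(show_output, mac):
    """Build one static drop entry per VLAN where the MAC was learned."""
    target = to_cisco_mac(mac)
    return [f"mac-address-table static {target} vlan {vlan} drop"
            for vlan in vlans_seen(show_output, mac)]


if __name__ == "__main__":
    for cmd in drop_commands(SAMPLE_OUTPUT, "00:16:6F:99:9E:61"):
        print(cmd)
```

The output only covers VLANs where the address is currently in the table, so a VLAN the device has not yet joined needs its own entry.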

