[c-nsp] Blocking "bad users" based on MAC Address
Rick Coloccia
coloccia at geneseo.edu
Tue Mar 24 16:11:20 EDT 2009
oh, thank you, I see how direct and precise this is, and if I wanted to
drop the person in several vlans, I assume I could do
mac-address-table static 0016.6f99.9e61 vlan 3030 drop
mac-address-table static 0016.6f99.9e61 vlan 3010 drop
mac-address-table static 0016.6f99.9e61 vlan 3020 drop
but would that begin to be bad regarding how much impact that would have on the core itself? Is there a more appropriate way for me to do what I need as this scales, so when I have 4, 5, or 10 mac addresses I'm blocking on several vlans?
Thanks, all!
-Rick
schilling wrote:
> You can just do
>
> mac-address-table static 0016.6f99.9e61 vlan 3030 drop.
>
> Schilling
>
> On Tue, Mar 24, 2009 at 3:42 PM, Rick Coloccia <coloccia at geneseo.edu> wrote:
>
>> Is anyone doing anything like this in a Catalyst 6500? I'm running a sup
>> 720 with ios 12.2(33)SXH4. I have a "bad user" that I need to block,
>> regardless of where or how they connect to the lan. I hoped that by
>> blocking their mac address, wherever it may appear, I might be able to
>> accomplish what I need. This doesn't seem to work on my test device. My gut
>> tells me that the problem is in my mac address acl. Thoughts? Other ways to
>> do this?
>> Thanks!
>> -Rick
>>
>> mac access-list extended AllDevices
>> permit any any
>> mac access-list extended BadDevices
>> permit host 0016.6f99.9e61 any
>> permit any host 0016.6f99.9e61
>> !
>> !
>> vlan access-map DropBadDevices 10
>> match mac address BadDevices
>> action drop
>> vlan access-map DropBadDevices 20
>> match mac address AllDevices
>> action forward
>> !
>> vlan filter DropBadDevices vlan-list 3030
>>
>>
>> c6513#show run int vlan 3030
>> interface Vlan3030
>> description ~VLAN 3030 - Encrypted Wireless
>> ip dhcp relay information trusted
>> ip address 137.238.100.1 255.255.252.0
>> ip helper-address 137.238.1.16
>> ip flow ingress
>> ip pim sparse-dense-mode
>> end
>>
>>
>> c6513#show vlan access-map DropBadDevices
>> Vlan access-map "DropBadDevices" 10
>> match: mac address BadDevices
>> action: drop
>> Vlan access-map "DropBadDevices" 20
>> match: mac address AllDevices
>> action: forward
>>
>> c6513#show vlan filter vlan 3030
>> Vlan 3030 has filter DropBadDevices.
>> filter is active
>>
>> c6513#show vlan filter access-map DropBadDevices
>> VLAN Map DropBadDevices:
>> Configured on VLANs: 3030
>> Active on VLANs: 3030
>>
>> c6513#show mac-address-table | include 9e61
>> * 3030 0016.6f99.9e61 dynamic Yes 0 Po1
>>
>>
>> --
>> Rick Coloccia, Jr.
>> Network Manager
>> State University of NY College at Geneseo
>> 1 College Circle, 119 South Hall
>> Geneseo, NY 14454
>> V: 585-245-5577
>> F: 585-245-5579
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
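For the scaling question above (several MACs blocked across several VLANs), a small helper, added here and not part of the thread, that normalizes MAC addresses into the dotted form the switch CLI expects, renders one `mac-address-table static ... drop` line per MAC/VLAN pair, and reads `show mac-address-table` output to report where each blocked MAC is currently learned. The sample table rows are constructed to match the column layout of the single line quoted in the thread; real output may differ by platform and release.

```python
import re
from itertools import product

# Cisco dotted-hex form used on the switch CLI, e.g. 0016.6f99.9e61
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Accept 00:16:6f:99:9e:61, 00-16-6F-99-9E-61 or 0016.6f99.9e61; return dotted form."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"

def static_drop_config(macs, vlans):
    """One 'mac-address-table static ... drop' line per (MAC, VLAN) pair, deduplicated and sorted."""
    pairs = sorted({(normalize_mac(m), int(v)) for m, v in product(macs, vlans)})
    return [f"mac-address-table static {m} vlan {v} drop" for m, v in pairs]

# Row layout assumed from the thread: [*] vlan  mac  type  learn  age  ports
_ROW = re.compile(r"^\s*\*?\s*(\d+)\s+([0-9a-f.]{14})\s+(\w+)\s+\S+\s+\S+\s+(\S+)")

def where_learned(show_output: str, macs):
    """Map each blocked MAC to the (vlan, entry type, port) rows present in the table."""
    wanted = {normalize_mac(m) for m in macs}
    seen = {m: [] for m in wanted}
    for line in show_output.splitlines():
        row = _ROW.match(line)
        if row and row.group(2) in wanted:
            seen[row.group(2)].append((int(row.group(1)), row.group(3), row.group(4)))
    return seen

# Constructed sample output; the first data row mirrors the one quoted in the thread.
SAMPLE_SHOW = """\
Legend: * - primary entry
  vlan   mac address     type    learn     age   ports
------+----------------+--------+-----+----------+--------------------------
*  3030  0016.6f99.9e61   dynamic  Yes          0   Po1
*  3010  0016.6f99.9e61   dynamic  Yes         10   Gi3/1
*  3020  0000.0c07.ac01   dynamic  Yes          0   Po2
"""

if __name__ == "__main__":
    blocked = ["00:16:6F:99:9E:61"]
    print("\n".join(static_drop_config(blocked, [3030, 3010, 3020])))
    print(where_learned(SAMPLE_SHOW, blocked))
```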