[c-nsp] Blocking "bad users" based on MAC Address

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 25 06:32:04 EDT 2009


Rick Coloccia wrote:
> oh, thank you, I see how direct and precise this is, and if I wanted
> to drop the person in several vlans, I assume I could do
> 
> mac-address-table static 0016.6f99.9e61 vlan 3030 drop 
> mac-address-table static 0016.6f99.9e61 vlan 3010 drop 
> mac-address-table static 0016.6f99.9e61 vlan 3020 drop

Yes

> 
> but would that begin to be bad regarding how much impact that would
> have on the core itself? Is there a more appropriate way for me to do

They're just FDB entries.

> what I need as this scales, so when I have 4, 5, or 10 mac addresses
> I'm blocking on several vlans?

Some kind of MAC auth - so MAB to a radius server, or VMPS (avoid).
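
Added example, not part of the original post: a small generator for the per-VLAN static drop entries discussed above, for the case where the block list grows to several MACs across several VLANs. The command form is the one quoted in the thread; the function names and the second sample MAC are assumptions made for illustration.

```python
import re

CMD = "mac-address-table static {mac} vlan {vlan} drop"  # command form quoted in the thread


def to_cisco_mac(raw):
    """Normalize aa:bb:.., aa-bb-.., or aabb.ccdd.eeff to Cisco dotted form."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # The low bit of the first octet marks a group (multicast/broadcast) address;
    # a per-user block list should only ever contain unicast station addresses.
    if int(digits[0:2], 16) & 0x01:
        raise ValueError(f"group address, refusing to block: {raw!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def drop_entries(macs, vlans):
    """Return one static drop line per (MAC, VLAN) pair, de-duplicated, in stable order."""
    for v in vlans:
        if not 1 <= v <= 4094:
            raise ValueError(f"VLAN id out of range: {v}")
    uniq_macs = list(dict.fromkeys(to_cisco_mac(m) for m in macs))
    uniq_vlans = list(dict.fromkeys(vlans))
    return [CMD.format(mac=m, vlan=v) for m in uniq_macs for v in uniq_vlans]


if __name__ == "__main__":
    # Constructed sample input: the first MAC and the VLANs are the ones from the
    # thread, given twice in different notations; the second MAC is made up.
    blocked = ["00:16:6F:99:9E:61", "0016.6f99.9e61", "02-00-5e-10-00-01"]
    for line in drop_entries(blocked, [3030, 3010, 3020]):
        print(line)
```

Normalizing before de-duplicating keeps the same station from being entered twice when the block list is collected from sources that write MACs differently.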

