Deny particular MAC address internet access

Started by flipmode, February 16, 2016, 11:51:29 AM


flipmode

Is there a way to deny a specific MAC address on the network internet access? I know that if we statically assign him an IP address and reserve it on the DHCP server that we could apply the "access-list 101 deny tcp any host <ip address> eq 80 and 443", but I'm curious to know if there is a way to deny IP packets at Layer 2. Also, we use a MAC ACL for access to our network and I know that you can only assign one MAC ACL to an interface, so that might be a limitation as well. I'm pretty sure it won't be possible but wanted to confirm with you guys.

srg

as if the mind had darkened forever.

deanwebb

MAC ACL, yes. If you have a NAC system, it can assign a MAC ACL that follows that MAC wherever it plugs into. If it has both wired and wireless, you want a MAC ACL for both MACs on that device.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

flipmode

Unfortunately, no NAC system here. I guess I would just add the line to our current MAC ACL.

So would it look like this:

(config)#mac access-list extended <name>
(config-mac-acl)# deny host <mac address> eq 80 <-- this is to deny internet to the particular host
(config-mac-acl)# permit host <mac address> any  <-- we currently use this MAC ACL to access our network for about 50 machines

Thanks!

icecream-guy

Quote from: flipmode on February 16, 2016, 11:51:29 AM
but I'm curious to know if there is a way to deny IP packets at Layer 2.

No, there is no way to deny IP packets at Layer 2, for the simple reason that there are no IP packets at Layer 2.
They are all frames.

MAC access-lists would be the way to go, but do include other port variants such as 443 and 8080.

My Moral Fibers have been cut.
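Worked configuration for the approach the original poster sketched (DHCP reservation plus an extended IP ACL) with the extra ports icecream-guy mentions. This is an added example in Cisco IOS syntax, not configuration from anyone in the thread; the host MAC 0011.2233.4455, the reserved address 192.0.2.50 and the SVI Vlan10 are assumed placeholders. A MAC ACL matches on MAC addresses and EtherType, not TCP ports, so the `eq 80` line above has no equivalent there; port filtering belongs in an IP ACL.

```cisco
! Added example (not from the thread). Assumed values: host MAC 0011.2233.4455,
! reserved IP 192.0.2.50/24, Layer 3 interface facing the user VLAN is Vlan10.
!
! 1. Pin the MAC to a fixed address with a manual DHCP binding (IOS DHCP server).
!    The client-identifier is "01" (Ethernet) followed by the MAC, dotted-hex.
ip dhcp pool HOST-BLOCKED
 host 192.0.2.50 255.255.255.0
 client-identifier 0100.1122.3344.55
!
! 2. Extended IP ACL: deny the host's outbound web traffic (80, 443, 8080),
!    match it as the SOURCE, and keep everything else flowing.
ip access-list extended BLOCK-INTERNET
 remark Deny web access for the reserved host 192.0.2.50
 deny   tcp host 192.0.2.50 any eq 80
 deny   tcp host 192.0.2.50 any eq 443
 deny   tcp host 192.0.2.50 any eq 8080
 permit ip any any
!
! 3. Apply the ACL inbound on the interface the host's traffic enters through.
interface Vlan10
 ip access-group BLOCK-INTERNET in
```

Verify with `show ip access-lists BLOCK-INTERNET` after the host browses: the deny counters should increment for that host only, and `show ip dhcp binding` should show 192.0.2.50 tied to the expected MAC.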