Deny particular MAC address internet access

flipmode · February 16, 2016, 11:51:29 AM

Is there a way to deny a specific MAC address on the network internet access? I know that if we statically assign him an IP address and reserve it on the DHCP server that we could apply the "access-list 101 deny tcp any host <ip address> eq 80 and 443" but Im curious to know if there is a way deny IP packets at Layer 2. Also, we use a MAC ACL for access to our network and I know that you can only assign one MAC ACL to an interface so that might be a limitation as well. Im pretty sure it wont be possible but wanted to confirm with you guys.

srg · February 16, 2016, 11:59:31 AM

I don't see why a mac acl wouldn't work.

deanwebb · February 16, 2016, 12:06:46 PM

MAC ACL, yes. If you have a NAC system, it can assign a MAC ACL that follows that MAC wherever it plugs into. If it has both wired and wireless, you want a MAC ACL for both MACs on that device.

flipmode · February 16, 2016, 12:20:47 PM

Unfortunately, no NAC system here. I guess I would just add the line to our current MAC ACL.

So would it look like this:

(config)#mac access-list extended <name>
(config-mac-acl)# deny host <mac address> eq 80 <--this to deny internet to the particular host
(config-mac-acl)# permit host <mac address> any <-- we currently use this MAC ACL to access our network for about 50 machines

Thanks!

icecream-guy · February 16, 2016, 01:55:44 PM

Quote from: flipmode on February 16, 2016, 11:51:29 AM
but Im curious to know if there is a way deny IP packets at Layer 2.

No there is no way to deny IP packets at Layer 2. this is due for the simple reason, that there are no IP packets at layer 2.
they are all frames.

MAC access-lists would be the way to go, but do include other port variants such as 443, 8080,

Deny particular MAC address internet access

flipmode

srg

deanwebb

flipmode

icecream-guy