Is there a way to deny a specific MAC address on the network internet access? I know that if we statically assign him an IP address and reserve it on the DHCP server that we could apply the "access-list 101 deny tcp any host <ip address> eq 80 and 443", but I'm curious to know if there is a way to deny IP packets at Layer 2. Also, we use a MAC ACL for access to our network and I know that you can only assign one MAC ACL to an interface, so that might be a limitation as well. I'm pretty sure it won't be possible but wanted to confirm with you guys.
I don't see why a mac acl wouldn't work.
MAC ACL, yes. If you have a NAC system, it can assign a MAC ACL that follows that MAC wherever it plugs into. If it has both wired and wireless, you want a MAC ACL for both MACs on that device.
Unfortunately, no NAC system here. I guess I would just add the line to our current MAC ACL.
So would it look like this:
(config)#mac access-list extended <name>
(config-mac-acl)# deny host <mac address> eq 80 <--this to deny internet to the particular host
(config-mac-acl)# permit host <mac address> any <-- we currently use this MAC ACL to access our network for about 50 machines
Thanks!
Quote from: flipmode on February 16, 2016, 11:51:29 AM
but I'm curious to know if there is a way to deny IP packets at Layer 2.
No, there is no way to deny IP packets at Layer 2, for the simple reason that there are no IP packets at Layer 2.
They are all frames. :problem?:
MAC access-lists would be the way to go, but do include other port variants such as 443, 8080,
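For contrast, here is an added example in Cisco IOS syntax (not posted by anyone in this thread) showing the MAC ACL the OP describes next to an IP ACL that actually carries the web block; the MAC addresses, the 192.0.2.50 reservation, the ACL names and the interface are placeholders, and the platform is assumed to be a Catalyst-style switch.

```cisco
! Added example, not from the thread. Placeholder values:
!   0011.2233.4455, 0011.2233.4466 = approved workstation MACs
!   0011.2233.4477 = the host to keep off the web
!   192.0.2.50     = its DHCP-reserved IP address
!
! A MAC extended ACL matches only source/destination MAC and Ethertype.
! There is no "eq 80" keyword, so a web-only deny cannot be written here.
! On many Catalyst platforms a MAC port ACL also classifies only non-IP
! frames by default, so IP traffic is not affected by it at all.
mac access-list extended LAN-HOSTS
 permit host 0011.2233.4455 any
 permit host 0011.2233.4466 any
 permit host 0011.2233.4477 any
! implicit deny any any at the end keeps unlisted MACs off the port
!
! Blocking only web traffic requires an IP/TCP match, hence the fixed
! address. Source is the host and destination is "any": the ACL is
! applied inbound on the host's port, so it sees the host's outbound
! connections. Other web ports (8080 here) are listed explicitly.
ip access-list extended BLOCK-WEB
 deny   tcp host 192.0.2.50 any eq 80
 deny   tcp host 192.0.2.50 any eq 443
 deny   tcp host 192.0.2.50 any eq 8080
 permit ip any any
!
! One IP ACL and one MAC ACL can be applied inbound on the same
! Layer 2 port; the single-MAC-ACL limit does not prevent this.
interface GigabitEthernet1/0/5
 switchport mode access
 ip access-group BLOCK-WEB in
 mac access-group LAN-HOSTS in
```

Verify with `show access-lists` and `show mac access-group interface GigabitEthernet1/0/5` that the hit counters on the deny lines increment when the host attempts a web connection.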