
Sorry it's dumb I know - how do I block a MAC on Catalyst?


GeneralDzur

Technical User
Jan 10, 2005
204
US
We've got someone who's been doing naughty things on the network, and blocking/removing him from the DHCP pool doesn't work, since he can just punch in a static IP and get out anyway.

I need to block his MAC address at the Catalyst switch. I tried setting up a named, extended MAC access-list, but it won't let me apply it to VLAN's, and there's no option to apply it to a regular interface. What do I do?

- stephan
 
Well...the long way would be to enable port security on the switch....but depending on the number of ports that could be time consuming....lock down each port to only allow a specific mac-address to connect and shut down any unused ports. Then get a baseball bat and tell him to knock it off.
Below is a link for a catalyst 2950 series...
 
I would set it to go into error disable state and then be conveniently unavailable for a short period to unlock it for him. By the way...without too much detail, what is he/she doing...?? Might help to determine a better course of action.
 
Well, the thing is that he's not plugging directly into the switch - he's plugging into a remote switch, and *eventually* he HAS to go through the Catalyst, which is the last stop before the router. And since we're using DHCP, I can't block his IP at the router.

He's been doing port scanning, UDP flooding, and also stole the IP of a legit user.

- Stephan
 
WOW.....sounds like good grounds for termination....

Is he doing this with a company furnished PC or a personal machine he is bringing in and connecting to the network with?

 
He's using a personal PC that he's plugging into our network (an Alienware actually). The problem is that he's sort of a new "local" network admin over a small uplink center. I just want his personal pc crippled off this network to prevent anything else.

- stephan
 
OK....
Set up port security on the catalyst and enter every valid mac-address to allow into that port. That should kill the Alien invasion to the HQ network. Is the switch at the remote not a catalyst?? Why does he feel the need to do this....is he trying to bypass company network restrictions?? By the way...what model switch at each location and how many users at remote site?
 
"Well, the thing is that he's not plugging directly into the switch - he's plugging into a remote switch"

Doing a "spanning-tree portfast bpduguard enable" on that interface will disable the port every time he plugs in a switch/bridge or anything that sends BPDUs. So he can only directly plug in a PC.

"He's been doing port scanning, UDP flooding, and also stole the IP of a legit user"

If he's really the LAN admin and has the need to connect his PC to the switch, and you're sure that his PC is causing destruction to your network, then you have a few things to do:

1) Personally talk to him and give him some friendly warnings
2) Check the MAC of the NIC on his PC
3) If the node is solely for his use and no other PC will connect to that node, set port security to allow his MAC only so he can't plug in another PC or spoof the MAC.
4) Do all other security configurations on the port like setting suppression on broadcast/multicast, blocking unknown unicast/multicast...etc
5) If he keeps being naughty, shut down the port and give him an official email about this with reasons and CC to your boss.
 

Well, the problem with entering EVERY valid MAC is that there are 150+ systems on the network, and I don't have the time to punch in every single one.

I have his system's MAC address, which is why I wanted to block *just* that MAC. And he is plugging into some little Linksys or D-Link 4-8 port switch that doesn't really support advanced features like port sec. But the problem with blocking his remote switch is that it would kill the other 3 or so valid users.

- Stephan
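The objection above is the labour of typing 150+ addresses by hand. The usual shortcut is to let the switch tell you what is already connected where: capture `show mac address-table dynamic` once and generate the per-port `switchport port-security` commands from it, skipping uplinks and refusing to whitelist the MAC you want kept off. The script below is an added example written for this thread, not code posted by anyone in it; the MAC table text, the MAC addresses, the port names and the uplink/banned values are all constructed for the demonstration.

```python
"""Generate Catalyst port-security config from a 'show mac address-table' dump.

Added example (not from the thread). The sample table, MACs and ports below are
constructed; in practice paste the real 'show mac address-table dynamic' output.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in the Catalyst 'show mac address-table dynamic' layout.
# Fa0/2 stands in for the port with the small downstream Linksys/D-Link switch;
# Gi0/1 stands in for the uplink towards the router.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/2
  10    0011.2233.4457    DYNAMIC     Fa0/2
  10    0011.2233.4458    DYNAMIC     Fa0/2
  10    0011.2233.4459    DYNAMIC     Fa0/2
  20    0011.2233.4460    DYNAMIC     Fa0/3
  10    0011.2233.4461    DYNAMIC     Gi0/1
  20    0011.2233.4462    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 8
"""

# One table row: vlan, dotted MAC, type, port. Header, rule and total lines don't match.
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return Cisco dotted form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def parse_mac_table(text: str) -> dict[str, list[str]]:
    """Return {port: [mac, ...]} learned on each port, in table order."""
    ports: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            ports[port].append(mac.lower())
    return dict(ports)


def find_mac(ports: dict[str, list[str]], mac: str) -> list[str]:
    """Port(s) a given MAC was learned on; empty list if the switch has not seen it."""
    wanted = normalize_mac(mac)
    return sorted(p for p, macs in ports.items() if wanted in macs)


def port_security_config(ports: dict[str, list[str]], uplinks: set[str],
                         banned: list[str] = ()) -> list[str]:
    """Emit interface commands that pin each access port to the MACs seen on it.

    uplinks: ports that must never get port-security (trunks, links to other switches).
    banned:  MACs that are never whitelisted, even if currently learned somewhere.
    A port whose only learned MACs are banned gets no config and is left for manual review.
    """
    banned_set = {normalize_mac(b) for b in banned}
    lines: list[str] = []
    for port in sorted(ports):
        if port in uplinks:
            continue
        allowed = [m for m in ports[port] if m not in banned_set]
        if not allowed:
            continue
        lines.append(f"interface {port}")
        lines.append(" switchport mode access")
        lines.append(" switchport port-security")
        lines.append(f" switchport port-security maximum {len(allowed)}")
        for mac in allowed:
            lines.append(f" switchport port-security mac-address {mac}")
        lines.append(" switchport port-security violation shutdown")
    return lines


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    # Constructed: the address to keep off the network.
    offender = "00:11:22:33:44:57"
    print(f"{offender} currently learned on: {find_mac(table, offender)}")
    print("\n".join(port_security_config(table, uplinks={"Gi0/1"}, banned=[offender])))
```

Review the generated block before pasting it: `maximum` equals the number of addresses listed, so a port that legitimately carries a future extra device will go err-disabled, and the script deliberately says nothing about ports it skipped. As the later replies in this thread point out, port-security binds an address to a port, not to a person; a machine that presents one of the whitelisted MACs on the same port still passes, so pair this with the talk, the email and the traffic capture suggested below.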
 
seems like that switch is a must and cannot be disconnected from the network, right?

If that's the case, then just use port-security and input those 3 or so valid users' MAC addresses. Again you'll have to let him know about this issue.
 
MAC address security is not the best solution ... If you have Windows XP you can always fool any router by changing local MAC address.

Let's say he comes up with a laptop. He sits alongside one of your employees using any machine connected to your switch. Now he will take down the user's MAC address... disconnect his machine giving him some excuse. Now in his XP laptop he can change the local hardware address to your employee's hardware address and he is in your network.

If someone is playing in your own LAN, it is too difficult to solve with configurations...

I will suggest using Lambert's advice .. give him a nice mail and CC your boss.

 
Just a few thoughts......

When using the same MAC, could a static ARP entry do the trick?

Install a kind of Firewall with Intrusion Detection in his uplink. Configure it to be as restrictive as possible, without disturbing legitimate traffic.

Tell him (in your personal talk or mail) that you are monitoring him.
Make a network trace with Ethereal or Packetyzer and use this as possible future evidence against him.

HTH
Good luck.
 
I don't know whether static ARP will work or not ... maybe not ... because ARP only has MAC and IP relations. He can cheat both MAC as well as IP.

If you collect the evidence it will be purely against the person whose MAC id he is duplicating and not against him.

There are also flaws in using an intrusion detection system
..Port mirror support for switch??
Remember the switch keeps a MAC - IP table in its database and uses the database next time for connecting 2 machines. This is how a switch breaks the collision domain.

Now to sniff traffic your switch MUST support the port mirroring feature. For ex. Cisco 2950 supports only 1 port for mirroring, which puts you in trouble as you cannot check the actual traffic flow from one machine to another.

If your switch supports port mirroring use a sniffer ( Network Observer is one of the best sniffers I have worked on but it comes for a COST ).

But using a sniffer you can only monitor what he is trying to do ... CANNOT BLOCK HIM.
 