How do I block certain MAC addresses on Extreme Summit Switches?

  • Question
  • Updated 2 years ago
  • Answered
I want to be able to block certain MAC addresses on my Extreme Switches.  I want to stop certain devices from being able to connect to my network.

Vince MacNeil


Posted 4 years ago


PARTHIBAN CHINNAYA, Alum

Hello
You can use an ACL to block.
But there are much better options available.
Use MAC limit learning and allow only specific MAC addresses. Based on your requirement, EXOS has multiple options.
ACL is the easiest.

Vince MacNeil

I have a list of MAC addresses I want blocked.  Do you have the command?

Paul Russo, Alum

Vince, in order to block certain MAC addresses, use the FDB blackhole.  This is a permanent static entry in the Forwarding Database table.  The command is:
create fdbentry mac_addr vlan vlan_name [ports port_list {tagged tag} | blackhole]

blackhole: Enables the blackhole option. Any packets with either a source MAC address or a destination MAC address matching the FDB entry are dropped.

Hope that helps

P

Prateek Shukla

Hi Paul, I want to block the end user's MAC address in the Extreme WiFi WM3400 controller. Is there any command or option for the same?

Paul Russo, Alum

Hello Prateek. Yes, there are two ways to do this.  If the traffic is locally bridged at the AP, then you can do the same command to stop them on the wired network.  You can also block them in the AP by adding their MAC into the wireless firewall.  Please check out the WM_5.4_Controller_reference_guide to see the step-by-step process.

Thanks
P

Mrxlazuardin

Hi Paul,

Is it possible to set the FDB entry to blackhole for such MAC addresses but for all VLANs (or many VLANs) without defining each MAC address one per VLAN?

Best regards,

Paul Russo, Alum

Hey Lazuardi.

Unfortunately, if you use the create FDB command to blackhole a MAC, you have to specify the VLAN, so you would have to execute the command for all of the VLANs.

If you use an ACL you would still have to apply it to a VLAN or to all of the ports.  When configuring an ACL on a port you can only have one policy file per port.


Hope that helps
P
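Since the blackhole entry has to be created once per MAC address per VLAN, the command list is easiest to generate. The script below is an added example, not part of the original posts and not Extreme tooling; the sample MAC addresses and VLAN names are constructed, and the colon-separated MAC notation and the VLAN name pattern are assumptions to check against your EXOS version.

```python
import re

# Constructed sample input: MACs in mixed notations and hypothetical VLAN names.
SAMPLE_MACS = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-55",
               "01:00:5e:00:00:01", "not-a-mac"]
SAMPLE_VLANS = ["Default", "Users", "Voice"]

def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # The low bit of the first octet marks group (multicast/broadcast) addresses;
    # a device block list should only contain unicast station addresses.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group address, not a station MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def blackhole_commands(macs, vlans):
    """Build one 'create fdbentry ... blackhole' line per unique MAC per VLAN.

    Returns (commands, rejected) so bad input is reported, not silently dropped.
    """
    for vlan in vlans:
        # Assumption: VLAN names are plain identifiers; refuse anything that
        # could smuggle extra CLI text into the generated script.
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_\-]{0,31}", vlan):
            raise ValueError(f"unexpected VLAN name: {vlan!r}")
    seen, rejected, commands = set(), [], []
    for raw in macs:
        try:
            mac = normalize_mac(raw)
        except ValueError as err:
            rejected.append(str(err))
            continue
        if mac in seen:  # same device written in a different notation
            continue
        seen.add(mac)
        commands += [f"create fdbentry {mac} vlan {vlan} blackhole" for vlan in vlans]
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = blackhole_commands(SAMPLE_MACS, SAMPLE_VLANS)
    print("\n".join(cmds))
    for reason in bad:
        print("# skipped:", reason)
```

Review the skipped entries before pasting the output into the switch, so that a typo in the block list does not leave a device unblocked.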

shashank sharma

Hi Paul,

We are using one L3 switch and 10 L2 switches in our organization. I would like to allow a particular user through an access list. So, is it possible for me to create an ACL on the L3 switch and have it work for all users who are connected through our L2 switches?

Kawawa, GTAC

Hi Shashank, yes, you can create an ACL on the L3 switch to filter out specific streams arriving from the edge switches.  If the 10 L2 switches terminate into a single VLAN on the L3 switch, you could create a single ACL and assign it to the ingress traffic of the VLAN; otherwise, a single ACL could be created and applied to the ingress traffic of multiple ports.  In the commands below, <acl-policy-name> refers to a policy file you'd have to create on the L3 switch:
configure access-list <acl-policy-name> vlan <vlan-name> ingress
configure access-list <acl-policy-name> ports <port-list> ingress
How to create ACLs in EXOS