How to block a list of Mac-Addresses on Enterasys Switches (CLI)

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
I received a task to "block" a list of mac addresses on my environment, and I don't know how to do it on Enterasys CLI (C3 and A2 models). I've watched the video where shows how to do it using MACLOCK on Netsight, but unfortunately I don't have this software here. Could someone help me with this issue?

I already appreciate any help!
Photo of Michel Braga Guimaraes

Michel Braga Guimaraes

  • 194 Points 100 badge 2x thumb
  • frustated

Posted 3 years ago

  • 0
  • 1
Photo of Bruno


  • 130 Points 100 badge 2x thumb
Hello Guimaraes.

Make sure you know all the uplink in the disered switch and DO NOT apply the bellow configs to a link that connects to other switches.

set maclock enable
set maclock trap ge.X.X enable violation

set spantree adminedge ge.X.X true

set maclock enable ge.X.X

set maclock firstarrival ge.X.X  1

To know who is connected to who use:

show neighbors

In case of duvidas im glad to help.

Photo of Paul Bell

Paul Bell

  • 60 Points
MACLOCK is one way to do it but it has a lot of other effects that you may be after....and in the end it does not actually block any MAC addresses.  The way I have handled this is to create a "Black Hole" VLAN -- in my case I use 999 -- to nowhere and then create MAC-to-VLAN associations on the switch stack. This way, whenever a device with a banned MAC connects, it's associated with a VLAN that has no routing, no DHCP, etc.

Here's the config:

set vlan create 999
set vlan name "BLACK HOLE"
set vlan dynamicegress 999 enable
set vlan association mac 00112233445566 999 <--repeat this for each banned MAC, where of course I'm using 00112233445566 as the example

Hope this helps.
Photo of Jason Parker

Jason Parker, Employee

  • 2,898 Points 2k badge 2x thumb
also a video on What is SpanGuard and How To Configure it on Enterasys Switches
by Jason Parker