How to block a single MAC Address

  • 28 October 2020

Userlevel 2

Hi,

I work in a school that has Pre-K all the way through to 12th grade.

 

We have been experiencing issues where people will get bumped off the wifi, or they will connect but not get an IP address. Also, the normally green cloud next to the AP goes red. I jump into the firewall and connection diagnostic and see a computer that is sending and receiving a massive amount of data.

I believe this may be deliberate, and to test this theory, I want to block their MAC address within ExtremeIQ and see if the issue clears up. Can someone tell me how to do that within the ExtremeIQ interface, please?

Many thanks in advance, J.

Best answer by systemscsn 5 November 2020, 13:43

Hi,

 

I went another route, as I did not want to risk the devices needing a reboot with that configuration change. So I enabled the Deny Filter within DHCP. From what I have read about DHCP and Windows Server 2012, it's best to only enable the Deny Filter, as people have run into issues with the DHCP Server Service when enabling both the Allow Filter and the Deny Filter.

If anyone is interested, here is the official Microsoft link:

https://social.technet.microsoft.com/wiki/contents/articles/25665.how-to-enable-and-configure-dhcp-mac-address-filtering.aspx

As I said though, many comments in many other articles said they had service issues with both enabled, so be careful. The article above doesn't mention any issues enabling both.

I thought it easier to enable the Deny list at the DHCP level, although that adds a hop, as the client would connect to the AP, then try to get an IP address, only to be denied. Hopefully any clients on the Deny Filter do not take up a lot of air time with the Access Point. So far, I've only added a few devices that seem to either be teaming their Ethernet and their WiFi adapters or bridging those connections (they have an IP for Ethernet and an IP for wifi), and I added their wifi MAC address to the Deny Filter, so they can only get on Ethernet.

 

Thanks,

J
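
The DHCP-level Deny Filter described in the answer above can also be applied from PowerShell. This is an added example, not part of the original post or the linked Microsoft article; it uses the DhcpServer module cmdlets on the DHCP server, and the MAC addresses and descriptions are constructed placeholders.

```powershell
# Added example: put Wi-Fi MACs on the Windows DHCP Deny Filter (deny only).
# Run elevated on the DHCP server; needs the DhcpServer module (Server 2012+).
Import-Module DhcpServer

# Constructed placeholder entries, not addresses from the thread.
$denyMacs = @(
    @{ Mac = '02:00:5e:10:00:01'; Note = 'Wi-Fi NIC, host also on Ethernet' },
    @{ Mac = '0200.5e10.0002';    Note = 'Wi-Fi NIC, bridged to Ethernet' }
)

# Normalise any common MAC notation to AA-BB-CC-DD-EE-FF, reject anything else.
function ConvertTo-DhcpMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[-:.\s]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Not a 48-bit MAC: '$Mac'" }
    ($hex -split '(..)' | Where-Object { $_ }) -join '-'
}

# Read the current filter state first.
$state = Get-DhcpServerv4FilterList
if ($state.Allow) {
    Write-Warning 'Allow Filter is enabled too; only listed MACs get leases.'
}

# Skip MACs already on the Deny list so the script can be re-run safely.
$existing = @(Get-DhcpServerv4Filter -List Deny |
    ForEach-Object { $_.MacAddress.ToUpper() })

foreach ($entry in $denyMacs) {
    $mac = ConvertTo-DhcpMac $entry.Mac
    if ($existing -contains $mac) {
        Write-Host "Already denied: $mac"
        continue
    }
    Add-DhcpServerv4Filter -List Deny -MacAddress $mac -Description $entry.Note
    Write-Host "Added to Deny list: $mac"
}

# Turn on the Deny Filter and leave the Allow Filter exactly as it was.
Set-DhcpServerv4FilterList -Allow $state.Allow -Deny $true

# Show the result for the change record.
Get-DhcpServerv4FilterList
Get-DhcpServerv4Filter -List Deny | Format-Table MacAddress, Description
```

Deny entries match the MAC address the client presents in its DHCP request, so a device using a private (randomized) Wi-Fi address needs its current address listed.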


Userlevel 5

Hi J, this guide reviews how to create a MAC filter to block certain MAC addresses: https://extremeportal.force.com/ExtrArticleDetail?n=000046577&q=Block%20mac%20address

Userlevel 2

Thanks Sam.  I appreciate the article, I was in the ballpark when looking for that setting.

 

Do I really have to push a full config and restart all the APs? We have a… LOT of them, and I obviously can't do that during the day.

Any reason this can't be a delta push, so I don't have to restart all the APs?

 

J.

Userlevel 5

You can certainly try a delta push; it won’t hurt or interrupt anything if it doesn’t go through. You would see an update failure on the AP, but that will go away when you do the complete update at a later time.

Userlevel 2

I disabled DNS (as we do it via DHCP) and pushed that as a delta, and all the APs took it. So, I'm hopeful that it will work with this MAC filter as well.

It's a MacBook Pro 8 that I noted “pegging” our network, 130-190MB’s, and I believe that is what is causing the issue I posted about. I believe that is the latest model of MacBook, so it's possible Apple has changed how their wifi/antennas work, and it could be just blasting the AP and trying to get as much data as possible, without regard to other clients on the AP or network. I'll probably have to dig on Apple's website. Although the web IP they were trying to hit up with all that traffic belongs to the Akamai company. Know of anyone experiencing issues with their wifi due to MacBook 8’s?

 

thanks again, J.

Userlevel 5

I haven’t heard of any issues with MacBook Pro 8’s, but that might be a good topic for a new post, just to see if any other community members are experiencing the same thing. 
