How to block a list of Mac-Addresses on Enterasys Switches (CLI)


I received a task to "block" a list of MAC addresses in my environment, and I don't know how to do it on the Enterasys CLI (C3 and A2 models). I've watched the video that shows how to do it using MACLOCK on Netsight, but unfortunately I don't have this software here. Could someone help me with this issue?

I appreciate any help in advance!

3 replies

Hello Guimaraes. Make sure you know all the uplinks on the desired switch and DO NOT apply the configs below to a link that connects to other switches.

set maclock enable
set maclock trap ge.X.X enable violation

set spantree adminedge ge.X.X true

set maclock enable ge.X.X

set maclock firstarrival ge.X.X 1

To know who is connected to whom, use:

show neighbors

In case of any questions, I'm glad to help.

MACLOCK is one way to do it but it has a lot of other effects that you may be after... and in the end it does not actually block any MAC addresses. The way I have handled this is to create a "Black Hole" VLAN -- in my case I use 999 -- to nowhere and then create MAC-to-VLAN associations on the switch stack. This way, whenever a device with a banned MAC connects, it's associated with a VLAN that has no routing, no DHCP, etc.

Here's the config:

set vlan create 999
set vlan name 999 "BLACK HOLE"
set vlan dynamicegress 999 enable
set vlan association mac 00112233445566 999 <--repeat this for each banned MAC, where of course I'm using 00112233445566 as the example

Hope this helps.
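
The "repeat this for each banned MAC" step above, as an added example that is not part of the original thread: a Python script that validates and de-duplicates a MAC list and emits the black-hole VLAN commands. The function names, the VLAN ID argument to `set vlan name`, and the separator-free MAC output are assumptions; confirm the syntax your firmware accepts before pasting.

```python
import re

BLACKHOLE_VLAN = 999  # VLAN ID used in the reply above

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # Group bit set (multicast/broadcast): never a station's source address
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group (multicast/broadcast) address: {raw!r}")
    return digits

def format_mac(digits, sep=""):
    # sep="" matches the bare-hex form shown in the thread (assumption:
    # check which separator, if any, the switch CLI expects).
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def build_config(macs, vlan=BLACKHOLE_VLAN, sep=""):
    """Return (command_lines, rejected_messages) for raw MAC strings."""
    lines = [
        f"set vlan create {vlan}",
        f'set vlan name {vlan} "BLACK HOLE"',  # VLAN ID argument assumed
        f"set vlan dynamicegress {vlan} enable",
    ]
    seen, rejected = set(), []
    for raw in macs:
        raw = raw.strip()
        if not raw or raw.startswith("#"):  # skip blanks and comments
            continue
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if mac not in seen:  # same MAC written in another notation
            seen.add(mac)
            lines.append(f"set vlan association mac {format_mac(mac, sep)} {vlan}")
    return lines, rejected

if __name__ == "__main__":
    # Constructed sample list; the 14-digit entry is rejected as malformed.
    sample = ["00:11:22:33:44:55", "00-11-22-33-44-55", "0011.2233.4456",
              "00112233445566", "ff:ff:ff:ff:ff:ff", "# comment"]
    cmds, bad = build_config(sample)
    print("\n".join(cmds))
    for msg in bad:
        print("! skipped:", msg)
```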

Also, a video on "What is SpanGuard and How To Configure it on Enterasys Switches"
by Jason Parker
https://www.youtube.com/watch?v=euUa_5Rv-Uc
