At my workplace, we have a Public Wifi network, as well as our Private Wifi network. The Private side has access to see other computers, the printers, servers, and access to the Internet. On the Public side, the users need to authenticate with a captive portal with a username/password combo from our server (for our staff's personal devices only).

The key had been leaked long before I came to this job, and I have most things cleaned up. I have scripts (written by other team members, not myself!) that go through the DHCP leases on Debian Wheezy, and spit out the manufacturer, the DNS name, IP address, and the MAC address of all the devices the DHCP server interacts with. With these scripts, I can create a blacklist of MAC addresses and iptables blocks them for me. I update /etc/blacklist.txt, and when iptables starts, it executes `iptables -A INPUT $if -m mac --mac-source $i -j DROP` (with $i being read from the file). This will prevent their device from connecting to our network resources, and to the Internet. Unfortunately, it does not take effect until after the device has gotten an IP address from isc-dhcp-server.

So, my issue is, how can I prevent them from even getting an IP address assigned to them? Yes, I know they could just assign themselves a static IP address and bypass the DHCP server, but I still want iptables to block them, based on their (hopefully non-changing) MAC address. Yes, I know I could increase the range on my DHCP server, but I want management to realize the struggle with managing the privately-owned devices taking up our work resources by connecting and bypassing our captive portal.

One solution (well, partial) that someone thought up was to create a blackhole class in my /etc/dhcp/nf file, and fill it with the MAC addresses of the devices I don't want connecting. This would work, but requires updating the MAC addresses in multiple places, which I don't want. I want to be able to update the MACs in one file, and then possibly run a script that will add the changes to my DHCP file, and my iptables rules. Although I think using ebtables may be the answer, it's another layer that I did not want to add to my configuration.

As far as I know it is not possible to do except to use something like ebtables as was suggested, with the additional bookkeeping.

One of the other techs helped me make a script to parse through the blacklist of IP addresses, and add them to a new pool, which gives out no IP address whatsoever. It takes the regular blacklist (one MAC address per line) that I also spit into iptables, and just creates the new pool. In my /etc/dhcp/nf file, I create a new class near the top: `class "blacklist"` [...] `print OUT "subclass \"blacklist\" 1:$i \n"`. I save this, then I add the execute bit with `chmod +x /usr/local/sbin/dhcpd-macblock.py`, and set a cron job that feeds the blacklist into the script every hour: `cat /etc/blacklist.txt | dhcpd-macblock.py`. Every hour, it goes through, creating a new file with all the MAC addresses blocked that I don't want, and they don't even get a DHCP reservation, and my spots are slowly freeing up.
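The blacklist-to-dhcpd script the last answer describes survives above only as fragments, so here is an added example of the same idea: a script that is not the poster's own, written for this page. It reads one MAC address per line from standard input (blank lines and `#` comments ignored, several notations accepted), drops malformed entries with a message on stderr, and writes an ISC dhcpd include file containing a `class "blacklist"` that matches on `hardware` plus one `subclass "blacklist" 1:<mac>;` line per address, which is the standard dhcpd.conf(5) class/subclass syntax. It also emits the matching iptables rules so that one input file drives both layers, as the question asked for. Assumptions not taken from the post: the include is written to /etc/dhcp/blacklist.conf and referenced from dhcpd.conf, the address pool carries `deny members of "blacklist";`, the interface name passed to the iptables rules, and the sample MAC addresses, which are constructed.

```python
#!/usr/bin/env python3
"""Build an ISC dhcpd "blacklist" class and iptables rules from a list of MACs.

Added example, not the script from the original post. Assumed wiring:
    dhcpd.conf:   include "/etc/dhcp/blacklist.conf";
    pool { deny members of "blacklist"; range ...; }
dhcpd reads its configuration only at startup, so the service has to be
restarted after the include file changes.
"""
import os
import re
import sys


def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated hex, or None if it is not a MAC.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 and 001122334455 style input.
    """
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_blacklist(text):
    """Parse blacklist text into (macs, bad_lines).

    Duplicates (in any notation) are kept once, in first-seen order;
    bad_lines holds (line number, original line) for entries that are not MACs,
    so a typo in the blacklist is reported instead of silently unblocking a device.
    """
    macs, bad, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()  # strip trailing comments
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            bad.append((lineno, line))
        elif mac not in seen:
            seen.add(mac)
            macs.append(mac)
    return macs, bad


def render_dhcpd_class(macs):
    """Render the dhcpd class definition and one subclass line per MAC."""
    lines = ['class "blacklist" {', '    match hardware;', '}']
    for mac in macs:
        # The leading "1:" is the hardware type (1 = Ethernet) that dhcpd
        # prepends to the address when matching on "hardware".
        lines.append('subclass "blacklist" 1:%s;' % mac)
    return "\n".join(lines) + "\n"


def render_iptables(macs, ifname="eth0"):
    """Render one DROP rule per MAC for the given interface (name is an assumption)."""
    return ["iptables -A INPUT -i %s -m mac --mac-source %s -j DROP" % (ifname, mac)
            for mac in macs]


def write_atomic(path, content):
    """Write the include file via rename so dhcpd never starts on a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


def main(argv):
    out_path = argv[1] if len(argv) > 1 else None
    macs, bad = parse_blacklist(sys.stdin.read())
    for lineno, line in bad:
        print("line %d: not a MAC address, skipped: %r" % (lineno, line), file=sys.stderr)
    conf = render_dhcpd_class(macs)
    if out_path:
        write_atomic(out_path, conf)
    else:
        sys.stdout.write(conf)
    return 1 if bad else 0


# Constructed sample input, used to exercise the parser.
SAMPLE_BLACKLIST = """# constructed sample blacklist
00:11:22:33:44:55
00-11-22-33-44-55   # same device, different notation
AABBCCDDEEFF
not-a-mac
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An hourly cron entry in the spirit of the post would be `cat /etc/blacklist.txt | dhcpd-macblock.py /etc/dhcp/blacklist.conf && dhcpd -t && service isc-dhcp-server restart`, so that the include is syntax-checked before the server is restarted on it (command line assumed, not from the post). Blocking at the DHCP layer only denies a lease; as the question already notes, a device that assigns itself a static address still needs the iptables (or ebtables) rule.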