Re: [fw-wiz] MAC blocking

From: Chris Byrd (
Date: 11/29/05

To: Eric Appelboom <>
Date: Mon, 28 Nov 2005 17:00:30 -0600

If you are avoiding 802.1x and NAC/NAP due to cost of replacing
existing switches, you might consider (assuming a largely Microsoft
environment) what Microsoft calls "Domain Isolation" using IPsec:

I'd stay away from any MAC based solution, as spoofing a MAC address is trivial.


On 11/25/05, Eric Appelboom <> wrote:
> Hi
> I would like to whitelist known MAC addresses on a subnet and block\deny
> any new MACs.
> If a new MAC is seen by the firewall, it should not allow that MAC to pass
> traffic out that segment\vlan.
> A similar concept to MAC address locking on Wifi APs.
> It would be great to have this as a feature on a protected segment of a
> firewall.
> One could script a diff on files containing arp entries and then arp
> poison the IP associated
> to the new MAC (not the correct way) or spoof or bind the offending MAC
> with ifconfig\macmakeup\SMAC and bind to secondary interface.
> Any better ideas?   (no 802.1x NAC\NAP please)
> Regards
> Eric
> _______________________________________________
> firewall-wizards mailing list
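The "script a diff on files containing arp entries" idea from the original question, written out as a detection-only audit. This is an added example, not code from either poster: it parses `arp -an` style output (the sample below is constructed, not captured from a real segment), flags any MAC that is not on a hypothetical whitelist, and, because a spoofed MAC can be one that is already on the list, also flags an IP whose MAC changed since the last snapshot and any MAC claimed by more than one IP. Those last two checks are the only way a whitelist-based monitor can surface the spoofing problem Chris raises; they do not prevent it.

```python
import re
import subprocess

# Constructed sample of `arp -an` output (Linux/BSD format); not from a real network.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:11:22:33:44:01 [ether] on eth1
? (192.168.10.20) at 00:11:22:33:44:20 [ether] on eth1
? (192.168.10.21) at 00:11:22:33:44:21 [ether] on eth1
? (192.168.10.99) at de:ad:be:ef:00:99 [ether] on eth1
? (192.168.10.30) at <incomplete> on eth1
"""

# Hypothetical whitelist of approved MACs for the protected segment.
WHITELIST = {"00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:21"}

# Matches "(ip) at mac " for complete entries only; "<incomplete>" never matches.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ")


def parse_arp(text):
    """Return {ip: mac} for every complete ARP entry in the text."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line.lower())
        if m:
            table[m.group("ip")] = m.group("mac")
    return table


def audit(table, whitelist, previous=None):
    """Compare a snapshot against the whitelist and an optional earlier snapshot.

    Returns (unknown, changed, duplicates):
      unknown    - {ip: mac} for MACs not on the whitelist (the original "new MAC" check)
      changed    - {ip: (old_mac, new_mac)} where the IP's MAC differs from `previous`
      duplicates - {mac: [ip, ...]} where one MAC is claimed by several IPs
    `changed` and `duplicates` are the signals that survive a spoofed whitelisted MAC.
    """
    unknown = {ip: mac for ip, mac in table.items() if mac not in whitelist}

    changed = {}
    for ip, mac in table.items():
        if previous and ip in previous and previous[ip] != mac:
            changed[ip] = (previous[ip], mac)

    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

    return unknown, changed, duplicates


def report(unknown, changed, duplicates):
    """Render findings as log-style lines (returned, not printed, so callers can log them)."""
    lines = [f"UNKNOWN-MAC ip={ip} mac={mac}" for ip, mac in sorted(unknown.items())]
    lines += [f"MAC-CHANGED ip={ip} old={old} new={new}" for ip, (old, new) in sorted(changed.items())]
    lines += [f"DUPLICATE-MAC mac={mac} ips={','.join(ips)}" for mac, ips in sorted(duplicates.items())]
    return lines


if __name__ == "__main__":
    # Live use: read the local ARP table; fall back to the constructed sample if arp is absent.
    try:
        text = subprocess.run(["arp", "-an"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_ARP
    findings = report(*audit(parse_arp(text), WHITELIST))
    print("\n".join(findings) if findings else "no findings")
```

Run it from cron and feed the previous run's table back in as `previous` to get the "diff" the original post describes; an unknown MAC is the easy case, while a changed or duplicated MAC is the one worth paging on, since it is exactly what a spoofed, whitelisted address looks like from the ARP cache.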