Block Access to Internet via mac?

I have an Cisco ASA 5510 firewall and I'd like to setup a rule to block Internet access to several specific machines on the network.  How can I do this using their MAC address?

Thanks in advance.
ARSCOAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bkepfordCommented:
Just a question, Is the machines that you want to block on the same network segment as the ASA? If not it won't work. (Not sure you can do it on an ASA) but you can do it from a Cisco switch. You may be able to block it at the router that is attached to the same segment.
 
0
ARSCOAuthor Commented:
Actually no.  They are on a separate VLAN.  I know I can do a mac-address-table static MAC Vlan # drop on a switch.  However I don't have a cisco switch before the ASA I can do this on.
0
bkepfordCommented:
Once you leave the VLAN the MAC address of the offending machine is no longer apart of the packet. Is their anything on the vlan that the ASA is on that the machines you want to block would need?
Secondly just out of curiosity why don't you do a reservation on your DHCP server and then just block by IP?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ARSCOAuthor Commented:
Guess Reservation is the way I'm gonna have to do it.  I haven't worked with access-lists before.  Can you point to some place I can better understand them, or let me know what commands I will need to setup?

Thanks
0
bkepfordCommented:
First off you always apply the ACL inbound on the interface closest to the traffic this would be a simple acl applied to the inbound direction of your inside interface.
 Here is a link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/traffic.html
 
access-list INSIDE extended deny ip 10.1.1.1 255.255.255.0 any
access-list INSIDE extended permit ip any any
access-group INSIDE in interface inside
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.