CCIE Trek

A blog of Jeff Rensink's trek to the CCIE summit (again)


Administrator Tip- Kicking computers off of your network

Posted by jrensink78 on October 13, 2008

Have you ever wanted to get a computer off of your network?  Most of us probably have at one time or another.  Maybe the PC was identified as being infected with a virus.  Or maybe it’s just being naughty.  Whatever the reason, you do have a number of choices.

Originally, when I wanted to kick a user off of the network, I would find what port they were connected to by looking their MAC address up in the CAM table and shut the port down. That was a somewhat effective method. It certainly kicked the computer off of the network. But it has a number of shortcomings, such as…

  • If the computer is a laptop, it has the nasty tendency of failing over from wired to wireless the moment the wired link goes down, and it is back on the network.
  • Users have the uncanny habit of not calling the helpdesk to figure out why they lost connectivity, and instead just plugging into a different network port.
  • If other devices hang off the same port (an IP phone with the PC daisy-chained behind it, for example), they lose connectivity as well.

So what other options do we have built into our switches that we can use to kick the user off of the network? Well, the one that I like is setting up a static CAM entry that drops traffic to/from a specific MAC address. The command for that is “mac address-table static mac_address vlan vlan_ID drop” on current IOS, or “mac-address-table static mac_address vlan vlan_ID drop” on older releases. The switch then discards any frame in that VLAN that has the MAC address as its source or destination. Two things to keep in mind: the entry only accepts a unicast MAC, and it is per VLAN, so a host that could land in more than one VLAN needs an entry for each. The “no” form of the same command removes the block once the machine has been cleaned up.

So why is this better than just shutting down the port?  Well, it provides the following benefits.

  • The computer never actually loses link on the wired connection, so a laptop has no reason to fail over to wireless.
  • The entry applies to every port on the switch in that VLAN, so users who try and plug into another nearby network port will still be blocked (assuming they still plug into the same switch, in the same VLAN).
  • Other devices on the same network port as the blocked computer (that IP phone) can still access the network just fine.

As you can see, it avoids many of the negatives and limitations that just shutting down the port incurs. The last thing to consider is which switch is the best place to apply the command. Well, that depends on your network. If you know the user will pretty much be limited to a single switch in their immediate area, the access layer switch is a good choice. If your access layer is a lot of standalone switches rather than a chassis or a stack, the user can simply walk to a port on a neighboring switch, so you may want to apply the command at the distribution layer instead. The distribution layer is also a good choice if the user is already connected wirelessly, as the laptop can roam to distant APs. The one negative of applying the command at the distribution layer is that the computer can still talk to other computers in the same VLAN on the same access switch, because that traffic never crosses the distribution switch. Finally, remember that the block keys on the MAC address, which most network cards let the user change; it is a good fit for an infected or misbehaving machine, not for someone determined to get around it.
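The procedure above (look the MAC address up in the CAM table, then either shut the port or install a static drop entry) as an added Python example. This is not code from the original post: it parses a constructed sample of “show mac address-table address” output (the MAC, VLAN numbers and port names are made up), emits the port shutdowns for comparison, and generates one drop entry per VLAN the host has been seen in, in either the current or the hyphenated older syntax, refusing multicast and broadcast addresses since the drop entry only accepts a unicast MAC.

```python
from __future__ import annotations
import re

# Constructed sample of 'show mac address-table address 0011.2233.4455' on a
# Catalyst-class switch. The MAC, VLANs and port names are made up for this
# example; the layout matches the usual IOS table so the parser is realistic.
# The host has been seen in two VLANs, which is exactly the case where a
# single drop entry would miss it.
SAMPLE_CAM_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  20    0011.2233.4455    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 2
"""

# One CAM entry line: vlan, dotted MAC, type, port.
CAM_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the lower-case dotted form IOS uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_unicast(mac: str) -> bool:
    """A static drop entry only accepts unicast MACs: the I/G bit (least
    significant bit of the first octet) must be clear."""
    return (int(normalize_mac(mac)[:2], 16) & 0x01) == 0


def parse_cam(output: str) -> list[tuple[int, str, str]]:
    """Return (vlan, mac, port) for each entry line of the CAM table output."""
    entries = []
    for line in output.splitlines():
        m = CAM_LINE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return entries


def shutdown_commands(entries: list[tuple[int, str, str]]) -> list[str]:
    """The original approach: shut every port the MAC was learned on. This
    also takes down anything else on those ports (an IP phone, for instance)."""
    cmds: list[str] = []
    for port in dict.fromkeys(port for _vlan, _mac, port in entries):
        cmds += [f"interface {port}", " shutdown"]
    return cmds


def drop_commands(mac: str, vlans, legacy_syntax: bool = False,
                  remove: bool = False) -> list[str]:
    """One static drop entry per VLAN. legacy_syntax picks the hyphenated
    'mac-address-table' keyword of older IOS releases; remove=True emits the
    'no' form for when the machine has been cleaned up."""
    mac = normalize_mac(mac)
    if not is_unicast(mac):
        raise ValueError(f"{mac} is not unicast; drop entries need a unicast MAC")
    keyword = "mac-address-table" if legacy_syntax else "mac address-table"
    prefix = "no " if remove else ""
    return [f"{prefix}{keyword} static {mac} vlan {vlan} drop"
            for vlan in sorted(set(vlans))]


def block_host(cam_output: str, mac: str, legacy_syntax: bool = False) -> list[str]:
    """Look the host up in the CAM output and return drop entries for every
    VLAN it has been seen in. A host seen in no VLAN yields no commands;
    pick the VLAN list by hand in that case."""
    mac = normalize_mac(mac)
    vlans = [vlan for vlan, seen, _port in parse_cam(cam_output) if seen == mac]
    return drop_commands(mac, vlans, legacy_syntax)


if __name__ == "__main__":
    print("! old way: shut the ports")
    for cmd in shutdown_commands(parse_cam(SAMPLE_CAM_OUTPUT)):
        print(cmd)
    print("! better way: one drop entry per VLAN the host was seen in")
    for cmd in block_host(SAMPLE_CAM_OUTPUT, "00:11:22:33:44:55"):
        print(cmd)
```

On a real switch, paste the output of the show command in place of the sample; the generated lines go in as global configuration, and the “no” form from drop_commands(..., remove=True) is what you paste to lift the block later.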

Posted in Admin Tips