?
Solved

Cisco LAN MAC address security

Posted on 2004-10-07
5
Medium Priority
?
300 Views
Last Modified: 2010-04-11
Does anyone know of a centralized solution (apart from Cisco URT) that will allow me to baseline all the MAC addresses currently on a WAN without having to manually collect them and type them into a filter list on multiple switches, and after will then prevent any new MAC addresses from attaching to the network without authorization?
0
Comment
Question by:dommurray
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 12252397
You can use Solarwinds Switchport mapper to get a current map (excel spreadsheet) of all of your existing MAC address/IP address mappings, but there is nothing in it that will enforce "no new mac's"..
The URT is the tool of choice if you're doing this company-wide across a WAN..
If you've got systems that don't happen to be on at the time you run the baseline, they won't show up.
Set your port security to only allow one mac address, set it for 'sticky'. Any port that shows as down at the time you run the baseline, go in and disable them until/unless someone provides you the MAC. Very manual process without the autmoated URT tool or something like it..
0
 
LVL 10

Expert Comment

by:winzig
ID: 12262652
there is better sollutiuon than MAC filtering, you can deploy 802.1x and each before any pc will be connected to your network have to be authenticated(using the smard card, domain credentials, certificate ....)
0
 
LVL 1

Author Comment

by:dommurray
ID: 12265940
Will 802.1x stop a machine getting an IP address from DHCP and therefore spreading whatever infection it may have over my IP network? I am wondering about any worms/viruses etc that can spread in those circumstances?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12266176
The Vernier solution is pretty neat -

http://www.verniernetworks.com/products/

0
 
LVL 3

Expert Comment

by:happythedog
ID: 12270759
could go static assignment of ips and mac address sticky , pain in the *** but effective  , i am inclined to agree with you lrmoore
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
A look at what happened in the Verizon cloud breach.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question