Securing your network using MAC Addresses

Posted on 2005-04-18
Last Modified: 2010-05-18
All, this is a security/switch question so I came to this forum first.

I have a problem with people just coming into our offices and plugging their laptops in without asking... :-| I'm not best pleased with this, but how do I remedy this?

My thoughts are to create a backbone using a layer 3 switch (we have 1 Cisco Catalyst switch that we can use) and then create VLANs off of this onto our current switches (this is a separate idea in that I want to *subnet* certain depts and remote users)... anyway, my question is: can I configure the Cisco switch to accept ONLY certain MAC addresses? I know I have to build a list of all MAC addresses in the company, however I'd rather this than take the chance of someone letting loose a virus just cos we have no *internal* security as such....

Anyone any thoughts on whether this is possible?

Question by:credmood

    Accepted Solution

    Yes.  You can have MAC based VLANs, but it would be a real Pain in the ... (PITA) to administer.  UNLESS you have a very small number of MAC addresses.

    The better solution to what you're looking for is to use 802.1x - port based authentication.  Check this out for more info: Of course, this would require some investment of time and money, which perhaps you don't have (like me :))

    Since you mentioned Cisco, check this out:  
    Assigning Host-Based VLANs in Cisco Switch Products Using Cisco Secure User Registration Tool

    Dynamic virtual LAN (VLAN) membership is a convenient way to dynamically assign end stations to VLANs. Dynamic VLAN assignment is especially useful in administering large networks because you can move a connection from a port on one switch to a port on another switch in the network without reconfiguring the port. Dynamic-access ports work with a

    Assisted Solution

    Cisco switches also have a port security setting which locks ports to work only with the current MAC address, intended to address situations like yours.  Unfortunately, (a) you have to update it whenever a legit MAC address is moved or changed (e.g., replaced NIC card or computer), and (b) it doesn't make MAC spoofing very hard....

    802.1x is a better way to go.
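    As an added illustration (not from the thread or any of the posters), here is what the two approaches discussed above look like on a Cisco IOS Catalyst switch: port security with "sticky" MAC learning on one access port, and 802.1X port-based authentication on another. Interface names, the VLAN number, the RADIUS server address and its shared secret are placeholders.

```cisco
! Constructed example; interface names, VLAN and RADIUS values are placeholders.
!
! --- Option A: port security (the MAC-based lock described above) ---
! The port learns the first MAC it sees ("sticky"), allows only one host,
! and goes err-disabled if a different MAC shows up.
interface FastEthernet0/1
 description user access port - port security
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Recover err-disabled ports automatically after 5 minutes so every
! violation does not need a manual "shutdown / no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky MACs are written into the running config only; save them or
! they are lost on reload:  copy running-config startup-config
!
! --- Option B: 802.1X port-based authentication ---
! The switch asks a RADIUS server whether the user/machine may connect,
! so the decision rests on credentials rather than on a spoofable MAC.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-SECRET-PLACEHOLDER
dot1x system-auth-control
!
interface FastEthernet0/2
 description user access port - 802.1X
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 spanning-tree portfast
!
! Verification commands:
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show dot1x interface FastEthernet0/2
```

    With Option A a violation shows up as the port going err-disabled (check with "show interfaces status err-disabled"), which is also a useful signal that an unknown device was plugged in.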


    Assisted Solution

    Setting up something to keep people from being able to just waltz in the door with a laptop and plug it into the network is a good idea security-wise; in your situation it's only a stopgap measure since you say you have no internal security. A couple of months ago someone got one of our company laptops infected by turning off the antivirus to load in some new software and forgetting to turn it back on when they were done. It took all of about five minutes after they plugged it into the LAN before it started causing problems, but it did no real damage other than locking out a few dozen people's accounts. If I hadn't had any security it would have made a real mess out of things and infected most of the computers on the network, but it couldn't, and only succeeded in being a minor annoyance instead. This is why you need to address the core of your problem, since a compromised computer that is permitted could wreak havoc the way you have things.

    Author Comment

    Sorry Dr-IP, I was a bit flippant with my *no security* statement. I have all the standard security measures in place: virus scans on all machines that update automatically, a software update service that updates MS holes, firewalls that stop the bad people getting in. I also *usually* vet people before they plug in, however as we all know you can't be sure with this 100% of the time...., as everyone says it's the internal *physical* side of things that has the most flaws. I was just meaning your first line *Setting up something to keep people from being able to just waltz in the door with a laptop and plug it into the network is a good idea security wise* ...

    The remote users are always a problem, however I need to a) turn split tunneling off and b) set up the Cisco VPN client to *kick in* as soon as a connection to the internet is instigated.... a problem that I'm aware of and need to get round to doing.... but as pseudocyber says, time and money are not usually on our side ;o)

    I'll check out all above, thanks for all your help.

    Author Comment

    All, I will be assigning points to you on this, I'm just leaving it open until I get my Catalyst switch (this coming week), on which I'm going to test some points from above.

    Author Comment

    The switch that I got wasn't up to the task, so I'm going to have to get some money from somewhere and buy a decent one....

    Thanks for all your pointers, I will be using them.
