Securing IP address via MAC address in a large domain

Hello experts,

I have a fully routed network consisting of 10 branches (10 subnets).

The general equipment on each subnet is as follows:

(1)      An IBM server configured as a DC and also a file server.

(2)      An IBM server configured as a SQL server for database purposes.

(3)      A Cisco router.

(4)      A mix of Cisco 3500 and 2900, depending on the size of the branch.

As part of our security policy I would like to secure my network outlets, so as to prevent anyone just plugging in a network device and obtaining an IP address.

What I think is to store a database of MAC addresses for all my network devices and use some software to check the database of MAC addresses first before issuing an IP address to the connecting device.

I would be grateful if any expert can provide assistance.



If you had this database of all your existing MACs you could just set up DHCP reservations on your DHCP server for each MAC, and have no other IPs available in the DHCP pool. That way if a PC plugs in that doesn't have a DHCP reservation it can't get a DHCP IP because there are none available. This will require some work to configure, but will solve your problem, and be secure. If you need more explanation just let me know.
jomfra Author Commented:
Hello stuknhawaii,

I do not want to go in that direction. Yes, I have printers, all workstations that require internet access and a few other resources using DHCP reservations, but generally I would like to maintain an environment where clients obtain IP addresses on a lease basis.

The solution I am interested in is something from the switch perspective. I know you can secure connections to the switch via MAC address, and implement a type of RADIUS server to monitor and control the connection, allowing only bona fide users on the

The above may be far-fetched; no harm in me asking experts for a feasible solution.

You can use port security on the switches to allow only the MAC of one user to connect to that switchport. If someone else plugs in, it will disable the switchport. Here's a good article on it with directions to configure:
For actual user authentication before being allowed on the network, Cisco makes a solution called Cisco NAC (Clean Access). This actually runs on two servers: when a user plugs in they are put in a quarantine VLAN and then must authenticate before they are moved into the network VLANs. NAC can also check for antivirus updates and Windows updates on the client trying to join the network and force it to update before being allowed into the network. It's very robust, but not cheap!
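An added example, not from either expert's reply or the original poster, tying the two suggestions in this thread together: one inventory of permitted MACs drives both the DHCP allow-list from the first reply and the per-port switch allow-list from the second. The script normalizes MACs written in any of the common notations, rejects duplicates, and emits (a) an ISC dhcpd configuration in which only declared hosts are "known" and every other client is refused a lease, which gives the lease-based behaviour the poster asked for rather than one fixed address per MAC, and (b) Cisco IOS port-security stanzas that pin one MAC per access port and shut the port on a violation. The inventory, hostnames, interface names and the 10.1.0.0/24 addressing are constructed for the example. Two caveats a practitioner should keep in mind: the `switchport port-security` command family shown is the one for Catalyst 2950/3550-class and later IOS switches, and the older 2900XL/3500XL models use a separate `port security` command set, so check the platform's documentation before pasting; and any MAC-based control, on the switch or on the DHCP server, can be bypassed by someone who clones a permitted MAC, so it raises the bar against casual plug-in but is not authentication in the way 802.1X or NAC is.

```python
"""Build MAC allow-lists for ISC dhcpd and Cisco IOS port security.

Added example: one inventory of permitted devices feeds both enforcement
points. Inventory, hostnames, interface names and addresses are constructed.
"""
import re

# Constructed inventory: (hostname, MAC in any common notation, switch port)
INVENTORY = [
    ("ws-acct-01", "00:11:22:33:44:55", "FastEthernet0/1"),
    ("ws-acct-02", "0011.2233.4456", "FastEthernet0/2"),
    ("prn-acct-01", "00-11-22-33-44-57", "FastEthernet0/3"),
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Raises ValueError for anything that is not exactly 48 bits of hex, so a
    typo in the inventory fails loudly instead of silently pinning a port
    to a wrong or empty address.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return digits


def mac_colon(digits):
    """00:11:22:33:44:55 form used by dhcpd.conf."""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_cisco(digits):
    """0011.2233.4455 form used by Cisco IOS."""
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate_inventory(inventory):
    """Normalize every MAC and reject duplicates.

    A MAC listed twice would make one host silently inherit the other's
    port or lease policy, so treat it as an error in the source data.
    """
    seen = {}
    entries = []
    for host, mac, port in inventory:
        digits = normalize_mac(mac)
        if digits in seen:
            raise ValueError(
                f"MAC {mac_colon(digits)} listed for both {seen[digits]} and {host}")
        seen[digits] = host
        entries.append((host, digits, port))
    return entries


def dhcpd_config(inventory, subnet, netmask, router, range_start, range_end):
    """ISC dhcpd.conf fragment: dynamic leases only for declared hosts.

    'deny unknown-clients' in the pool refuses any client without a host
    declaration. The host declarations carry no fixed-address, so permitted
    devices still take ordinary leases from the range, not reservations.
    """
    entries = validate_inventory(inventory)
    lines = [
        f"subnet {subnet} netmask {netmask} {{",
        f"  option routers {router};",
        "  pool {",
        "    deny unknown-clients;",
        f"    range {range_start} {range_end};",
        "  }",
        "}",
    ]
    for host, digits, _port in entries:
        lines.append(f"host {host} {{ hardware ethernet {mac_colon(digits)}; }}")
    return "\n".join(lines) + "\n"


def port_security_config(inventory):
    """Cisco IOS stanzas pinning one static MAC per access port.

    'violation shutdown' err-disables the port when another MAC appears; it
    stays down until an admin clears it (or errdisable recovery is set up),
    which is the behaviour the reply above describes.
    """
    entries = validate_inventory(inventory)
    lines = []
    for _host, digits, port in entries:
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {mac_cisco(digits)}",
            " switchport port-security violation shutdown",
            "!",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dhcpd_config(INVENTORY, "10.1.0.0", "255.255.255.0",
                       "10.1.0.1", "10.1.0.100", "10.1.0.199"))
    print(port_security_config(INVENTORY))
```

Running the script prints both fragments; the dhcpd one goes into dhcpd.conf (hosts can also be declared globally, as shown, so one list serves all ten subnets), and the switch one is pasted per branch switch. After applying it, `show port-security interface FastEthernet0/1` on the switch confirms the maximum, the configured MAC and the violation mode took effect.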
