securing ip address via mac address in a large domain

Hello expert,

I have a fully routed network consisting of 10 branches (10 subnets).

The general equipment on each subnet is as follows:

(1) IBM server configured as a DC and also a file server.

(2) IBM server configured as an SQL server for database purposes.

(3) A Cisco router.

(4) A mix of Cisco 3500 and 2900, depending on the size of the branch.

As part of our security policy I would like to secure my network outlets, so as to prevent anyone from just plugging in a network device and obtaining an IP address.

What I am thinking is to store a database of MAC addresses for all my network devices and use some software to check the database of MAC addresses first before issuing an IP address to the connecting device.

I would be grateful if any expert can provide assistance.

Regards

Jomo
1 Solution
stuknhawaii commented:
If you had this database of all your existing MACs you could just set up DHCP reservations on your DHCP server for each MAC, and have no other IPs available in the DHCP pool. That way, if a PC plugs in that doesn't have a DHCP reservation, it can't get a DHCP IP because there are none available. This will require some work to configure, but will solve your problem and be secure. If you need more explanation just let me know.
jomfra (Author) commented:
Hello stuknhawaii,

I do not want to go in that direction. Yes, I have printers, all workstations that require internet access and a few other resources using DHCP reservations, but generally I would like to maintain an environment where clients obtain IP addresses on a lease basis.

The solution I am interested in is something from the switch perspective. I know you can secure connections to the switch via MAC address, and implement a type of RADIUS server to monitor and control the connection, allowing only bona fide users on the network.

The above may be far-fetched; no harm in me asking experts for a feasible solution.

Regards
Jomo
stuknhawaii commented:
You can use port security on the switches to allow only the MAC of one user to connect to that switch port. If someone else plugs in, it will disable the switch port. Here's a good article on it with directions to configure:
http://articles.techrepublic.com.com/5100-1035-6123047.html
For actual user authentication before being allowed on the network, Cisco makes a solution called Cisco NAC (Clean Access). This actually runs on two servers: when a user plugs in they are put in a quarantined VLAN and then must authenticate before they are moved into the network VLANs. NAC can also check for antivirus updates and Windows updates on the client trying to join the network and force them to update before being allowed into the network. It's very robust, but not cheap!
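The port-security approach in the comment above, worked through as an added example that is not part of the original thread: a script that takes the MAC inventory Jomo proposes to keep and emits the per-port Cisco IOS port-security configuration for each branch switch. The switch names, interface names, host names and MAC addresses in INVENTORY are constructed and hypothetical, and the inventory tuple layout is an assumption about how such a database might be exported.

```python
"""
Turn a MAC inventory into Cisco IOS port-security configuration.

Added example for the thread above, not code from the original post.
All switch names, ports, hosts and MACs below are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory (hypothetical), one row per device:
# (switch, interface, host description, MAC as recorded by whatever tool captured it)
INVENTORY = [
    ("BR01-SW1", "FastEthernet0/1", "ws-acct-01", "00:1A:2B:3C:4D:5E"),
    ("BR01-SW1", "FastEthernet0/2", "printer-1", "00-1a-2b-3c-4d-5f"),
    ("BR01-SW1", "FastEthernet0/3", "ws-acct-02", "001a.2b3c.4d60"),
    ("BR01-SW1", "FastEthernet0/3", "ip-phone-02", "001a.2b3c.4d99"),  # two devices on one port
    ("BR01-SW2", "FastEthernet0/1", "ws-sales-01", "001A2B3C4D61"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to Cisco dotted form (aabb.ccdd.eeff)."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def duplicate_macs(inventory) -> set:
    """MACs that appear on more than one (switch, port); these must be resolved first."""
    seen = defaultdict(set)
    for switch, iface, _host, mac in inventory:
        seen[normalize_mac(mac)].add((switch, iface))
    return {mac for mac, ports in seen.items() if len(ports) > 1}


def build_port_security(inventory, violation="shutdown", recovery_seconds=300):
    """
    Return {switch: [IOS config lines]} pinning each access port to the MACs
    recorded for it.  violation= 'shutdown' err-disables the port (the behaviour
    described in the thread), 'restrict' drops and logs but keeps the port up,
    'protect' drops silently.  Refuses to run if a MAC is listed on two ports.
    """
    dups = duplicate_macs(inventory)
    if dups:
        raise ValueError(f"MAC(s) listed on more than one port: {sorted(dups)}")
    if violation not in ("shutdown", "restrict", "protect"):
        raise ValueError(f"unknown violation mode {violation!r}")

    per_port = defaultdict(list)  # (switch, iface) -> [(host, mac)]
    for switch, iface, host, mac in inventory:
        per_port[(switch, iface)].append((host, normalize_mac(mac)))

    config = defaultdict(list)
    for switch in sorted({s for s, _ in per_port}):
        # Auto-recover err-disabled ports so a single violation does not need
        # a manual 'shutdown / no shutdown'; drop these two lines for manual recovery.
        config[switch] += [
            "errdisable recovery cause psecure-violation",
            f"errdisable recovery interval {recovery_seconds}",
        ]
    for (switch, iface), devices in sorted(per_port.items()):
        lines = [
            f"interface {iface}",
            f" description {', '.join(h for h, _ in devices)}",
            " switchport mode access",  # port-security requires a static access port
            " switchport port-security",
            f" switchport port-security maximum {len(devices)}",
            f" switchport port-security violation {violation}",
        ]
        lines += [f" switchport port-security mac-address {mac}" for _, mac in devices]
        config[switch].extend(lines)
    return dict(config)


if __name__ == "__main__":
    for switch, lines in build_port_security(INVENTORY).items():
        print(f"! ---- {switch} ----")
        print("\n".join(lines))
```

The output uses the `switchport port-security` command set of Catalyst IOS (2950/3550 and later); the Catalyst 2900XL/3500XL images mentioned in the question use an older `port security` syntax, so check what each model accepts before pasting. Two practitioner caveats: port security only compares source MAC addresses, which any attacker can set on their own NIC, so it stops casual plug-ins rather than a deliberate intruder; and the `shutdown` mode is what "disables the switchport" in the comment, while `restrict` keeps the port up and logs the violation, which is usually kinder in a branch office with no local network staff. Verify on the switch with `show port-security interface <port>` and `show port-security address`.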
