
securing ip address via mac address in a large domain

Hello expert,

I have a fully routed network consisting of 10 branches (10 subnets).

The general equipment on each subnet is as follows:

(1) IBM server configured as DC and also a file server.

(2) IBM server configured as SQL server for database purposes.

(3) A Cisco router.

(4) A mix of Cisco 3500 and 2900, depending on the size of the branch.

As part of our security policy I would like to secure my network outlets, so as to prevent anyone just plugging in a network device and obtaining an IP address.

What I think is to store a database of MAC addresses for all my network devices and use some software to check the database of MAC addresses first before issuing an IP address to the connecting device.

I would be grateful if any expert can provide assistance.



If you had this database of all your existing MACs you could just set up DHCP reservations on your DHCP server for each MAC, and have no other IPs available in the DHCP pool. That way if a PC plugs in that doesn't have a DHCP reservation it can't get a DHCP IP because there's none available. This will require some work to configure, but will solve your problem, and be secure. If you need more explanation just let me know.


hello stuknhawaii,

I do not want to go in that direction. Yes, I have printers, all workstations that require internet access and a few other resources using DHCP reservations, but generally I would like to maintain an environment where clients obtain IP addresses on a lease basis.

The solution I am interested in is something from the switch perspective.
I know you can secure connections to the switch via MAC address,
and implement a type of RADIUS server to monitor and control the connection,
allowing only bona fide users on the

The above may be far-fetched; no harm in me asking experts for a feasible solution.

You can use port security on the switches to allow only the MAC of one user to connect to that switchport. If someone else plugs in, it will disable the switchport. Here's a good article on it with directions to configure:
For actual user authentication before being allowed on the network Cisco makes a solution called Cisco NAC (Clean Access). This actually runs on two servers: when a user plugs in they are put in a quarantined VLAN and then must authenticate before they are moved into the network VLANs. NAC can also check for AntiVirus updates and Windows updates on the client trying to join the network and force them to update before being allowed into the network. It's very robust, but not cheap!
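As an added example (not from the answer above), here is the port-security configuration the reply describes, for one access port, plus the commands an administrator would use to verify it and to recover a port that was shut down by a violation. It assumes the Catalyst IOS port-security syntax (2950/3550 and later; the older 2900XL/3500XL used a different "port security" command set), interface GigabitEthernet0/1, VLAN 10, and a constructed placeholder MAC address.

```cisco
! Added example, not the original answer's configuration.
! Assumed interface, VLAN and MAC address are placeholders; run from
! privileged EXEC on a Catalyst switch running IOS port security.
configure terminal
 interface GigabitEthernet0/1
  description Branch workstation outlet
  ! Port security requires a static access (or trunk) port, not dynamic.
  switchport mode access
  switchport access vlan 10
  switchport port-security
  ! Permit exactly one MAC address on this outlet.
  switchport port-security maximum 1
  ! Learn the first MAC seen and keep it in the running configuration,
  ! so the MAC does not have to be typed in per port.
  switchport port-security mac-address sticky
  ! Alternative: pin a known MAC statically (constructed placeholder value).
  ! switchport port-security mac-address 0000.1111.2222
  ! On a second MAC: err-disable the port and raise a syslog/SNMP trap,
  ! which is the event to alert on in the monitoring system.
  switchport port-security violation shutdown
 exit
 ! Optional: auto-recover an err-disabled port after 5 minutes instead of
 ! requiring a manual "shutdown" / "no shutdown" by an administrator.
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
end
! Save sticky-learned MACs and the configuration across reloads.
copy running-config startup-config
! Verification: port status, violation count and the learned MAC.
show port-security interface GigabitEthernet0/1
show port-security address
```

Sticky learning trusts whatever device is connected when the port first comes up, so apply it while the known workstation is attached and review the learned addresses with the show commands before relying on it.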
