jomfra
asked on
Securing IP address via MAC address in a large domain
Hello expert,
I have a fully routed network consisting of 10 branches (10 subnets).
The general equipment on each subnet is as follows:
(1) IBM server configured as D.C. and also a file server.
(2) IBM server configured as SQL server for database purposes.
(3) A Cisco router.
(4) A mix of Cisco 3500 and 2900, depending on the size of the branch.
As part of our security policy I would like to secure my network outlets,
so as to prevent anyone just plugging in a network device and obtaining an
IP address.
What I think is to store a database of MAC addresses for all my network devices
and use some software to check the database of MAC addresses first before
issuing an IP address to the connecting device.
I would be grateful if any expert can provide assistance.
Regards
Jomo
If you had this database of all your existing MACs you could just set up DHCP reservations on your DHCP server for each MAC, and have no other IPs available in the DHCP pool. That way if a PC plugs in that doesn't have a DHCP reservation it can't get a DHCP IP because there's none available. This will require some work to configure, but will solve your problem, and be secure. If you need more explanation just let me know.
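The reservations-only pool described in the answer above, as an added example that is not part of the original thread: it normalizes a MAC inventory, rejects duplicates, and emits `netsh dhcp server` commands that reserve each known device and exclude every remaining address in the range. It assumes a Windows DHCP server; the scope, address range and inventory are constructed sample values.

```python
import ipaddress
import re

# Constructed sample inventory: (hostname, MAC as recorded, reserved IP).
INVENTORY = [
    ("ws-001", "00:11:22:33:44:AA", "192.168.10.21"),
    ("ws-002", "0011.2233.44bb", "192.168.10.22"),
    ("prn-01", "00-11-22-33-44-CC", "192.168.10.25"),
]

def normalize_mac(raw):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    mac = re.sub(r"[.:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def build_plan(start, end, inventory):
    """Return (reservations, gaps); gaps are the unreserved ranges to exclude."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    by_ip, seen = {}, set()
    for name, raw_mac, ip in inventory:
        addr, mac = ipaddress.ip_address(ip), normalize_mac(raw_mac)
        if not first <= addr <= last:
            raise ValueError(f"{ip} is outside the scope range")
        if addr in by_ip or mac in seen:
            raise ValueError(f"duplicate IP or MAC for {name}")
        by_ip[addr] = (name, mac)
        seen.add(mac)
    # Walk the range in order and collect every run of unreserved addresses.
    gaps, cursor = [], first
    for addr in sorted(by_ip):
        if addr > cursor:
            gaps.append((cursor, addr - 1))
        cursor = addr + 1
    if cursor <= last:
        gaps.append((cursor, last))
    return by_ip, gaps

def netsh_commands(scope_id, start, end, inventory):
    """Build the reservation commands, then exclusions that empty the pool."""
    reservations, gaps = build_plan(start, end, inventory)
    prefix = f"netsh dhcp server scope {scope_id}"
    cmds = [f'{prefix} add reservedip {ip} {mac} "{name}" "inventory" BOTH'
            for ip, (name, mac) in sorted(reservations.items())]
    cmds += [f"{prefix} add excluderange {lo} {hi}" for lo, hi in gaps]
    return cmds

if __name__ == "__main__":
    print("\n".join(netsh_commands("192.168.10.0", "192.168.10.20",
                                   "192.168.10.30", INVENTORY)))
```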
ASKER
Hello stuknhawaii,
I do not want to go in that direction. Yes, I have printers, all workstations that
require internet access and a few other resources using DHCP reservations, but
generally I would like to maintain an environment where clients obtain IP addresses
on a lease basis.
The solution I am interested in is something from the switch perspective.
I know you can secure connections to the switch via MAC address.
And implementing a type of RADIUS server to monitor and control the connection,
allowing only bona fide users on the network.
The above may be far-fetched; no harm in me asking experts for a feasible solution.
Regards
Jomo