Solved

CISCO SWITCHES - RESTRICTING NETWORK ACCESS VIA MAC ADDRESS (OR MAYBE IP ADDRESS)

Posted on 2008-10-03
8
592 Views
Last Modified: 2012-05-05
I have a situation where a printer technician came to one of our remote locations, plugged his laptop in, set an IP address, and then was on our network.

We do only static IP addressing in our branches so he just picked what he thought was a non-used IP address after looking at one of the other workstations.

I would like to be able to build a table of MAC-ADDRESSES or IP ADDRESSES that are allowed.  If the switch determines that the MAC or IP is not listed, no traffic can pass.

Then ultimately I would like to get notifcation of the attempt.

We have a mix of CISCO catalyst switches (29xx/35xx)
0
Comment
Question by:yostnet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 50 total points
ID: 22632508
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 350 total points
ID: 22632970
One way to do it is with port security. Current IOS versions use "sticky learning" so that the first MAC address learned on the port once port security is enabled becomes the permanent address for that port. If another address is learned on that port, it is shutdown. An entry will also appear in the log.



interface f0/1
 switchport port-security
 switchport port-security max 1
 switchport port-security violation shutdown

Open in new window

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22632997
Another option is on the 3550, you can create a VACL (VLAN Access Control List). Can't do it on the 2950 though.


ip access-list extended printer-tech
 permit ip host 192.168.1.5 any
vlan access-map no-printer 10
 match ip address printer-tech
 action drop
vlan access-map no-printer 20
 action forward
vlan filter no-printer vlan-list 5

Open in new window

0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:yostnet
ID: 22634182
I like the idea of port security, but it does not meet my needs as I do not want any device to be able to access the network unless authorization is given.  IE an entry in a table.

I guess the most manual route would be to just turn down the ports that are not in use.
0
 

Author Comment

by:yostnet
ID: 22634307
But -- even the manual route does still provide a hole as anyone can unplug a printer/pc and use that port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22634515
Port security isn't designed to prevent someone from connecting to an unused port. That's what the "shutdown" command is for. :-)

As for the ports that currently have something connected to them, that's where port security will do the trick... to a point. All the dedicated person has to do is to figure out the MAC of the connected device and change their own address to that.

Like they say, "locks keep the honest people honest".
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 100 total points
ID: 22637798
Agreed on port security.
The ideal thing to do is use the 3550 as your distribution switch for the 2900s and create VLAN access-lists.
The ideal way to secure a network includes a combination of the two - VACLs on the 3550 to filter IP addresses, and then port security on the 2900s to "filter" (more like limit) MAC addresses of connected devices.
Here is a very good article on port security that can help you understand and configure it to fit your environment:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html 
Cheers! Let me know if that helps!
0
 

Author Closing Comment

by:yostnet
ID: 31502694
thanks for the insight
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I see many questions here on Experts Exchange regarding switch port configurations and trunks. This article is meant for beginners in the subject to help to get basic knowledge about Virtual Local Area Network (VLAN (http://en.wikipedia.org/wiki/Vir…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question