Improve company productivity with a Business Account.Sign Up

x
?
Solved

CISCO SWITCHES - RESTRICTING NETWORK ACCESS VIA MAC ADDRESS (OR MAYBE IP ADDRESS)

Posted on 2008-10-03
8
Medium Priority
?
596 Views
Last Modified: 2012-05-05
I have a situation where a printer technician came to one of our remote locations, plugged his laptop in, set an IP address, and then was on our network.

We do only static IP addressing in our branches so he just picked what he thought was a non-used IP address after looking at one of the other workstations.

I would like to be able to build a table of MAC-ADDRESSES or IP ADDRESSES that are allowed.  If the switch determines that the MAC or IP is not listed, no traffic can pass.

Then ultimately I would like to get notifcation of the attempt.

We have a mix of CISCO catalyst switches (29xx/35xx)
0
Comment
Question by:yostnet
8 Comments
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 200 total points
ID: 22632508
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 1400 total points
ID: 22632970
One way to do it is with port security. Current IOS versions use "sticky learning" so that the first MAC address learned on the port once port security is enabled becomes the permanent address for that port. If another address is learned on that port, it is shutdown. An entry will also appear in the log.



interface f0/1
 switchport port-security
 switchport port-security max 1
 switchport port-security violation shutdown

Open in new window

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22632997
Another option is on the 3550, you can create a VACL (VLAN Access Control List). Can't do it on the 2950 though.


ip access-list extended printer-tech
 permit ip host 192.168.1.5 any
vlan access-map no-printer 10
 match ip address printer-tech
 action drop
vlan access-map no-printer 20
 action forward
vlan filter no-printer vlan-list 5

Open in new window

0
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

 

Author Comment

by:yostnet
ID: 22634182
I like the idea of port security, but it does not meet my needs as I do not want any device to be able to access the network unless authorization is given.  IE an entry in a table.

I guess the most manual route would be to just turn down the ports that are not in use.
0
 

Author Comment

by:yostnet
ID: 22634307
But -- even the manual route does still provide a hole as anyone can unplug a printer/pc and use that port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22634515
Port security isn't designed to prevent someone from connecting to an unused port. That's what the "shutdown" command is for. :-)

As for the ports that currently have something connected to them, that's where port security will do the trick... to a point. All the dedicated person has to do is to figure out the MAC of the connected device and change their own address to that.

Like they say, "locks keep the honest people honest".
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 400 total points
ID: 22637798
Agreed on port security.
The ideal thing to do is use the 3550 as your distribution switch for the 2900s and create VLAN access-lists.
The ideal way to secure a network includes a combination of the two - VACLs on the 3550 to filter IP addresses, and then port security on the 2900s to "filter" (more like limit) MAC addresses of connected devices.
Here is a very good article on port security that can help you understand and configure it to fit your environment:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html 
Cheers! Let me know if that helps!
0
 

Author Closing Comment

by:yostnet
ID: 31502694
thanks for the insight
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The worst thing when starting a new job is when the previous Network Administrator left behind no documentation. How do you get into the devices? If you've been in this situation or just accidently mistyped your password, this article will hopefully…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
From store locators to asset tracking and route optimization, learn how leading companies are using Google Maps APIs throughout the customer journey to increase checkout conversions, boost user engagement, and optimize order fulfillment. Powered …

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question