Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

CISCO SWITCHES - RESTRICTING NETWORK ACCESS VIA MAC ADDRESS (OR MAYBE IP ADDRESS)

Posted on 2008-10-03
8
Medium Priority
?
595 Views
Last Modified: 2012-05-05
I have a situation where a printer technician came to one of our remote locations, plugged his laptop in, set an IP address, and then was on our network.

We do only static IP addressing in our branches so he just picked what he thought was a non-used IP address after looking at one of the other workstations.

I would like to be able to build a table of MAC-ADDRESSES or IP ADDRESSES that are allowed.  If the switch determines that the MAC or IP is not listed, no traffic can pass.

Then ultimately I would like to get notifcation of the attempt.

We have a mix of CISCO catalyst switches (29xx/35xx)
0
Comment
Question by:yostnet
8 Comments
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 200 total points
ID: 22632508
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 1400 total points
ID: 22632970
One way to do it is with port security. Current IOS versions use "sticky learning" so that the first MAC address learned on the port once port security is enabled becomes the permanent address for that port. If another address is learned on that port, it is shutdown. An entry will also appear in the log.



interface f0/1
 switchport port-security
 switchport port-security max 1
 switchport port-security violation shutdown

Open in new window

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22632997
Another option is on the 3550, you can create a VACL (VLAN Access Control List). Can't do it on the 2950 though.


ip access-list extended printer-tech
 permit ip host 192.168.1.5 any
vlan access-map no-printer 10
 match ip address printer-tech
 action drop
vlan access-map no-printer 20
 action forward
vlan filter no-printer vlan-list 5

Open in new window

0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 

Author Comment

by:yostnet
ID: 22634182
I like the idea of port security, but it does not meet my needs as I do not want any device to be able to access the network unless authorization is given.  IE an entry in a table.

I guess the most manual route would be to just turn down the ports that are not in use.
0
 

Author Comment

by:yostnet
ID: 22634307
But -- even the manual route does still provide a hole as anyone can unplug a printer/pc and use that port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22634515
Port security isn't designed to prevent someone from connecting to an unused port. That's what the "shutdown" command is for. :-)

As for the ports that currently have something connected to them, that's where port security will do the trick... to a point. All the dedicated person has to do is to figure out the MAC of the connected device and change their own address to that.

Like they say, "locks keep the honest people honest".
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 400 total points
ID: 22637798
Agreed on port security.
The ideal thing to do is use the 3550 as your distribution switch for the 2900s and create VLAN access-lists.
The ideal way to secure a network includes a combination of the two - VACLs on the 3550 to filter IP addresses, and then port security on the 2900s to "filter" (more like limit) MAC addresses of connected devices.
Here is a very good article on port security that can help you understand and configure it to fit your environment:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html 
Cheers! Let me know if that helps!
0
 

Author Closing Comment

by:yostnet
ID: 31502694
thanks for the insight
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The worst thing when starting a new job is when the previous Network Administrator left behind no documentation. How do you get into the devices? If you've been in this situation or just accidently mistyped your password, this article will hopefully…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question