CISCO SWITCHES - RESTRICTING NETWORK ACCESS VIA MAC ADDRESS (OR MAYBE IP ADDRESS)

Posted on 2008-10-03
Last Modified: 2012-05-05
I have a situation where a printer technician came to one of our remote locations, plugged his laptop in, set an IP address, and then was on our network.

We do only static IP addressing in our branches so he just picked what he thought was a non-used IP address after looking at one of the other workstations.

I would like to be able to build a table of MAC-ADDRESSES or IP ADDRESSES that are allowed.  If the switch determines that the MAC or IP is not listed, no traffic can pass.

Then ultimately I would like to get notification of the attempt.

We have a mix of CISCO catalyst switches (29xx/35xx)
Question by: yostnet

Assisted Solution by: Kamran Arshad (earned 50 total points), ID: 22632508

Accepted Solution by: Don Johnston (earned 350 total points), ID: 22632970

One way to do it is with port security. Current IOS versions use "sticky learning" so that the first MAC address learned on the port once port security is enabled becomes the permanent address for that port. If another address is learned on that port, it is shutdown. An entry will also appear in the log.

interface f0/1
 ! port security is only accepted on a static access port, not a dynamic (DTP) one
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! sticky: the first MAC learned is written into the running config as the secure address
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

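The question asks for a table of allowed MAC addresses rather than "whatever plugs in first". Port security can do that with static secure MAC entries, one per authorised device, and the notification comes from the syslog message and SNMP trap the violation raises. The script below is an added example (not code from this thread) that generates that configuration from such a table; the port names, MAC addresses, VLAN id and syslog host are constructed sample values, and the commands used are standard IOS port-security, logging and errdisable commands on the 2950/3550 family.

```python
"""Generate Cisco IOS port-security configuration from a per-port MAC whitelist.

Added example, not code from the original thread.  For each port with entries
it emits a static 'switchport port-security mac-address' per authorised device,
sets 'maximum' to the number of entries so nothing extra can be learned, and
uses 'violation shutdown' so any other MAC err-disables the port and logs a
%PORT_SECURITY-2-PSECURE_VIOLATION message.  Ports with no entry are shut down.
All port names, MACs, the VLAN id and the syslog host are constructed values.
"""
import re
from typing import Dict, List

# Constructed sample whitelist: port -> MACs allowed on it, in any common notation.
# An empty list means "nothing authorised here": the port is shut down.
WHITELIST: Dict[str, List[str]] = {
    "FastEthernet0/1": ["00:11:22:33:44:55"],
    "FastEthernet0/2": ["0011.2233.4456", "00-11-22-33-44-57"],  # two authorised devices
    "FastEthernet0/3": [],
}

SYSLOG_HOST = "192.0.2.10"  # assumed notification target (documentation prefix)


def to_cisco_mac(mac: str) -> str:
    """Normalise 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 to Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def port_config(port: str, macs: List[str], vlan: int = 10) -> List[str]:
    """Interface stanza for one port: shut if unused, otherwise static secure MACs."""
    lines = ["interface %s" % port]
    if not macs:
        lines += [" description UNUSED - shut down by policy", " shutdown"]
        return lines
    lines += [
        " switchport mode access",            # port security is rejected on dynamic (DTP) ports
        " switchport access vlan %d" % vlan,
        " switchport port-security",
        " switchport port-security maximum %d" % len(macs),
        " switchport port-security violation shutdown",
    ]
    for mac in macs:
        lines.append(" switchport port-security mac-address %s" % to_cisco_mac(mac))
    return lines


def global_config(syslog_host: str = SYSLOG_HOST) -> List[str]:
    """Notification plumbing: ship the violation syslog off-box, enable the SNMP
    trap, and auto-recover err-disabled ports after 10 minutes so a tripped port
    does not need a site visit (drop the two recovery lines to keep it down
    until someone looks)."""
    return [
        "logging host %s" % syslog_host,
        "logging trap notifications",          # severity 5 and up; the violation is severity 2
        "snmp-server enable traps port-security",
        "errdisable recovery cause psecure-violation",
        "errdisable recovery interval 600",
    ]


def build_config(whitelist: Dict[str, List[str]]) -> str:
    """Full config fragment: global lines, then one stanza per port in table order."""
    lines = global_config()
    for port, macs in whitelist.items():
        lines.append("!")
        lines.extend(port_config(port, macs))
    lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_config(WHITELIST))
```

Feed the output to the switch with a copy/paste or a config merge; rerunning after editing the table is the "authorization" step the question asks for. It does not address the case discussed further down, a visitor who copies an authorised MAC, because to the switch that device is the authorised one.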
 
Expert Comment by: Don Johnston, ID: 22632997

Another option is on the 3550, you can create a VACL (VLAN Access Control List). Can't do it on the 2950 though.


ip access-list extended printer-tech
 permit ip host 192.168.1.5 any
vlan access-map no-printer 10
 match ip address printer-tech
 action drop
vlan access-map no-printer 20
 action forward
vlan filter no-printer vlan-list 5

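The VACL above blacklists one known address. The question wants the opposite, a list of allowed IP addresses with everything else dropped, and a straight inversion of that map has two pitfalls: an IP ACL never matches ARP, so a final "action drop" would also stop the allowed hosts resolving each other, and traffic routed into the VLAN from elsewhere (head office, for instance) has a non-local source address that would be dropped too. The following is an added example (not code from this thread) that generates a whitelist map handling both. The VLAN id, subnet and host list are constructed, and the "mac access-list extended ... 0x806 0x0" type/mask syntax is the 3550 form; treat it as an assumption to verify on your IOS release.

```python
"""Whitelist-style VLAN access map (VACL) generated from an allowed-host table.

Added example, not code from the thread.  Only the listed hosts may source IP
traffic inside the VLAN; any other local station is dropped.  Handled here:
(1) ARP is not IP, so a MAC ACL matching EtherType 0x806 forwards it, otherwise
    the allowed hosts could never resolve each other;
(2) sources outside the local subnet (traffic routed in) are permitted, so only
    unlisted *local* stations fall through to the drop sequence.
VLAN id, subnet and hosts are constructed; the MAC ACL syntax is the 3550 form.
"""
import ipaddress
from typing import List

# Constructed sample: VLAN 5 is 192.168.1.0/24 and three stations are authorised.
VLAN = 5
SUBNET = "192.168.1.0/24"
ALLOWED_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.20"]


def vacl_config(vlan: int, subnet: str, hosts: List[str], name: str = "allowed") -> List[str]:
    """Return the IOS lines for one VLAN's whitelist map."""
    net = ipaddress.ip_network(subnet, strict=True)
    ip_acl = "%s-v%d-ip" % (name, vlan)
    arp_acl = "%s-v%d-arp" % (name, vlan)
    vmap = "%s-v%d-map" % (name, vlan)

    lines = ["ip access-list extended %s" % ip_acl]
    for h in hosts:
        ip = ipaddress.ip_address(h)       # ValueError on a typo rather than a silent 'permit any'
        if ip not in net:
            raise ValueError("%s is not inside %s" % (h, subnet))
        lines.append(" permit ip host %s any" % ip)
    # In a VLAN map an ACL 'deny' means "no match", so other local sources fall
    # through to the drop sequence; non-local sources are matched and forwarded.
    lines.append(" deny ip %s %s any" % (net.network_address, net.hostmask))
    lines.append(" permit ip any any")

    lines += [
        "mac access-list extended %s" % arp_acl,
        " permit any any 0x806 0x0",                 # ARP (EtherType 0x0806), mask 0 = exact
        "vlan access-map %s 10" % vmap,
        " match ip address %s" % ip_acl,
        " action forward",
        "vlan access-map %s 20" % vmap,
        " match mac address %s" % arp_acl,
        " action forward",
        "vlan access-map %s 30" % vmap,
        " action drop",                              # no match clause: everything left over
        "vlan filter %s vlan-list %d" % (vmap, vlan),
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(vacl_config(VLAN, SUBNET, ALLOWED_HOSTS)))
```

Two limits worth knowing before relying on this: the ARP permit is deliberately broad, so an unlisted station can still send ARP and be seen (or poison caches), and a station that sets an allowed host's IP is indistinguishable from that host. Combining the map with port security per port, as suggested below, narrows both.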
Author Comment by: yostnet, ID: 22634182

I like the idea of port security, but it does not meet my needs as I do not want any device to be able to access the network unless authorization is given, i.e. an entry in a table.

I guess the most manual route would be to just turn down the ports that are not in use.

Author Comment by: yostnet, ID: 22634307

But -- even the manual route does still provide a hole as anyone can unplug a printer/pc and use that port.

Expert Comment by: Don Johnston, ID: 22634515

Port security isn't designed to prevent someone from connecting to an unused port. That's what the "shutdown" command is for. :-)

As for the ports that currently have something connected to them, that's where port security will do the trick... to a point. All the dedicated person has to do is to figure out the MAC of the connected device and change their own address to that.

Like they say, "locks keep the honest people honest".
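The accepted answer notes that a violation leaves an entry in the log, and the comment above gives the limit: a visitor who copies the MAC of the device they unplugged trips nothing. The following is an added example (not code from this thread) that turns the two syslog lines a port-security violation produces into the notification the question asks for, and flags the gap. The log lines are constructed in the format Catalyst switches use for %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE; confirm the exact wording on your IOS release before pointing a parser at real logs.

```python
"""Parse port-security syslog into alerts and cross-check them against the whitelist.

Added example, not code from the thread.  With 'violation shutdown' a switch logs
%PORT_SECURITY-2-PSECURE_VIOLATION (offending MAC and port) followed by
%PM-4-ERR_DISABLE (the port going err-disabled).  The sample lines are constructed
in that format.  The last sample line shows the blind spot: a port coming up with
an authorised MAC, spoofed or not, produces no violation and so no alert.
"""
import re
from typing import Dict, List

# Constructed whitelist matching the port-security config (port -> allowed MACs).
WHITELIST = {"FastEthernet0/1": {"0011.2233.4455"}, "FastEthernet0/2": {"0011.2233.4456"}}

# IOS abbreviates interface names in some messages (Fa0/1) but not in others.
_ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,]+),"
)

# Constructed sample syslog, as received at a 'logging host'.
SAMPLE_LOG = """\
Oct  3 09:12:01.432: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.2901.beef on port FastEthernet0/1.
Oct  3 09:12:01.440: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct  3 09:13:44.118: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Oct  3 09:20:07.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
"""


def long_ifname(name: str) -> str:
    """Expand 'Fa0/1' to 'FastEthernet0/1'; full names pass through unchanged."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if m and m.group(1) in _ABBREV:
        return _ABBREV[m.group(1)] + m.group(2)
    return name


def parse_events(log: str, whitelist: Dict[str, set]) -> List[dict]:
    """Return one event dict per port-security message; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            port = long_ifname(m.group("port"))
            events.append({
                "kind": "violation",
                "port": port,
                "mac": m.group("mac"),
                # True only if the MAC is on our list, i.e. the switch config is stale, not an intruder.
                "listed": m.group("mac") in whitelist.get(port, set()),
            })
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append({"kind": "errdisable", "port": long_ifname(m.group("port")),
                           "mac": "", "listed": False})
    return events


def alert_lines(events: List[dict]) -> List[str]:
    """Human-readable notification text, one line per event."""
    out = []
    for e in events:
        if e["kind"] == "violation":
            who = "listed MAC (check switch config)" if e["listed"] else "UNLISTED MAC"
            out.append("ALERT %s: %s %s seen on secured port" % (e["port"], who, e["mac"]))
        else:
            out.append("ALERT %s: port err-disabled by port security" % e["port"])
    return out


if __name__ == "__main__":
    for line in alert_lines(parse_events(SAMPLE_LOG, WHITELIST)):
        print(line)
```

Run it against the syslog file on the collector (or pipe live lines in) and hand alert_lines() to whatever sends mail or pages. Note that the FastEthernet0/2 link-up in the sample produces nothing, which is exactly what a spoofed authorised MAC looks like; correlating link flaps on secured ports outside business hours is the only hint port security can give you there.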
 
Assisted Solution by: Pugglewuggle (earned 100 total points), ID: 22637798

Agreed on port security.
The ideal thing to do is use the 3550 as your distribution switch for the 2900s and create VLAN access-lists.
The ideal way to secure a network includes a combination of the two - VACLs on the 3550 to filter IP addresses, and then port security on the 2900s to "filter" (more like limit) MAC addresses of connected devices.
Here is a very good article on port security that can help you understand and configure it to fit your environment:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html 
Cheers! Let me know if that helps!
 

Author Closing Comment by: yostnet, ID: 31502694

thanks for the insight