Solved

CISCO SWITCHES - RESTRICTING NETWORK ACCESS VIA MAC ADDRESS (OR MAYBE IP ADDRESS)

Posted on 2008-10-03
Last Modified: 2012-05-05
I have a situation where a printer technician came to one of our remote locations, plugged his laptop in, set an IP address, and then was on our network.

We do only static IP addressing in our branches so he just picked what he thought was a non-used IP address after looking at one of the other workstations.

I would like to be able to build a table of MAC-ADDRESSES or IP ADDRESSES that are allowed.  If the switch determines that the MAC or IP is not listed, no traffic can pass.

Then ultimately I would like to get notification of the attempt.

We have a mix of CISCO catalyst switches (29xx/35xx)
0
Question by:yostnet
8 Comments
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 50 total points
ID: 22632508
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 350 total points
ID: 22632970
One way to do it is with port security. Current IOS versions use "sticky learning" so that the first MAC address learned on the port once port security is enabled becomes the permanent address for that port. If another address is learned on that port, it is shut down. An entry will also appear in the log.



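interface f0/1
 ! port security is rejected on a dynamic port, so make it a static access port
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! on a violation, err-disable the port and write a log entry
 switchport port-security violation shutdown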


0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22632997
Another option is on the 3550, you can create a VACL (VLAN Access Control List). Can't do it on the 2950 though.


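! "permit" here only selects the traffic the access-map will act on
ip access-list extended printer-tech
 permit ip host 192.168.1.5 any
! sequence 10: drop packets that match the ACL
vlan access-map no-printer 10
 match ip address printer-tech
 action drop
! sequence 20: no match clause, so all remaining traffic is forwarded
vlan access-map no-printer 20
 action forward
! apply the map to VLAN 5
vlan filter no-printer vlan-list 5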


0

 

Author Comment

by:yostnet
ID: 22634182
I like the idea of port security, but it does not meet my needs as I do not want any device to be able to access the network unless authorization is given, i.e., an entry in a table.

I guess the most manual route would be to just turn down the ports that are not in use.
0
 

Author Comment

by:yostnet
ID: 22634307
But -- even the manual route does still provide a hole as anyone can unplug a printer/pc and use that port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22634515
Port security isn't designed to prevent someone from connecting to an unused port. That's what the "shutdown" command is for. :-)

As for the ports that currently have something connected to them, that's where port security will do the trick... to a point. All the dedicated person has to do is to figure out the MAC of the connected device and change their own address to that.

Like they say, "locks keep the honest people honest".
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 100 total points
ID: 22637798
Agreed on port security.
The ideal thing to do is use the 3550 as your distribution switch for the 2900s and create VLAN access-lists.
The ideal way to secure a network includes a combination of the two - VACLs on the 3550 to filter IP addresses, and then port security on the 2900s to "filter" (more like limit) MAC addresses of connected devices.
Here is a very good article on port security that can help you understand and configure it to fit your environment:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html 
Cheers! Let me know if that helps!
0
 

Author Closing Comment

by:yostnet
ID: 31502694
thanks for the insight
0
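Added example (not part of the original thread, and not any poster's code): the question asks for notification of a connection attempt, and the accepted answer notes that a port-security violation leaves a log entry. This sketch turns those entries into alerts and checks the offending MAC against a per-port allow-list table. The table, the log lines and the function names are constructed for illustration, and the log line is assumed to have the usual IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` form.

```python
import re

# Constructed allow-list: switch port -> the one MAC permitted there (hypothetical values).
ALLOWED = {
    "FastEthernet0/1": "0011.2233.4455",
    "FastEthernet0/2": "0011.2233.4466",
}

# Constructed sample of switch log output; only two lines are port-security violations.
SAMPLE_LOG = """\
Oct  3 09:14:02: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct  3 09:14:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a0.c91b.7e10 on port FastEthernet0/1.
Oct  3 11:40:37: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/2.
Oct  3 11:41:00: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
"""

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address\s+([0-9A-Fa-f.:-]+)"
    r"\s+on port\s+(\S+?)\.?\s*$"
)

def normalize_mac(mac):
    """Return the MAC in Cisco dotted form (xxxx.xxxx.xxxx), whatever the input style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def find_violations(log_text, allowed=ALLOWED):
    """Return one alert dict per port-security violation line in log_text."""
    home_port = {normalize_mac(m): p for p, m in allowed.items()}
    alerts = []
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue  # not a port-security violation message
        mac, port = normalize_mac(m.group(1)), m.group(2)
        if mac in home_port:
            # An allow-listed address seen on a port it is not assigned to.
            verdict = f"known device moved from {home_port[mac]}"
        else:
            verdict = "unknown device"
        alerts.append({"port": port, "mac": mac, "verdict": verdict})
    return alerts

if __name__ == "__main__":
    for a in find_violations(SAMPLE_LOG):
        print(f"ALERT {a['port']}: {a['mac']} ({a['verdict']})")
```

An allow-listed MAC showing up on a port other than its own is reported separately from an unknown address, since the last expert comment points out that a MAC address can be copied.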
