Port Security and MAC addresses

Posted on 2009-12-28
Last Modified: 2012-05-08
I'm at a small school (300 networked devices) that is having an issue with port security.  It isn't set up on the network here but they have a WAN connection to a state-wide consortium that does video conferencing with Polycom units.  That group does use port security and when we try to connect our Polycom to the main network and then out to them it is getting blocked because of the flood of MAC addresses coming off of our main network.  If I shut off all computers on the network, reboot the WAN switch, then it works because there are only a few MAC addresses.  Once the rest of the network is back up though it gets blocked again.  How can I stop them from seeing all of our network MAC addresses?  We have Dell PowerConnect Gigabit 2748 switches in each closet and each closet is connected with fiber.  We are on one VLAN, Server 2003 Std, all Windows XP/Vista/7.  Wiscnet is our Internet provider and they supply and manage the router/firewall.  Our solution for the time being is to have it connected to its own switch off of the network and it stays in one room, but it would be nice to be able to move it anywhere in the building and have it connect.
Question by:DDassow01
    LVL 20

    Expert Comment

    by:Jakob Digranes
    I would expand the VLAN strategy to more than one VLAN.
    With limited knowledge of your network, here's a suggestion:

    * VLAN 1 (??) Default, the one you have already
    * VLAN 10 - new VLAN for students
    * VLAN 20 - new VLAN for teachers (?)
    * VLAN 30 - new VLAN for videoconferencing
    - This would reduce your broadcast domain, but if ports were assigned to VLANs statically, you're back where you started with being locked to one location. Unless you assign one port on each switch.

    What you could do, a bit more advanced, is to deploy an 802.1x strategy with IAS/RADIUS where VLAN assignment is dynamic based on the computer's group membership, defined in AD/IAS.

    Author Comment

    I could do one or two ports at each closet to be set to a video conferencing VLAN.  I have never set up VLANs before.  Do I set up the new VLAN on each switch? And router?
    LVL 20

    Expert Comment

    by:Jakob Digranes
    You create them in both places.
    On the switch you log on and set it to managed switch.
    Create the VLANs somewhere in the switch, then you assign ports to each VLAN.
    Remember, the uplink port must be what is called a TRUNK port, i.e. that port has to allow ALL VLANs.

    Then you would have to create the same VLANs on the router/firewall and assign an IP address to the VLAN interface.

    But it was true that you had no control over router?

    What kind of connection do you have to the other videoconferencing site? VPN dial-up or VPN Site-to-Site or IP-VPN from ISP?

    There could perhaps be a way not to address MACs to other switch as well .. ?
    LVL 20

    Accepted Solution

    VLAN on switch:

    Go to the menu VLAN Configuration and create VLANs and configure PORT membership.

    Here's the manual:
    Will try to look up if there's a way to not advertise all MACs to the other network.

    Author Comment

    I won't need the two networks to talk to each other.  The video conferencing site is through a T1.  They just give us a specific port on their switch and that is where we plug the Polycom unit into.  I think that as long as the two VLANs don't broadcast MAC addresses to each other then this should work.  I will give it a try later this week.
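
The effect discussed in this thread, as an added simulation that is not part of any poster's reply: a consortium port with a MAC limit sees every broadcasting host on a flat VLAN, but only the Polycom once the WAN link and one reserved port per closet share a videoconferencing VLAN. The MAC limit of 3, the shutdown-style violation action, the port names and the MAC addresses are assumptions, and the closet switches are modelled as one logical switch (which presumes the fiber uplinks trunk both VLANs).

```python
from dataclasses import dataclass, field

DATA_VLAN, VC_VLAN = 1, 30            # VLAN numbers suggested in the thread
POLYCOM_MAC = "02:aa:aa:aa:aa:01"     # constructed sample address
# Constructed sample: 300 PCs spread over two closets.
PCS = {f"closet{1 + i % 2}/pc{i}": f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
       for i in range(300)}

@dataclass
class SecuredPort:
    """Consortium-side port with port security (limit and action assumed)."""
    max_macs: int
    learned: set = field(default_factory=set)
    blocked: bool = False

    def receive(self, src_mac):
        if self.blocked:
            return
        if src_mac not in self.learned and len(self.learned) >= self.max_macs:
            self.blocked = True       # violation modelled as shutting the port
            return
        self.learned.add(src_mac)

def simulate(port_vlan, hosts, wan_port="wan", max_macs=3):
    """Each host sends one broadcast (e.g. ARP). The school switch floods it
    only to ports in the sender's VLAN, so the WAN port forwards a frame
    upstream only when the sender shares the WAN port's VLAN."""
    upstream = SecuredPort(max_macs)
    for port, mac in hosts.items():
        if port_vlan[port] == port_vlan[wan_port]:
            upstream.receive(mac)
    return upstream

def flat_network():
    """Single VLAN, as described in the question."""
    hosts = {**PCS, "closet1/vc": POLYCOM_MAC}
    port_vlan = {port: DATA_VLAN for port in hosts}
    port_vlan["wan"] = DATA_VLAN
    return simulate(port_vlan, hosts)

def segmented_network(polycom_port):
    """WAN port plus one reserved port per closet placed in the VC VLAN."""
    hosts = {**PCS, polycom_port: POLYCOM_MAC}
    port_vlan = {port: DATA_VLAN for port in PCS}
    port_vlan.update({"closet1/vc": VC_VLAN, "closet2/vc": VC_VLAN, "wan": VC_VLAN})
    return simulate(port_vlan, hosts)

if __name__ == "__main__":
    for name, r in [("flat", flat_network()), ("vc vlan", segmented_network("closet2/vc"))]:
        print(f"{name}: blocked={r.blocked} macs_seen={len(r.learned)}")
```

In the segmented case the Polycom can be plugged into the reserved port of either closet and the upstream port still learns a single address.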
