• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 314

Port Security and MAC addresses

I'm at a small school (300 networked devices) that is having an issue with port security.  It isn't set up on the network here, but they have a WAN connection to a state-wide consortium that does video conferencing with Polycom units.  That group does use port security, and when we try to connect our Polycom to the main network and then out to them it is getting blocked because of the flood of MAC addresses coming off of our main network.  If I shut off all computers on the network, reboot the WAN switch, then it works because there are only a few MAC addresses.  Once the rest of the network is back up though it gets blocked again.  How can I stop them from seeing all of our network MAC addresses?  We have Dell PowerConnect Gigabit 2748 switches in each closet and each closet is connected with fiber.  We are on one VLAN, Server 2003 Std, all Windows XP/Vista/7.  Wiscnet is our Internet provider and they supply and manage the router/firewall.  Our solution for the time being is to have it connected to its own switch off of the network and it stays in one room, but it would be nice to be able to move it anywhere in the building and have it connect.
Asked: DDassow01
1 Solution
Jakob Digranes, Senior Consultant, commented:
I would expand the VLAN strategy to more than one VLAN.
With limited knowledge of your network, here's a suggestion:

* VLAN 1 (??) Default, the one you have already
* VLAN 10 - new VLAN for students
* VLAN 20 - new VLAN for teachers (?)
* VLAN 30 - new VLAN for videoconferencing
- This would reduce your broadcast domain, but if ports were assigned to VLANs statically, you're back where you started with being locked to one location. Unless you assign one port on each switch.

What you could do, a bit more advanced, is to deploy an 802.1X strategy with IAS/RADIUS, where VLAN assignment is dynamic based on the computer's group membership, defined in AD/IAS.
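As an added illustration of why the separate VLAN helps (this is example code written for this page, not part of the thread or any switch's real implementation), the following small model shows how a port-security MAC limit reacts when broadcasts from a flat VLAN reach the secured port, versus when the video unit sits alone in its own VLAN. The MAC addresses, host count and limit of 5 learned MACs are constructed for the example.

```python
from collections import namedtuple

# Constructed model: a switch port with port security learns source MACs up to
# a limit, then flags a violation (a real switch would err-disable the port).
Frame = namedtuple("Frame", "src_mac vlan")


class SecuredPort:
    def __init__(self, max_macs):
        self.max_macs = max_macs
        self.learned = set()
        self.violated = False

    def receive(self, frame):
        if frame.src_mac in self.learned:
            return
        if len(self.learned) >= self.max_macs:
            self.violated = True      # over the limit: the port is blocked
            return
        self.learned.add(frame.src_mac)


def lan_broadcasts(n_hosts, host_vlan, polycom_vlan):
    """Constructed traffic: each host sends one broadcast (e.g. an ARP request),
    plus one frame from the Polycom. All MACs here are made up."""
    frames = [Frame("00:11:22:33:%02x:%02x" % (i // 256, i % 256), host_vlan)
              for i in range(n_hosts)]
    frames.append(Frame("00:e0:db:00:00:01", polycom_vlan))  # hypothetical Polycom MAC
    return frames


def uplink_to_consortium(frames, access_vlan):
    """Only frames in the access VLAN of the port feeding the consortium link
    ever reach the consortium's secured port; other VLANs stay on our side."""
    return [f for f in frames if f.vlan == access_vlan]


def simulate(n_hosts, host_vlan, polycom_vlan, uplink_vlan, max_macs=5):
    """Return (MACs learned by the consortium port, whether it went into violation)."""
    port = SecuredPort(max_macs)
    traffic = lan_broadcasts(n_hosts, host_vlan, polycom_vlan)
    for frame in uplink_to_consortium(traffic, uplink_vlan):
        port.receive(frame)
    return len(port.learned), port.violated


if __name__ == "__main__":
    # Flat network: 300 hosts and the Polycom share VLAN 1 -> limit exceeded.
    print("one VLAN:", simulate(300, host_vlan=1, polycom_vlan=1, uplink_vlan=1))
    # Video VLAN 30 on the port toward the consortium -> only the Polycom's MAC.
    print("VLAN 30:", simulate(300, host_vlan=1, polycom_vlan=30, uplink_vlan=30))
```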
DDassow01 (Author) commented:
I could do one or two ports at each closet to be set to a video conferencing VLAN.  I have never set up VLANs before.  Do I set up the new VLAN on each switch? And the router?
Jakob Digranes, Senior Consultant, commented:
You create them in both places.
On the switch, you log on and set it to managed switch.
Create the VLANs somewhere in the switch, then you assign ports to each VLAN.
Remember, the uplink port must be what is called a TRUNK port, i.e. that port has to allow ALL VLANs.

Then you would have to create the same VLANs on the router/firewall and assign an IP address to the VLAN interface.

But it was true that you had no control over the router?

What kind of connection do you have to the other videoconferencing site? VPN dial-up, VPN site-to-site or IP-VPN from the ISP?

There could perhaps be a way not to address MACs to the other switch as well?
Jakob Digranes, Senior Consultant, commented:
VLAN on switch:

Go to the menu VLAN Configuration, create VLANs and configure PORT membership.

Here's the manual: http://support.euro.dell.com/support/edocs/network/PC27xx/en/index.htm
Will try to look up whether there's a way to not advertise all MACs to the other network.
DDassow01 (Author) commented:
I won't need the two networks to talk to each other.  The video conferencing site is through a T1.  They just give us a specific port on their switch and that is where we plug the Polycom unit into.  I think that as long as the two VLANs don't broadcast MAC addresses to each other then this should work.  I will give it a try later this week.