slattdog (United States of America) asked:
Control LAN Access via MAC Address

We would like to control what devices have access to our network by MAC address.  We use this functionality in our wireless system, but would like to have the same level of control for cable connected devices as well.  Is there a way to maintain a list of MACs at the switch level?  We use Dell 35xx series switches.
pgm554 (United States of America):

Get a hold of the user's PDF manual for your switch and search for ACL.

There should be documentation on filtering connectivity based on MAC address using the GUI or CLI.
Quick howto for port-security on the 3000 series:
In my view it will be even better to do this on the DHCP server if that is in your scope of work.
slattdog:
Sabi: How would you implement this at the DHCP server? That would just keep them from being assigned an IP, but not from actually accessing the network if they have any valid address for the subnet.

TimotiSt: Thanks, but I'm not familiar with the CLI, so I'd be doing the config in the GUI.

pgm554:  I see the screenshot you attached, but I don't understand all the options.

I was envisioning a way to just manage a list of MACs that the switch would allow, similar to how it is done on the wireless controller.  Perhaps I am barking up the wrong tree here?  Would I have to assign a specific MAC to each port on the switch?
You can follow the words of the CLI version and look for the corresponding GUI option.
The main difference from a wireless controller is that on wired the permitted MAC addresses are usually tied to a port, as a port will have been allocated to some VLAN, and you might not want a user to plug his permitted PC into a different port and possibly access a different network.
It also gives you the option to limit to 1-2-3 MACs per port, depending on setup (PC only, PC+IP phone, etc.), so if somebody brings in an AP/switch, you catch it.
Which DHCP server are you using? Windows Server? And which version, 2008 etc.?
TimotiSt: OK. So I would need to assign a specific MAC to each port on that switch, correct? I am not familiar with the CLI. Is there a way I could maintain a script or TXT file and then just run it whenever I need to update the config on the switch?

Sabi:  Windows Server 2012-R2
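One way to do what slattdog asks for above, namely keep the approved list in a text file and regenerate the switch configuration from it, as an added example that is not part of the thread and not Dell's own tooling. It reads a CSV of (port, MAC) pairs and writes out a Dell PowerConnect 35xx CLI block implementing TimotiSt's per-port model: one `port security max N` per port plus a static `bridge address ... permanent` entry for each approved MAC. The CLI command forms are assumed from the PowerConnect 3500 CLI reference and should be checked against the manual for your firmware; the CSV columns and file names are the example's own.

```powershell
# Added example (not from the thread): regenerate Dell PowerConnect 35xx
# port-security config from a CSV of approved (port, MAC) pairs.
# The CLI forms used ("port security max", "port security discard trap",
# "bridge address ... permanent") are assumed from the PowerConnect 3500 CLI
# reference; verify them against the manual for your firmware before pasting.
param(
    [string]$CsvPath = '.\approved-macs.csv',
    [string]$OutPath = '.\switch-portsec.txt'
)

# Constructed sample input, written only if no CSV exists yet.
if (-not (Test-Path $CsvPath)) {
@'
Port,Mac,Description
1/e1,00:11:22:33:44:55,Reception PC
1/e1,00-11-22-33-44-66,Reception IP phone
1/e2,001122334477,Finance PC
'@ | Set-Content -Path $CsvPath
}

function Normalize-Mac {
    # Accept 001122334455, 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455
    # and return the colon form used by the switch CLI.
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    return $hex -replace '(..)(?!$)', '$1:'
}

$rows = Import-Csv -Path $CsvPath | ForEach-Object {
    [pscustomobject]@{
        Port        = $_.Port.Trim()
        Mac         = Normalize-Mac $_.Mac
        Description = $_.Description
    }
}

# A MAC approved on two ports is almost always a typo; refuse to emit config for it.
$dupes = $rows | Group-Object Mac | Where-Object Count -gt 1
if ($dupes) { throw "MAC listed on more than one port: $($dupes.Name -join ', ')" }

$lines = New-Object System.Collections.Generic.List[string]
$lines.Add('configure')
foreach ($group in ($rows | Group-Object Port)) {
    $port = $group.Name
    $macs = @($group.Group.Mac)
    $lines.Add("interface ethernet $port")
    # Permit exactly the approved count on this port; frames from any other
    # source MAC are discarded and a trap is raised at most once per 60 seconds.
    $lines.Add("port security max $($macs.Count)")
    $lines.Add("port security discard trap 60")
    $lines.Add('exit')
    foreach ($m in $macs) {
        # Static entry so the approved MAC is bound to this port and survives a reboot.
        $lines.Add("bridge address $m ethernet $port permanent")
    }
}
$lines.Add('exit')
$lines | Set-Content -Path $OutPath

$portCount = @($rows | Group-Object Port).Count
Write-Output "Wrote $($lines.Count) lines to $OutPath for $(@($rows).Count) approved MACs on $portCount ports"
```

Run it after each change to the CSV and paste the contents of the output file into the switch CLI (or apply the same settings through the GUI's port security pages). Because each MAC is tied to a port, moving an approved PC to another port means editing the CSV and reapplying, which is the trade-off TimotiSt describes above.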
TimotiSt, Sabi:  

Thank you both for the help.  While TimotiSt's answer is more to the point of the question, Sabi's "recommendation" certainly has merit.  And, in fact, sounds much easier to manage.  For our environment (and I would imagine many others) the DHCP filtering is probably more practical.

Of course the DHCP filtering wouldn't keep someone from manually setting their IP address -- which the switch based solution would still prevent -- unless I'm missing something? Is there a way to apply the server based filtering to DNS, for example, to further block rogue connections?
If you're talking about requiring authentication to access the network, you're going to start running into discussions on 802.1x and/or RADIUS.

Since you have Server 2012, you could look at Network Policy and Access Services. Not a short 2 minute discussion, but it is certainly something you could look at as well.
I don't really want "authentication".  I just want a way to prevent any device that has not been pre-approved from being placed on the network.  I'm thinking that maintaining a list of authorized MACs as the way to accomplish this, but I'm certainly open to suggestions; both in how to do that, or if I should be attacking it differently all together.  :-)
Depending on your environment, I'd go with your previous comment: if you don't expect any power users and there's only wired access to that network, just go with MAC filtering for DHCP. It's kept in a central location, happy days. Do keep an eye on things in general, if you become suspicious, implement heavier protection.
It also depends on the risk: what happens if someone does get on your network? Do they get NSA secrets, or can they just try to brute-force a server, which you'll notice from the logs?
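The central DHCP allow list that Sabi and TimotiSt recommend above, as an added example that is not part of the thread and not Microsoft's own sample: it synchronises the MAC allow list on a Windows Server 2012 R2 DHCP server from a CSV of approved MACs, so the approved list lives in one file and the server is brought in line with it. It uses the standard DhcpServer module cmdlets (Get-/Add-/Remove-DhcpServerv4Filter and Set-DhcpServerv4FilterList); the server name, CSV columns and file path are the example's own assumptions.

```powershell
# Added example (not from the thread): sync the DHCP MAC allow list on a
# Windows Server 2012 R2 DHCP server from a CSV of approved MACs.
# Needs the DhcpServer module (DHCP Server role or RSAT) and DHCP Administrators
# rights on the target server. Server name and CSV layout are assumptions.
param(
    [string]$CsvPath    = '.\approved-macs.csv',
    [string]$DhcpServer = 'dhcp01.corp.example',   # assumed hostname
    [switch]$Enforce                                # also remove entries not in the CSV
)
Import-Module DhcpServer -ErrorAction Stop

# Constructed sample input, written only if no CSV exists yet.
if (-not (Test-Path $CsvPath)) {
@'
Mac,Description
00:11:22:33:44:55,Reception PC
00-11-22-33-44-66,Reception IP phone
001122334477,Finance PC
'@ | Set-Content -Path $CsvPath
}

# Approved MACs from the CSV, keyed in the dash form the DHCP cmdlets accept.
$approved = @{}
foreach ($row in Import-Csv -Path $CsvPath) {
    $hex = ($row.Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$($row.Mac)'" }
    $approved[($hex -replace '(..)(?!$)', '$1-')] = $row.Description
}

# What the server currently allows (an empty list returns nothing).
$current = @{}
foreach ($f in Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow) {
    $current[$f.MacAddress.ToUpper()] = $f.Description
}

# Add approved MACs the server does not yet have.
foreach ($mac in $approved.Keys) {
    if (-not $current.ContainsKey($mac)) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $mac -Description $approved[$mac]
        Write-Output "Added   $mac ($($approved[$mac]))"
    }
}

# Report (or, with -Enforce, remove) allow entries no longer in the CSV.
foreach ($mac in $current.Keys) {
    if (-not $approved.ContainsKey($mac)) {
        if ($Enforce) {
            Remove-DhcpServerv4Filter -ComputerName $DhcpServer -MacAddress $mac
            Write-Output "Removed $mac ($($current[$mac]))"
        } else {
            Write-Warning "Stale allow entry not in CSV: $mac ($($current[$mac])); rerun with -Enforce to remove"
        }
    }
}

# Allow-list enforcement is a server-wide switch; until it is on, the entries do nothing.
$list = Get-DhcpServerv4FilterList -ComputerName $DhcpServer
if (-not $list.Allow) {
    Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true
    Write-Output 'Enabled the DHCP allow list; unlisted clients will no longer receive a lease'
}
```

Run it without `-Enforce` first so stale entries are only reported. As slattdog notes above, this controls only who gets a lease: a device with a manually set address on the subnet still has link access, which is what the switch-side port security covers.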