Control LAN Access via MAC Address

slattdog asked:
We would like to control what devices have access to our network by MAC address.  We use this functionality in our wireless system, but would like to have the same level of control for cable connected devices as well.  Is there a way to maintain a list of MACs at the switch level?  We use Dell 35xx series switches.
Get a hold of the user's PDF manual for your switch and search for ACL.

There should be documentation on filtering connectivity based on MAC address using the GUI or the CLI.
dell.PNG
TimotiSt, Datacenter Technician
Top Expert 2012

Commented:
Quick howto for port-security on the 3000 series:
http://www.dell.com/Support/Article/us/en/19/HOW10392
Costas Georgiou, Network Administrator

Commented:
In my view it will be even better to do this on the DHCP server if that is in your scope of work.
Author

Commented:
Sabi:  How would you implement this at the DHCP server?  That would just keep them from being assigned an IP, but not from actually accessing the network if they have any valid address for the subnet.

TimotiSt: Thanks, but I'm not familiar with the CLI, so I'd be doing the config in the GUI.

pgm554:  I see the screenshot you attached, but I don't understand all the options.
I was envisioning a way to just manage a list of MACs that the switch would allow, similar to how it is done on the wireless controller.  Perhaps I am barking up the wrong tree here?  Would I have to assign a specific MAC to each port on the switch?
TimotiSt, Datacenter Technician
Top Expert 2012

Commented:
You can follow the words of the CLI version, look for the corresponding GUI option.
The main difference from a wireless controller is that on wired the MAC addresses permitted are usually tied to a port, as a port will have been allocated to some VLAN, and you might not want a user to plug his permitted PC into a different port and possibly access a different network.
It also gives you the option to limit to 1, 2 or 3 MACs per port, depending on setup (PC only, PC + IP phone, etc.), so if somebody brings in an AP/switch, you catch it.
Costas Georgiou, Network Administrator

Commented:
Which DHCP server are you using? Windows Server? And which version, 2008 etc.?

Author

Commented:
TimotiSt:  OK.  So I would need to assign a specific MAC to each port on that switch correct?  I am not familiar with the CLI.  Is there a way I could maintain a script or TXT file and then just run it whenever I need to update the config on the switch?

Sabi:  Windows Server 2012-R2
TimotiSt, Datacenter Technician
Top Expert 2012
Commented:
Most switches support either just setting a maximum number of allowed MACs on a port, and/or allow you to configure exact MAC addresses on a port.

You could configure one on the GUI, download the config file, and check how the CLI command line for it looks. That could be used as a sample to copy-paste in a text file, which you could apply on the CLI.
Author

Commented:
TimotiSt, Sabi:  

Thank you both for the help.  While TimotiSt's answer is more to the point of the question, Sabi's "recommendation" certainly has merit.  And, in fact, sounds much easier to manage.  For our environment (and I would imagine many others) the DHCP filtering is probably more practical.

Of course the DHCP filtering wouldn't keep someone from manually setting their IP address -- which the switch based solution would still prevent -- unless I'm missing something?  Is there a way to apply the server based filtering to DNS, for example, to further block rogue connections?
Distinguished Expert 2018

Commented:
If you're talking about requiring authentication to access the network, you're going to start running into discussions on 802.1x and/or RADIUS.

Since you have Server 2012, you could look at Network Policy and Access Services. Not a short 2 minute discussion, but it is certainly something you could look at as well.

Author

Commented:
I don't really want "authentication".  I just want a way to prevent any device that has not been pre-approved from being placed on the network.  I'm thinking of maintaining a list of authorized MACs as the way to accomplish this, but I'm certainly open to suggestions; both in how to do that, or if I should be attacking it differently altogether.  :-)
TimotiSt, Datacenter Technician
Top Expert 2012

Commented:
Depending on your environment, I'd go with your previous comment: if you don't expect any power users and there's only wired access to that network, just go with MAC filtering for DHCP. It's kept in a central location, happy days. Do keep an eye on things in general; if you become suspicious, implement heavier protection.
It also depends on the risk: what happens if someone does get on your network? Do they get NSA secrets, or can they just try to brute-force a server, which you'll notice from the logs?
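The following script is an added example, not something posted in the thread. It ties together two points raised above: the author's wish to maintain the approved list as a plain text file and push it out on demand, and the author's own caveat that DHCP filtering does nothing against a device with a hand-typed static address. It keeps the Windows Server 2012 R2 DHCP "Allow" filter list in sync with a text file using the DhcpServer module cmdlets (Get-/Add-/Remove-DhcpServerv4Filter, Set-DhcpServerv4FilterList), then reports any MAC this host has seen in its neighbour (ARP) table that is not on the approved list, which is the quickest way to notice a statically-addressed device that bypassed DHCP. Assumptions: the file path and server name are placeholders, the DhcpServer and NetTCPIP modules are installed (both ship with Server 2012 R2), and the account running it has DHCP administrator rights.

```powershell
# Added example: sync a text file of approved MACs to the DHCP Allow filter list,
# then flag any MAC seen at layer 2 that is not approved. Not from the thread.
# Assumptions: placeholder path/server below; DhcpServer + NetTCPIP modules present.
#Requires -Modules DhcpServer, NetTCPIP

param(
    [string]$ApprovedFile = 'C:\netadmin\approved-macs.txt',   # placeholder path
    [string]$DhcpServer   = 'localhost',                       # placeholder server
    [switch]$ReportOnly                                        # compare, change nothing
)

# Normalise common MAC spellings (aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff)
# to the dash-separated upper-case form the DHCP filter cmdlets return.
function ConvertTo-CanonicalMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: '$Mac'" }
    return ($hex -replace '(..)(?!$)', '$1-')
}

# Read the approved list: one MAC per line, optional "# comment" after it;
# blank lines and full-line comments are ignored.
function Get-ApprovedMacs {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
        Where-Object  { $_ } |
        ForEach-Object { ConvertTo-CanonicalMac $_ } |
        Sort-Object -Unique
}

$approved = @(Get-ApprovedMacs -Path $ApprovedFile)
if ($approved.Count -eq 0) { throw "Refusing to sync an empty allow list from $ApprovedFile" }

# What the server currently has in its Allow list.
$current = @(Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow |
             ForEach-Object { ConvertTo-CanonicalMac $_.MacAddress })

$toAdd    = @($approved | Where-Object { $_ -notin $current })
$toRemove = @($current  | Where-Object { $_ -notin $approved })

Write-Host ("Approved in file: {0}  On server: {1}  To add: {2}  To remove: {3}" -f
            $approved.Count, $current.Count, $toAdd.Count, $toRemove.Count)

if (-not $ReportOnly) {
    foreach ($mac in $toAdd) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow -MacAddress $mac `
            -Description "approved-macs.txt $(Get-Date -Format s)" -Force
    }
    foreach ($mac in $toRemove) {
        Remove-DhcpServerv4Filter -ComputerName $DhcpServer -MacAddress $mac
    }
    # Enforce: only MACs on the Allow list are offered a lease.
    Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true
}

# The filter only governs leases. A device with a static IP still talks on the
# wire, so check what this host has actually resolved at layer 2 and flag anything
# not on the approved list for follow-up at the switch port.
$seen = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable', 'Stale' -and
                       $_.IPAddress -notlike '224.*' -and      # skip multicast
                       $_.IPAddress -notlike '239.*' -and
                       $_.IPAddress -notlike '*.255' }         # skip broadcast

$unknown = @($seen | Where-Object { (ConvertTo-CanonicalMac $_.LinkLayerAddress) -notin $approved })
foreach ($n in $unknown) {
    Write-Warning ("Unapproved MAC {0} at {1} on interface {2}" -f
                   $n.LinkLayerAddress, $n.IPAddress, $n.InterfaceAlias)
}
```

Run it with -ReportOnly first to see the add/remove counts before it changes the server, and treat the neighbour-table check as a spot check rather than coverage: it only sees hosts this machine has talked to, so scheduling it on a server that every client reaches (the DHCP or file server) gives the widest view. Anything it flags is a candidate for the per-port MAC lock discussed earlier in the thread.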