Control LAN Access via MAC Address
We would like to control what devices have access to our network by MAC address. We use this functionality in our wireless system, but would like to have the same level of control for cable connected devices as well. Is there a way to maintain a list of MACs at the switch level? We use Dell 35xx series switches.
Quick howto for port-security on the 3000 series:
http://www.dell.com/Support/Article/us/en/19/HOW10392
http://www.dell.com/Support/Article/us/en/19/HOW10392
In my view it will be even better to do this on the DHCP server if that is in your scope of work.
ASKER
Sabi: How would you implement this at the DHCP server? That would just keep them from being assigned an IP, but not from actually accessing the network if have any valid address for the subnet.
TimotiSt: Thanks, but I'm not familiar with the CLI, so I'd be doing the config in the GUI.
pgm554: I see the screenshot you attached, but I don't understand all the options.
I was envisioning a way to just manage a list of MACs that the switch would allow, similar to how it is done on the wireless controller. Perhaps I am barking up the wrong tree here? Would I have to assign a specific MAC to each port on the switch?
TimotiSt: Thanks, but I'm not familiar with the CLI, so I'd be doing the config in the GUI.
pgm554: I see the screenshot you attached, but I don't understand all the options.
I was envisioning a way to just manage a list of MACs that the switch would allow, similar to how it is done on the wireless controller. Perhaps I am barking up the wrong tree here? Would I have to assign a specific MAC to each port on the switch?
You can follow the words of the CLI version, look for the corresponding GUI option.
The main difference from a wireless controller is that on wired the MAC addresses permitted are usually tied to a port, as a port will have be allocated to some vlan, and you might not want a user to plug his permitted PC to a different port, access possibly a different network.
Also gives you the option to limit to 1-2-3 MACs per port, depending on setup (PC only, PC+IPphone, etc), so if somebody brings in an AP/switch, you catch it.
The main difference from a wireless controller is that on wired the MAC addresses permitted are usually tied to a port, as a port will have be allocated to some vlan, and you might not want a user to plug his permitted PC to a different port, access possibly a different network.
Also gives you the option to limit to 1-2-3 MACs per port, depending on setup (PC only, PC+IPphone, etc), so if somebody brings in an AP/switch, you catch it.
Which DHCP server are you using ? Windows Server? and which version 2008 etc?
ASKER
TimotiSt: OK. So I would need to assign a specific MAC to each port on that switch correct? I am not familiar with the CLI. Is there a way I could maintain a script or TXT file and then just run it whenever I need to update the config on the switch?
Sabi: Windows Server 2012-R2
Sabi: Windows Server 2012-R2
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
TimotiSt, Sabi:
Thank you both for the help. While TimotiSt's answer is more to the point of the question, Sabi's "recommendation" certainly has merit. And, in fact, sounds much easier to manage. For our environment (and I would imagine many others) the DHCP filtering is probably more practical.
Of course the DHCP filtering wouldn't keep someone from manually setting their IP address -- which the switch based solution would still prevent -- unless I'm missing something? Is there a way to apply the Server based filtering to DNS, for example, to further block rouge connections?
Thank you both for the help. While TimotiSt's answer is more to the point of the question, Sabi's "recommendation" certainly has merit. And, in fact, sounds much easier to manage. For our environment (and I would imagine many others) the DHCP filtering is probably more practical.
Of course the DHCP filtering wouldn't keep someone from manually setting their IP address -- which the switch based solution would still prevent -- unless I'm missing something? Is there a way to apply the Server based filtering to DNS, for example, to further block rouge connections?
If you're talking about requiring authentication to access the network, you're going to start running into discussions on 802.1x and/or RADIUS.
Since you have Server 2012, you could look at Network Policy and Access Services. Not a short 2 minute discussion, but it is certainly something you could look at as well.
Since you have Server 2012, you could look at Network Policy and Access Services. Not a short 2 minute discussion, but it is certainly something you could look at as well.
ASKER
I don't really want "authentication". I just want a way to prevent any device that has not been pre-approved from being placed on the network. I'm thinking that maintaining a list of authorized MACs as the way to accomplish this, but I'm certainly open to suggestions; both in how to do that, or if I should be attacking it differently all together. :-)
Depending on your environment, I'd go with your previous comment: if you don't expect any power users and there's only wired access to that network, just go with MAC filtering for DHCP. It's kept in a central location, happy days. Do keep an eye on things in general, if you become suspicious, implement heavier protection.
Also depends on the risk: what happens, if someone does get on your network? Do they get NSA secrets, or they can just try to bruteforce a server, which you'll notice from the logs?
Also depends on the risk: what happens, if someone does get on your network? Do they get NSA secrets, or they can just try to bruteforce a server, which you'll notice from the logs?
The should be documentation to filter connectivity based on MAC address using the GUI or CLI.
dell.PNG