Control LAN Access via MAC Address

We would like to control what devices have access to our network by MAC address.  We use this functionality in our wireless system, but would like to have the same level of control for cable connected devices as well.  Is there a way to maintain a list of MACs at the switch level?  We use Dell 35xx series switches.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Get a hold of the users PDF manual for your switch and search for ACL .

The should be documentation to filter connectivity based on MAC address using the GUI  or CLI.
TimotiStDatacenter TechnicianCommented:
Quick howto for port-security on the 3000 series:
Costas GeorgiouNetwork AdministratorCommented:
In my view it will be even better to do this on the DHCP server if that is in your scope of work.
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

slattdogAuthor Commented:
Sabi:  How would you implement this at the DHCP server?  That would just keep them from being assigned an IP, but not from actually accessing the network if have any valid address for the subnet.  

TimotiSt: Thanks, but I'm not familiar with the CLI, so I'd be doing the config in the GUI.

pgm554:  I see the screenshot you attached, but I don't understand all the options.

I was envisioning a way to just manage a list of MACs that the switch would allow, similar to how it is done on the wireless controller.  Perhaps I am barking up the wrong tree here?  Would I have to assign a specific MAC to each port on the switch?
TimotiStDatacenter TechnicianCommented:
You can follow the words of the CLI version, look for the corresponding GUI option.
The main difference from a wireless controller is that on wired the MAC addresses permitted are usually tied to a port, as a port will have be allocated to some vlan, and you might not want a user to plug his permitted PC to a different port, access possibly a different network.
Also gives you the option to limit to 1-2-3 MACs per port, depending on setup (PC only, PC+IPphone, etc), so if somebody brings in an AP/switch, you catch it.
Costas GeorgiouNetwork AdministratorCommented:
Which DHCP server are you using ? Windows Server? and which version 2008 etc?
slattdogAuthor Commented:
TimotiSt:  OK.  So I would need to assign a specific MAC to each port on that switch correct?  I am not familiar with the CLI.  Is there a way I could maintain a script or TXT file and then just run it whenever I need to update the config on the switch?

Sabi:  Windows Server 2012-R2
TimotiStDatacenter TechnicianCommented:
Most switches support either just maximizing the number of allowed MACs on a port, and/or allow you to config exact MAC addresses on a port.

You could configure one on the GUI, download the config file, and check how the CLI command line for it looks. That could be used as a sample to copy-paste in a text file, which you could apply on the CLI.
Costas GeorgiouNetwork AdministratorCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
slattdogAuthor Commented:
TimotiSt, Sabi:  

Thank you both for the help.  While TimotiSt's answer is more to the point of the question, Sabi's "recommendation" certainly has merit.  And, in fact, sounds much easier to manage.  For our environment (and I would imagine many others) the DHCP filtering is probably more practical.

Of course the DHCP filtering wouldn't keep someone from manually setting their IP address -- which the switch based solution would still prevent -- unless I'm missing something?  Is there a way to apply the Server based filtering to DNS, for example, to further block rouge connections?
If you're talking about requiring authentication to access the network, you're going to start running into discussions on 802.1x and/or RADIUS.

Since you have Server 2012, you could look at Network Policy and Access Services. Not a short 2 minute discussion, but it is certainly something you could look at as well.
slattdogAuthor Commented:
I don't really want "authentication".  I just want a way to prevent any device that has not been pre-approved from being placed on the network.  I'm thinking that maintaining a list of authorized MACs as the way to accomplish this, but I'm certainly open to suggestions; both in how to do that, or if I should be attacking it differently all together.  :-)
TimotiStDatacenter TechnicianCommented:
Depending on your environment, I'd go with your previous comment: if you don't expect any power users and there's only wired access to that network, just go with MAC filtering for DHCP. It's kept in a central location, happy days. Do keep an eye on things in general, if you become suspicious, implement heavier protection.
Also depends on the risk: what happens, if someone does get on your network? Do they get NSA secrets, or they can just try to bruteforce a server, which you'll notice from the logs?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.