09-01-2010 07:25 AM - edited 03-11-2019 11:33 AM
We have a star topology using EIGRP and VRFs. We recently added a new site to our network. However, what makes this site different from the rest of our sites is that it is making use of another company's facilities and Comcast connection. The spare Comcast connection terminates at all their buildings as well as our building. It's only a handful of users. The few users will use this Comcast connection to access resources on our network off the 6509. Please see the diagram. They have connectivity, but as of now no security on this connection. If someone from that company plugged computers into that connection at any building where it terminates and used the same line those users are using, they would gain access to our resources and network. What would you recommend we do to secure the connection and users? Any suggestions would be great.
users ==> our switch ===> other company panel ===> comcast 311 box ===> cloud ====> comcast 311 box === 6509 === network resources
We do have an ASA 5520 that protects our network and have rules in place for the other company. They have access to certain resources.
09-01-2010 03:13 PM
What you need is NAC. NAC can allow and authenticate hosts and give them network access only if they meet predefined criteria (MACs, service packs, OSes, antivirus).
You could also hardcode the MACs that you expect to be plugged in on the switch and enable port security, so other computers plugged in will not be allowed and the port will go error-disabled.
I hope it helps,
PK
PS: The AAA forum can also help with suggestions on this.
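The port-security suggestion above, written out as an added example (editor's illustration, not configuration posted in this thread). It assumes a Cisco IOS access switch, GigabitEthernet0/1 on VLAN 10 as a remote user's port, and 0011.2233.4455 as that user's MAC; all three are hypothetical.

```cisco
! Added example, not from the thread. Interface name, VLAN and MAC are hypothetical.
interface GigabitEthernet0/1
 description Remote-site user PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Only one MAC may ever be active on this port
 switchport port-security maximum 1
 ! Any other MAC err-disables the port (the behaviour described in the reply)
 switchport port-security violation shutdown
 ! Pin the expected MAC statically...
 switchport port-security mac-address 0011.2233.4455
 ! ...or, instead of the static line, learn the first MAC seen and keep it:
 ! switchport port-security mac-address sticky
 spanning-tree portfast
 no shutdown
!
! Bring a violated port back automatically after 5 minutes instead of
! requiring a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface GigabitEthernet0/1
! show port-security address
```

This only controls the ports on the switch the original poster administers. It does nothing for a cable plugged directly into the Comcast panel in one of the other company's buildings, which is the exposure the follow-up post raises.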
09-02-2010 05:02 AM
Actually, the few users are the only folks that will have access to our switch. I'm not concerned about the switch; I am concerned about the
connection on the Comcast box. Say connection 1, which terminates in the building where the users are, also terminates in several other buildings, of which my building is one. If anyone from the other company plugs something into Comcast connection 1, they will gain access to our resources. How will NAC work on the Comcast box?
09-02-2010 09:54 AM
So, is the question that you want to apply access control on the Comcast device?
I am not sure how you would do that or what the device supports. Is it a Cisco device? What does it do exactly? Is it your ISP gateway? The 6509 could provide access control also. If Comcast is your gateway, maybe ACLs on it will allow access to what you want.
I hope it helps,
PK
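The "ACLs on the 6509" idea from the reply above, as an added example (editor's illustration, not configuration from this thread). It assumes the Comcast 311 box hands off to the 6509 on interface Vlan200 (192.0.2.1/24), the three remote users' PCs have fixed addresses 192.0.2.10 through 192.0.2.12, and the only resources they need are a file server at 198.51.100.20 (SMB) and a web application at 198.51.100.30 (HTTPS). Every address, VLAN and description here is hypothetical.

```cisco
! Added example, not from the thread. All addresses and names are hypothetical.
ip access-list extended COMCAST-IN
 remark Only the known remote hosts, and only to the resources they need
 permit tcp host 192.0.2.10 host 198.51.100.20 eq 445
 permit tcp host 192.0.2.11 host 198.51.100.20 eq 445
 permit tcp host 192.0.2.12 host 198.51.100.20 eq 445
 permit tcp host 192.0.2.10 host 198.51.100.30 eq 443
 permit tcp host 192.0.2.11 host 198.51.100.30 eq 443
 permit tcp host 192.0.2.12 host 198.51.100.30 eq 443
 remark Allow ping to the gateway only, for troubleshooting
 permit icmp 192.0.2.0 0.0.0.255 host 192.0.2.1 echo
 remark Everything else arriving from the shared Comcast segment is dropped and logged
 deny ip any any log
!
interface Vlan200
 description Comcast 311 handoff (treated as untrusted)
 ip address 192.0.2.1 255.255.255.0
 ip access-group COMCAST-IN in
!
! Verification: plug a test host into the Comcast segment with an address
! that is not in the permit list, try to reach 198.51.100.20, then check
! that the hit counter on the deny line increments:
! show ip access-lists COMCAST-IN
```

The ACL narrows what anyone on the Comcast segment can reach to the listed hosts and ports, which is the scoping the reply describes. It is keyed on source address only, so it does not authenticate the user: a device plugged into the panel in another building and set to one of the permitted addresses would match the permit lines. It reduces exposure; it is not a substitute for authenticating the remote hosts.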