
VLANs and Security - Concept question

Level 1

My organization has several 2948 and 3550 series Cisco switches with the standard IOS.

I've been tasked with identifying a means of locking our network down so that only authorized NICs can get on the network.

I've been told that TACACS+ or VLANs can help me do this. I've also been told we can set up a RADIUS server.

What I need to do is ensure that if a vendor/contractor comes in and plugs into an RJ-45 jack, he can't access our network.

One gentleman I spoke with talked about setting up a 'guest' VLAN: when the switch detects an unauthorized MAC address, it drops it into the guest VLAN. So even if someone achieves unauthorized physical connectivity, our switches are programmed to put them into a harmless VLAN.

I guess from a novice standpoint, what do companies do to manage this? I would hate to have to program MAC address tables manually across all of our Cisco switches. Seems like it'd be an administrative headache.

What do you guys recommend? If YOUR boss came up to you and said that we need to ensure no unauthorized computers should be allowed to plug into our network, how would you handle that?

Last, we are a mom and pop. We are not GTE, GE, Bank of America or some multi-billion-dollar firm with deep pockets. We have to find a way to hit this challenge for the LEAST amount of investment.

I imagine that, were this type of system available, I'd go into some utility, add a MAC address and assign it to a VLAN, and it would propagate out to access points, switches, etc.

4 Replies

Level 1

Hi, I think 802.1x is what you are talking about. Please see this to know how to configure it:


Level 1

I know of a few ways to accomplish your goal. Each of course has its shortcomings as well as good points. Here they are:

1. Port Security

Pros: Can restrict ports so that any number of MAC addresses will be able to connect. You just specify the number. If you leave the default of 1 MAC per port then that would accomplish your goal.

Cons: Each time a device moves from 1 switchport to the next you must reconfigure the switchport by clearing the MAC it had learned previously. This method will NOT keep someone from plugging into a port that has never learned a MAC address. Port Security requires some work up front to configure the switchports but will keep someone from unplugging a device and plugging their machine in.

2. Dynamic VLANs

Pros: Allows you to move a pc anywhere you would like without reconfiguring a single switchport.

Cons: Must have a switch capable of performing the duties of the VMPS server (4006 and up, if my memory serves me well). Must build in redundancy by having multiple VMPS servers and FTP servers for the config files which house the VLAN-to-MAC address pairings. This method is not the most preferred.

3. Dummy VLAN

Pros: This method requires creating a VLAN but NOT creating the Layer 3 interface to route packets. The goal is to trap the user in a Layer 2 VLAN that gets them nowhere. Place all ports that have nothing currently plugged into them into the VLAN you create.

Cons: Requires you stay on top of any additions or moves of equipment because you will need to change the switch port to reflect the addition or deletion.

This is, in my opinion, the most sound solution for you. It does require ensuring any IT staff understand that all unused ports will be placed in the Layer 2 VLAN, and if they move a PC or add a new PC they will need to contact the folks that maintain the switching infrastructure to make the appropriate changes.

4. You can also look into 802.1x. I know this requires a RADIUS server and a client which will need to be installed on each machine. I don't have any experience with this method. The premise is simply that every user is required to provide credentials (RADIUS server) prior to even being offered a DHCP lease.



Guys! Thank you!

Brian, your idea about using #3, the DUMMY VLAN, might be a good idea. I wonder if this is like what the guy I was talking to earlier meant about setting up a GUEST VLAN. Same concept, I think.

Maybe this wouldn't be too much of a hassle, other than the fact that none of our patch panel ports are labelled. So we'd have to make sure we know which switch and port a particular machine is plugged into, as well as that machine's MAC address.

I wish there was a utility where you could put a MAC address in and have the software tell you what switch and port it was actively plugged into.

Is there anything like that around?

Since you have 3550s, you should be able to use the following command to obtain the port a certain MAC address was learned on:

switch1#trace mac mac-address-machine-1 mac-address-machine-2

Where mac-address-machine-1 and mac-address-machine-2 are in the form xxxx.xxxx.xxxx (e.g. 0010.0e21.49cf).

The MAC addresses will need to be in the same VLAN. You can determine this by performing a show arp on your Layer 3 device or a show mac addr dyn on the switch. The output of the command will show you the switch and port the MAC addresses can be found on.

As for the dummy or guest VLAN, we use vlan 99. Any port that doesn't have anything plugged into it we configure for static membership in vlan 99. To determine if a port is currently in use you can use the following command:

switch1#show int status | incl notconnect

The output of the command will reveal only those ports that don't detect a host on the other end. Most current Windows machines will show connected even if the machine is powered off at the time you issue the command. Printers, on the other hand, normally do not.

We then have the hardware technicians, or whomever is going to patch the machine in, call us from the closet, where we then configure the port for the appropriate VLAN and, if it is a PC being moved, put the old port back into vlan 99.
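The dummy-VLAN method (#3 in the reply above) and the notconnect/MAC-lookup steps in this reply can be scripted from switch output. The Python below is an added example, not code from this thread: it parses constructed samples shaped like the 3550's `show interfaces status` and `show mac address-table dynamic` output, lists the notconnect access ports, emits the IOS lines that give them static membership in vlan 99, and finds the local port a MAC was learned on. The column layout of the samples and the `switchport` commands are assumed to match the 3550's IOS.

```python
import re

# Constructed sample in the shape of a 3550's "show interfaces status" output.
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    10         a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3     printer-2f         notconnect   10           auto   auto 10/100BaseTX
Gi0/1     uplink             connected    trunk        full   1000 1000BaseSX
"""
# Constructed sample in the shape of "show mac address-table dynamic" output.
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0010.0e21.49cf    DYNAMIC     Fa0/1
  10    0050.56c0.0008    DYNAMIC     Gi0/1
"""
# The Name column may be empty or contain spaces, so anchor on the status keyword.
STATUS_RE = re.compile(
    r"^(?P<port>[A-Z][a-z]+\d+/\d+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)")

def notconnect_ports(status_output):
    """Access ports showing 'notconnect': candidates for the dummy VLAN (trunks skipped)."""
    ports = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if m and m["status"] == "notconnect" and m["vlan"] != "trunk":
            ports.append(m["port"])
    return ports

def dummy_vlan_config(ports, vlan=99):
    """IOS lines giving each port static membership in the Layer-2-only dummy VLAN."""
    return [cmd for port in ports for cmd in (
        f"interface {port}", " switchport mode access", f" switchport access vlan {vlan}")]

def normalize_mac(mac):
    """Accept 00:10:0E:21:49:CF, 00-10-0e-21-49-cf or 0010.0e21.49cf; return IOS form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def locate_mac(mac_table_output, mac):
    """(vlan, port) where this switch learned the MAC, or None if it was not seen here."""
    wanted = normalize_mac(mac)
    for line in mac_table_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1].lower() == wanted:
            return fields[0], fields[3]
    return None
```

Review the notconnect list before pushing the generated config: as noted above, a powered-off printer (Fa0/3 in the sample) also shows notconnect. A MAC learned on a trunk such as Gi0/1 only tells you the host is behind that uplink, so repeat the lookup on the next switch.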