This suggestion's feasibility will really depend on the size of the network (how many hosts), but one "no capital expenditure" option is to stop using dynamic DHCP assignments. With static assignments and no dynamic pools for new hosts to obtain IP addresses from, new devices plugged into the network won't be able to route to the central hub (and on to the Internet).

Another option that may be no-cost would be to enable mac-address limiting on the switches at the spoke offices and to disable ports that you know don't have devices connected. For example, on a Cat3500XL you could use "port security max-mac-count 1" and "port security action shutdown" at the interface level. (I'm not sure if you can do this on a 802.1q trunk, so if you've got IP phones, this may not be possible.) This would also have the side-effect of cutting off network access for people that move their own computers to different offices. (That could be good or bad, depending on your viewpoint I guess.)

Angel-moon,

I had a chance to read to other two replies before crafting my repsonse to make sure I wasn't telling you something you have already heard about.. There was a couple of things thrown out and I would like to explain a little about each of them..

CCA - Cisco Clean Access. While yes it does provide a way to stop users from accessing your network it's main function is to asses the "Health" of the computer before it grants access to the network. You might be able to configure it such a way to prevent access to your network but I feel it might entail an overly complex configuration. (I am in the process of building up CCA in my lab so do not that much about it's true capabilities just what I have read)

Static IP Addressing instead of DHCP. This might work, but only if the users who are connecting into the network have no idea what addressing you are using. If they find out, then they can start "trying" different addresses until they find one that works. Not a very good solution really.

port security max-mac-count 1 - Ok now we are getting somewhere, but this is not the right direction either. What happens if you are using VoIP, now there will be at least 2 mac addresses coming down that pipe..

What we really want to look at is IBNS - Idenity Based Network Security. This will use 802.1x to Authenticate the user before allowing the port to go active. If that user has a valid account in the windows Active Directory then the user will be allowed to gain access to the network. If that user does not, then just like the (port security max-mac-count) command the port will be put in a "shutdown" state. You will need to re-enable that port manually. So even with this solution there are pros and cons.

Remember now IBNS and NAC are highly dependent on having Cisco throughout the network, not just at the router level.

One more thing I thought of: you might be able to use dynamic port VLAN membersip with VMPS to block unauthorized MAC addresses. This solution assumes a lot however:

- Won't work with IP Phones (trunking)

- Assumes Cisco switches everywhere

- Assumes you have a box capable of being the VMPS server

- Bad things will probably happen if the VMPS server goes away

On the plus side:

+ You can config a backup VMPS

+ The MAC-to-VLAN mappings can be on a TFTP server so both VMPS' share them

+ If you do not use "secure mode" then ports do not get turned off when a bad MAC is seen (bad MACs are blocked, good ones are passed), so no manual resetting of disabled ports

I'm not sure if it's a valid config to have the VMPS server across a WAN link or not; it may be a requirement to have a VMPS (and backup) at each site.

Hi

there several solution for your problem, but i suggest the easiest one which is as following:

configure each cisco switch at each site in a way that all existing computers that have access to the internet will be plugged to specific port and shut down all remaining ports so in that way if any one come to get access and plugged his PC to an empty port it wont have access unless he unplugged one of the existing ones and out his PC instead

and for more robust one you have to get mac addresses to all existing PCs add them to the switch

so in this way whom ever plug his PC in whatever port he will not get access

tks