01-27-2022 03:20 AM
Hi and thanks for reading.
I'm an IT manager/Sysadmin at a site trying to figure out how to deal with an operational problem. CCNA, but by no means a networking expert.
It's a hotel, and we have 500+ TVs running on CAT6. Due to PCI, we need port security on the LAN ports that TVs are plugging into (Ninja Edit: the network is segmented as well). The original "solution" was to set the ports to sticky-MAC. This sort of works, however when the maintenance guys replace a broken TV, it locks the port because it sees a different MAC address. This creates operational issues and guest complaints because our networking is outsourced, and the SLA for a downed port is 4 hours. This is a long time for a guest TV to be out of service....
I'd like to create a huge whitelist of all our current TVs, plus all the backups we have sitting in the storage room and use that for port security. I'm not sure if this is possible with this many devices.
Any other suggestions?
Thanks in advance..
01-27-2022 03:30 AM
Another option I can think of here, a very good use case: 802.1x authentication with MAC address.
If the switches are Cisco, then deploying this solution will help you.
The port authentication can be done based on OUI (that is, TV or known devices); if there is any unknown device, it will be redirected to a guest login page.
01-27-2022 03:53 AM
The port security violation mode can be
1- drop traffic and send log
2- pass traffic and send log
You can use the second one and check if the MAC address is a TV or not; if not, then the admin can shut down the connection.
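The check described above (and the OUI-based idea earlier in the thread) can be automated against the switch's own syslog. The script below is an added example and not something posted in this thread: it parses Cisco IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` messages (the message the `restrict` violation mode emits), normalizes the offending MAC, and compares its OUI against an allowlist of the TV fleet's vendor prefixes. The log lines, hostnames, ports and the OUI prefixes in `TV_OUIS` are constructed placeholders, not real vendor assignments, and the output is a recommendation for the operator to act on, not an automatic change to the switch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines in the Cisco IOS PORT_SECURITY format.
# Hostname, ports and MAC addresses are made up for this example.
SAMPLE_LOG = """\
Jan 27 03:20:01 sw-floor3-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/12.
Jan 27 03:21:17 sw-floor3-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a1b2.c3d4.e5f6 on port GigabitEthernet1/0/13.
Jan 27 03:22:40 sw-floor3-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Hypothetical OUI allowlist (first three octets of the MACs of the TV models
# in service). These are placeholder prefixes, not real vendor OUIs; a site
# would fill this from its asset inventory.
TV_OUIS = {"001122", "00aabb"}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>\S+?)\.?$"
)


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits.

    Accepts Cisco dotted form (0011.2233.4455) as well as colon- or
    hyphen-separated forms, so the OUI lookup is format-independent.
    """
    digits = re.sub(r"[.:-]", "", mac).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Violation:
    port: str
    mac: str            # normalized, 12 hex digits
    known_tv: bool      # OUI matches the TV allowlist
    action: str         # "clear_and_relearn" or "shutdown"
    command: str        # IOS command the operator would review and run


def parse_violation(line: str) -> Optional[Violation]:
    """Parse one syslog line; return None for lines that are not violations."""
    m = VIOLATION_RE.search(line.strip())
    if not m:
        return None
    mac = normalize_mac(m.group("mac"))
    port = m.group("port")
    known = mac[:6] in TV_OUIS
    if known:
        # A swapped TV from a known vendor: clear the stale sticky entry so the
        # port can learn the replacement. Still a manual step, not automated.
        return Violation(port, mac, True, "clear_and_relearn",
                         f"clear port-security sticky interface {port}")
    # Unknown device on a guest-room port: recommend taking the port down
    # until someone checks what is plugged in.
    return Violation(port, mac, False, "shutdown",
                     f"interface {port}\n shutdown")


def triage(log: str) -> list[Violation]:
    """Run the check over a block of syslog text, skipping non-violation lines."""
    return [v for v in (parse_violation(l) for l in log.splitlines()) if v]


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.port}: {v.mac} known_tv={v.known_tv} -> {v.action}\n  {v.command}")
```

An OUI match only says the NIC was made by the right vendor, and a MAC is trivially set by the device owner, so this is a triage aid for the help desk, not the PCI control itself; the control is still the port-security (or MAB) enforcement plus the segmentation the original post mentions.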
01-27-2022 05:07 AM
The answer to the dilemma is 802.1x, however, the cost of an 802.1x deployment (switches and ISE plus someone who can knock up an operational 802.1x design) is cost prohibitive.
01-27-2022 05:23 AM
Agreed from a cost point of view; we are not sure what the original user's infrastructure is here. Maybe the user can leverage open source here.
01-27-2022 06:14 AM
@balaji.bandi wrote:
Maybe the user can leverage open source here.
FreeRADIUS will work. We have used it for about 4 years but the most important thing about FreeRADIUS is finding the right person who can code it. And that is just the beginning.
Handing it over to a group of people who barely know the inner workings of Dot1X and MAB is not going to be easy. The turnover of staff in the hotel industry is very high. Teaching one person how to do MAB is going to be a nightmare.
With razor-thin profits in the hotel business, I do not think moving forward is going to be feasible at all.