Cisco - Port security for 500+ Devices?

ukerekais
Level 1

Hi and thanks for reading.

I'm an IT manager/Sysadmin at a site trying to figure out how to deal with an operational problem. CCNA, but by no means a networking expert.

It's a hotel, and we have 500+ TVs running on CAT6. Due to PCI, we need port security on the LAN ports that TVs are plugging into (Ninja Edit: the network is segmented as well). The original "solution" was to set the ports to sticky MAC. This sort of works; however, when the maintenance guys replace a broken TV, it locks the port because it sees a different MAC address. This creates operational issues and guest complaints because our networking is outsourced, and the SLA for a downed port is 4 hours. This is a long time for a guest TV to be out of service...

I'd like to create a huge whitelist of all our current TVs, plus all the backups we have sitting in the storage room, and use that for port security. I'm not sure if this is possible with this many devices.

Any other suggestions?

Thanks in advance.

5 Replies

balaji.bandi
Hall of Fame

Another option I can think of here, a very good use case: 802.1x authentication with MAC address.

If the switches are Cisco, then deploying this solution will help you.

The port authentication can be done based on OUI (that is, TV or known devices); if there is any unknown device, it will be redirected to the guest login page.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The port security violation mode can be:

1- drop traffic, send log

2- pass traffic, send log

You can use the second one and check if the MAC address is a TV or not; if not, then the admin can shut down the connection.
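As an added example (not code from any poster in this thread), here is a small Python triage script for the workflow described above: it parses Cisco port-security violation syslog lines and sorts the violating ports by whether the new MAC's OUI belongs to the hotel's TV models, so a swapped TV can be told apart from an unknown device that the admin should look at. The OUI prefixes and the log lines are constructed placeholders, not real vendor values.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Cisco IOS logs a port-security violation (restrict/protect mode) with a line such as:
# %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
#   0011.2233.4455 on port GigabitEthernet1/0/12.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>[A-Za-z0-9/]+)",
    re.IGNORECASE,
)

# Constructed placeholder OUIs standing in for the hotel's TV models; a real
# deployment would load the vendor prefixes of the TV models actually purchased.
ALLOWED_TV_OUIS = {"00aa11", "00aa12"}

def normalize_mac(cisco_mac: str) -> str:
    """'00AA.1122.3344' -> '00aa11223344' so prefixes compare consistently."""
    return cisco_mac.replace(".", "").lower()

def oui_of(mac_hex: str) -> str:
    """First three octets (six hex digits) of a normalized MAC."""
    return mac_hex[:6]

def parse_violations(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (port, normalized_mac) from each PSECURE_VIOLATION line; other lines are ignored."""
    found = []
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("port"), normalize_mac(m.group("mac"))))
    return found

def triage(log_lines: Iterable[str], allowed_ouis=ALLOWED_TV_OUIS) -> Dict[str, Dict[str, str]]:
    """Split violating ports into likely TV swaps (allowed OUI) and unknown devices.
    Returns {"tv_swap": {port: mac}, "unknown": {port: mac}}."""
    result: Dict[str, Dict[str, str]] = {"tv_swap": {}, "unknown": {}}
    for port, mac in parse_violations(log_lines):
        bucket = "tv_swap" if oui_of(mac) in allowed_ouis else "unknown"
        result[bucket][port] = mac
    return result

# Constructed sample syslog export: one replacement TV, one unrelated line, one unknown device.
SAMPLE_LOG = [
    "Jan 12 03:14:07 sw-floor3 45: *Jan 12 03:14:06.981: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 00AA.1122.3344 on port GigabitEthernet1/0/12.",
    "Jan 12 03:15:22 sw-floor3 46: *Jan 12 03:15:21.400: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up",
    "Jan 12 03:15:30 sw-floor3 47: *Jan 12 03:15:29.118: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 02AB.CD00.0001 on port GigabitEthernet1/0/13.",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Ports in the "unknown" bucket are the ones the reply says the admin should review; ports in "tv_swap" are candidates for updating the whitelist after the maintenance ticket is confirmed.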

Leo Laohoo
Hall of Fame

The answer to the dilemma is 802.1x, however, the cost of an 802.1x deployment (switches and ISE plus someone who can knock up an operational 802.1x design) is cost prohibitive.

Agreed from a cost point of view; we are not sure what the original user infrastructure is here. Maybe the user can leverage open source here.

BB


@balaji.bandi wrote:

Maybe the user can leverage open source here.


FreeRADIUS will work. We have used it for about 4 years, but the most important thing about FreeRADIUS is finding the right person who can code it. And that is just the beginning.

Handing it over to a group of people who barely know the inner workings of Dot1X and MAB is not going to be easy. The turnover of staff in the hotel industry is very high. Teaching one person how to do MAB is going to be a nightmare.

With razor-thin profits in the hotel business, I do not think moving forward is going to be feasible at all.