Best way of denying access to a VLAN port based on MAC address on Catalyst 4500

captkloss (Level 1)

Hello, 

We have a couple of Catalyst 4500 chassis. All publicly (as in "office space") accessible ports are limited to a specific VLAN. We would like to deny "access" to all devices outside of a list of approved MAC addresses. What would be the most efficient / "best practice" way of achieving this goal?

Hardware we use: WS-C4510R+E running 03.04.02.SG

Thanks!

3 Replies

Rob Cluett (Level 1)

Dynamic ARP Inspection should accomplish what you're looking to do. Here's a chapter from Cisco Press that acts as a good overview:

http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8

Correct me if I'm wrong, but from what I see, DAI would not prevent someone from bringing a private laptop, plugging it into an available port in the office space, and being able to browse the network.

Thanks!

If you are looking to lock down ports to their respective hosts' MAC addresses, you can use port security. What you'll be doing is assigning the MAC address of a host to the port that it's connected to. All other ports should be set into a shutdown state, preventing an attacker from connecting to any port that doesn't have a host connected. See below:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup6T/15_3_sy_swcg_6T/port_security.html?dtid=osscdc000283

The above port-security command will shut down the interface if any host is attached that does not have fa16.3e23.8161 as its MAC address.
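To make the reply above concrete, here is a worked Catalyst IOS/IOS-XE configuration for the approach it describes: one office port pinned to the MAC address fa16.3e23.8161 with port security in shutdown-violation mode, the remaining office ports administratively shut down, and automatic recovery from the err-disabled state. This is an added example, not a configuration from the original thread or from Cisco's documentation. The interface numbers (GigabitEthernet3/1 through 3/48), the access VLAN 100, the parking VLAN 999 and the 300-second recovery interval are assumptions for illustration; substitute the line-card slots and VLAN the office ports actually use.

```cisco
! Added example, not from the original post. Slot/port numbers and VLAN IDs are assumptions.
!
! Port with an approved host: only fa16.3e23.8161 may send frames on it.
interface GigabitEthernet3/1
 description Office port - approved host fa16.3e23.8161
 switchport mode access
 switchport access vlan 100
 ! Port security only works on a static access (or trunk) port, never on a dynamic one.
 switchport port-security
 switchport port-security maximum 1
 ! "shutdown" err-disables the port on a violation; "restrict" would drop and log instead.
 switchport port-security violation shutdown
 switchport port-security mac-address fa16.3e23.8161
 ! Edge-port hardening: no switch may be daisy-chained behind the office port.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Every other office port: parked in an unused VLAN and administratively down,
! so an unlisted laptop finds nothing to plug into.
interface range GigabitEthernet3/2 - 48
 description Office port - unused, administratively down
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Without this, a violated port stays err-disabled until someone issues
! "shutdown" / "no shutdown" by hand. 300 s is an assumed interval.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify the state with `show port-security interface GigabitEthernet3/1` (Port Status should read Secure-up, Violation Mode shutdown, Maximum MAC Addresses 1), `show port-security address` to list the secured MAC per port, and `show interfaces status err-disabled` after a test with an unlisted device to confirm the port was actually err-disabled and then recovered. One caveat a practitioner should keep in mind: a MAC address is trivially changed on a laptop, so this setup deters casual plug-ins and inventories who is on which port, but it is not authentication of the device; port-based 802.1X is the control for that stronger requirement.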
