Locking up LAN

leowchongwei
Level 1

Hi,

I'm tasked to "lock" my LAN, preventing others from plugging a home laptop into the LAN. What is the recommended method? It must allow freedom to move about within the LAN; many are mobile users...

Regards,

Steven

6 Replies

thisisshanky
Level 11

There are many ways of doing it. If your switches are 802.1x compatible, you can do port-based authentication to prevent unauthorized users. You can also do what people typically call "Reserved DHCP". This does not sound feasible if the number of users is too high, but I have seen a lot of people doing that. Every DHCP address that you lease is bound to a particular MAC address. This prevents users from using their home laptop on the LAN, though there is an option for the user to locally administer the MAC address of the home laptop (if anybody is intelligent enough to think of that)...

The link below shows 802.1x on a catalyst 4006. The config might change depending on what switch you have.

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00801631cc.html

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

brianj
Level 1

You can also consider using Dynamic VLANs. You will need a Cisco switch capable of acting as a VMPS server. This device will download a file which has a mapping of MAC address to assigned VLAN from a TFTP server. Each access switchport is then configured as dynamic rather than access on your edge switches. When a PC is plugged into a switchport, the access layer switch will then send a message to the VMPS server inquiring about the device's eligibility. The port does not pass any traffic, including DHCP requests, until the VMPS server sends a reply back. If the MAC address is found in the database by the VMPS server, the switchport on the access layer switch is dynamically placed into the appropriate VLAN; otherwise, the port is automatically shut down or placed in a default VLAN of your choice.

The main downfall to this solution is you must maintain the list of devices (MAC address to VLAN mapping). There are some web-based tools available to assist with this though.

I am currently testing this for use in my production network consisting of over 2000 devices.

Brian

IMHO, I would not recommend VMPS to anyone. I found it was not nearly resilient enough. It depends on having a VMPS server that is online all the time; as soon as you lose the server, nobody can access the LAN any more. And AFAIA, there is no way to configure a backup server. Also, if you use WoL for maintenance (and I do), that will probably not work in conjunction with VMPS.

Kevin Dorrell

Luxembourg

Hi Brian,

I am testing a VMPS solution in our office. The VMPS server is in the server farm, vlan114, and users are in vlan103. Only fewer than 10 staff are in the dynamic VLAN. However, my colleagues feed back to me that they encounter random disconnections from the mail server and file server. The connection is restored within 1-2 secs; the longest is less than 5 mins. It happens randomly, and not every staff member encounters this issue. Do you know what is the cause and how to solve this problem?

Thanks

p-dolbow
Level 1

Steven

As you can see from these posts, there are many ways to skin this cat, and there is no right or wrong way to do this. I suggest a hybrid of the DHCP solution, combined with a solid written security policy for your company. The policy is as important as the technical solution, as you will find out later.

What I have successfully done in the past is set up DHCP scopes with reservations for your authorized systems (MAC address). Also set up a "normal" DHCP scope with no reservations, which is effectively a "fly trap" scope. Monitor that scope for leases, and when you find entries, track down the offending machine and confiscate it. This is where your written policy comes into play.

Good luck. -=Phil=- CISSP
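As an added example (not code from any poster in this thread), a small script that automates the monitoring step of the "fly trap" approach: it parses ISC dhcpd-style lease entries from the open scope and reports active leases whose MAC address has no reservation. The lease text and the authorized MAC list are constructed sample data.

```python
import re

# Constructed sample: an excerpt of a dhcpd.leases file for the open
# "fly trap" scope (ISC dhcpd lease-file format, data made up here).
SAMPLE_LEASES = """\
lease 192.168.50.10 {
  starts 3 2024/01/10 08:15:02;
  ends 3 2024/01/10 16:15:02;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "corp-laptop-07";
}
lease 192.168.50.11 {
  starts 3 2024/01/10 09:01:44;
  ends 3 2024/01/10 17:01:44;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:FF;
  client-hostname "home-macbook";
}
lease 192.168.50.12 {
  starts 3 2024/01/09 12:00:00;
  ends 3 2024/01/09 20:00:00;
  binding state free;
  hardware ethernet de:ad:be:ef:00:01;
}
"""

# Constructed list of MACs that hold reservations in the authorized scope.
AUTHORIZED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Return one dict per lease block: ip, mac (lowercased), state, hostname."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac, state, host = MAC_RE.search(body), STATE_RE.search(body), HOST_RE.search(body)
        leases.append({
            "ip": m.group("ip"),
            "mac": mac.group(1).lower() if mac else None,
            "state": state.group(1) if state else None,
            "hostname": host.group(1) if host else None,
        })
    return leases

def unknown_active_leases(text, authorized):
    """Active fly-trap leases whose MAC has no reservation: candidates for follow-up."""
    norm = {a.lower() for a in authorized}
    return [l for l in parse_leases(text) if l["state"] == "active" and l["mac"] not in norm]

if __name__ == "__main__":
    for lease in unknown_active_leases(SAMPLE_LEASES, AUTHORIZED_MACS):
        print(f"unknown device {lease['mac']} ({lease['hostname']}) holds {lease['ip']}")
```

Expired or released leases (binding state free) are skipped so that only machines currently on the network are reported.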
