11-15-2010 10:54 AM - edited 03-06-2019 02:03 PM
Hello All,
Currently I have all the hosts on my network, from multiple VLANs, getting IP addresses from the DHCP server; every host has a MAC-->IP reservation.
This is becoming a management headache: the users move constantly and the DHCP server won't show me when leases expire. The reason for statically mapping these hosts is security (people can't come into the building and plug their infected laptop into the network), i.e. keeping unwanted computers off the network.
I know there is a way for me to block unwanted computers from plugging in and getting network access, and only allow those that I specify. I would like for trusted hosts to be able to plug into a port and, regardless of VLAN, get an address from the DHCP server for the appropriate VLAN and have network access.
This is done through the Port Security commands on the switch; I just need some guidance on this.
Also, the hosts plug into access-layer switches that are plugged into a distribution-layer switch. This is a Cisco 3560, and this is where I would be configuring this. I would have to configure this for a range of interfaces, and I can't have the port shut down; there will obviously be multiple MAC addresses communicating on each port. Unwanted hosts need to be ignored.
Thanks, let me know if any clarification is needed or if there is a better way to do this.
-Jason
11-15-2010 11:34 AM
I would take a look at 802.1x. It will satisfy your requirements and alleviate the admin issues.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf
Hope it helps.
11-15-2010 12:45 PM
Hello and thank you for the response,
I think this solution may be a bit overkill; I only need to check the MAC address and allow that address access to the network.
Can't this be done within the configuration that I have available?
Thanks
11-15-2010 03:37 PM
I have been looking for something similar,
but it all comes down to the fact that it is quite easy to change the MAC address.
Basically you can look at it like a doorman for a restaurant/party.
He has the names of the people who are to be let in, but he does not know them.
The difference is that the doorman can ask for an ID card, for someone to vouch for you and so on.
The switch will not do any other check than the "name" (MAC address).
So in reality all you do is make a lot of extra work for yourself for very little security in return.
To circumvent this solution one would only have to find a host, preferably one that is not serving anything (e.g. an end-user PC), use a NAT device and set the MAC address to the same as the host, and you can add anything on the NATed side of it.
Almost any broadband router or firewall will be able to do that out of the box.
My guess is that what you really would like to have is a NAC setup.
802.1x is, as someone suggested, a start.
However, there is one thing that puzzles me: if you are to have several MAC addresses on a port where this is to be activated, that would mean that you are not going to take the security all the way out to the end equipment?
What would be the point of that?
HTH
Regards
Torbjorn
11-15-2010 02:08 PM
Jason
If you use port security then you can statically assign a MAC-to-port mapping, but this would need to be done on the access-layer switches, not the 3560.
Collin is right, 802.1x is the correct way to do this.
Another alternative is to use VMPS, which allows you to maintain a centralised MAC-address database so only those MACs are allowed to connect to the network. VMPS server functionality is only available on CatOS, but the client functionality is available in IOS versions. You can get a freeware VMPS server that runs on Linux.
Bear in mind that modifying a MAC address on a client is trivial these days, so your security is minimal if you only restrict on MAC address. That is why 802.1x is a much better solution.
Jon
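As an added example (not posted by anyone in this thread), here is what the two options the replies discuss look like as Cisco IOS configuration on an access-layer switch. Both are applied to the host-facing access ports, as Jon notes, not to the 3560 distribution switch. The interface range, VLAN numbers, the MAC address, the RADIUS server address and the shared secret are placeholders.

```cisco
! Added example, not from the thread. Apply on the ACCESS-layer switch ports
! the hosts plug into, not on the distribution switch uplinks.
!
! --- Option 1: port security (MAC-only allow list, as asked in the question) ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow more than one MAC per port (daisy-chained phone, small hub); tune per port.
 switchport port-security maximum 3
 ! "restrict" drops frames from any MAC beyond the allowed set, logs a
 ! violation and bumps a counter, but never err-disables the port.
 ! "protect" drops silently; "shutdown" (the default) err-disables the port.
 switchport port-security violation restrict
 ! Learn the first N MACs seen and write them into the running-config,
 ! instead of typing every MAC by hand.
 switchport port-security mac-address sticky
 ! Or pin one specific host explicitly (placeholder MAC):
 ! switchport port-security mac-address 0011.2233.4455
!
! --- Option 2: 802.1X, the approach the replies recommend ---
! 192.0.2.10 and EXAMPLE-SECRET are placeholders for your RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key EXAMPLE-SECRET
dot1x system-auth-control
interface range FastEthernet0/1 - 24
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! Hosts that never answer the EAP request land in a quarantine VLAN
 ! instead of being left with no access at all.
 authentication event no-response action authorize vlan 999
!
! Verification commands:
! show port-security interface FastEthernet0/1
! show port-security address
! show dot1x all
```

With option 1, `show port-security interface` shows the violation counter climbing when an unknown MAC shows up on a port, which is the only visibility this approach gives you; it does nothing against the MAC-cloning NAT box Torbjorn describes. Option 2 authenticates a user or machine credential rather than a MAC, which is why the replies point to it as the real fix.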