04-21-2023 07:10 AM
Got an issue with a department and a third-party vendor. They add in a TP-Link dumb switch and then mix my company's devices with another company's and connect to our switch. I don't want to mix the networked devices, so I have to manually go and remove it and connect the devices to their respective environments. Remotely, I'm excluding the foreign devices from our DHCP server, but the current lease is under 4 hours. So even after shutting the port, clearing the foreign MAC and IP, then unshutting the port, the foreign devices are still pingable/on my network. I've tried putting on port-security and specified the allowed MAC addresses, but as soon as they connect the wrong device, it will shut down traffic to the entire port, right? Is it possible to stop traffic to the select MAC addresses? An organizational step to introduce dot1x is in play. But with over 1000 switches and like 20k endpoints, this isn't an immediate fix. (End of year roll out) Any suggestions on how I can remotely remove the unwanted devices but keep my devices connected?
04-21-2023 07:26 AM
Hi
If you don't have a RADIUS server it would be almost impossible. First because you don't know what device you need to block, right? So the only way is to allow only those you know, which would be those registered in your domain. Deny everything else.
I don't think the DHCP lease plays any role here.
04-21-2023 07:56 AM
mac address-table static ffff.aaaa.gggg vlan x drop
You can use this command to drop any MAC address,
or you can use a
MAC ACL to deny specific MACs.
BUT the best solution is to use dot1x.
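The options above written out as Cisco IOS configuration for a Catalyst access port, as an added example that is not from any poster in this thread; the VLAN, interface and MAC addresses are constructed placeholders. It also shows port-security in restrict mode, which drops frames from unknown MACs while the allowed devices keep forwarding, instead of the default shutdown mode that err-disables the whole port.

```cisco
! Assumed placeholders: VLAN 10, port Gi1/0/5,
! company devices 0011.2233.4455 and 0011.2233.4466,
! foreign devices 00aa.bbcc.dd01 and 00aa.bbcc.dd02
!
! Option 1: unicast MAC filtering. Frames from the listed source MAC are
! dropped in that VLAN; the port stays up for every other host.
mac address-table static 00aa.bbcc.dd01 vlan 10 drop
mac address-table static 00aa.bbcc.dd02 vlan 10 drop
!
! Option 2: MAC ACL on the port. Caveat: on many Catalyst access switches
! a MAC ACL on a Layer 2 port matches only non-IP frames, so confirm the
! platform's ACL behaviour before relying on this for IP hosts.
mac access-list extended BLOCK-FOREIGN
 deny   host 00aa.bbcc.dd01 any
 deny   host 00aa.bbcc.dd02 any
 permit any any
!
interface GigabitEthernet1/0/5
 description Shared port behind vendor TP-Link switch
 switchport mode access
 switchport access vlan 10
 mac access-group BLOCK-FOREIGN in
!
! Option 3: port-security with "restrict" instead of the default "shutdown".
! Only the two listed MACs are learned; anything else is dropped and counted
! as a violation, and the port does not go err-disabled.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4466
 switchport port-security violation restrict
!
! Verification from exec mode (the drop entries show as type STATIC):
! show mac address-table vlan 10
! show port-security interface GigabitEthernet1/0/5
```

Option 1 needs no change on the interface and can be pushed to many switches remotely, which fits the "1000 switches" constraint until dot1x is rolled out.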