deny Layer 2 traffic

Unanswered Question
Jul 15th, 2007
Dear Cisco-ers,


I've been asked to deny any unauthorized Layer 2 traffic at my office, that is, if any unlisted MAC address is accessing our traffic.

I do this at the switch level, right? Now I'm confused about which method to use. Should I use switchport security? (I've presented this to my boss and he said it's not effective.) What is effective, switchport security...


OR should I use a MAC address access-list?


Please enlighten me.


Thanks

Jon Marshall Sun, 07/15/2007 - 23:26
Hi


Well that is a bit of an open ended request.


You could use port-security and manually code each port with the relevant MAC address, but this is an admin nightmare.


You could look into MAC-address authentication using a RADIUS server, so you then just need to keep a list of allowed MAC addresses on your network. Easier than the first, but still a large admin overhead.


You could go the whole hog and do user-based dot1x authentication on the switches, so only authenticated users can get onto the network.


What exactly is your boss worried about?


Jon
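Jon's first option (port-security) looks like this on a Catalyst access port. This is an added example, not part of the thread: it assumes a switch running IOS that accepts `switchport port-security` (2950/3550-class images), and the interface names, VLAN numbers and the MAC address are placeholders.

```cisco
! Added example (not from the thread): port-security on Catalyst access ports.
! Interface names, VLAN 10 and the MAC address 0011.2233.4455 are placeholders.
!
interface FastEthernet0/1
 description Reception desk PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! one address per port: a second MAC (hub, visitor's laptop) is a violation
 switchport port-security maximum 1
 ! "sticky": the first MAC seen on the port is written into the running-config,
 ! so nobody has to type every address by hand (Jon's "admin nightmare")
 switchport port-security mac-address sticky
 ! restrict = drop offending frames, count them, send a trap/syslog, keep the port up;
 ! the default (shutdown) err-disables the port until an admin re-enables it
 switchport port-security violation restrict
 spanning-tree portfast
!
! Alternative to sticky: pin a known address statically and shut the port on a mismatch
interface FastEthernet0/2
 description Accounts printer
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Bring err-disabled ports back on their own after 5 minutes instead of a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky addresses live in the running-config only until you save
end
write memory
!
! Verification: port status, violation mode, last source address seen, and the secure table
show port-security
show port-security interface FastEthernet0/1
show port-security address
```

Two caveats a practitioner would add before taking this to the boss. First, port-security, MAC-address RADIUS authentication and MAC ACLs all key on the source MAC address, and any laptop can be given the MAC of an unplugged PC or printer; they stop casual plugging-in, not a visitor who wants to get around them, which is the real argument for the user-based dot1x option. Second, the older 2900XL/3500XL images use a different interface syntax (`port security max-mac-count` and `port security action shutdown`, going from memory of that command reference; confirm with `port security ?` on the switch), so the block above will not paste straight onto one of those.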

Suwandy.Ong Mon, 07/16/2007 - 00:02
Well, my IT manager is worried about various guests of my big director carrying their own notebooks, and he's afraid the guests are accessing our company's data and all.


So, what do you suggest, dot1x or RADIUS? And what do I require to meet those needs?


Well, I predicted this would be some kind of complicated work, but... as long as I get paid, right :)



Jon Marshall Mon, 07/16/2007 - 00:11
Hi


Well, if you are worried about guests connecting their own laptops to your network, then you will need to look at 802.1x authentication, whether it be MAC-address authentication or user-based authentication.


You will need a RADIUS server; the Cisco version is the ACS server, but Microsoft also comes with a free one called IAS.


What switches do you have? You can search on the Cisco site with the switch type and 802.1x,


e.g. "3550 configuration 802.1x", and this should bring up some docs that will get you started.


HTH


Jon
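The switch side of the 802.1x setup Jon describes, with a MAC-address fallback for devices that cannot run a supplicant (printers, phones), so one configuration covers both of his "mac-address" and "user based" variants. This is an added example, not from the thread or from Cisco's documentation: it assumes a Catalyst with dot1x and MAC-authentication-bypass support (3560/3750-class IOS 12.2(25)SEE or later; newer images spell the same things `mab` and `authentication port-control auto`), a RADIUS server at 192.0.2.10 (a documentation address used as a placeholder) with a placeholder shared key, and VLAN 99 as an isolated guest VLAN. The 2950 has the basic dot1x commands in its 12.1 EA images, but check its configuration guide for the exact release before relying on the MAC-bypass part there.

```cisco
! Added example (not from the thread): 802.1X with MAC-address bypass on a Catalyst.
! 192.0.2.10, the key, interface names and VLANs 10/99 are placeholders.
!
aaa new-model
! every 802.1X / MAB decision is made by the RADIUS server (ACS or IAS)
aaa authentication dot1x default group radius
! lets RADIUS hand back a VLAN per session (guest, quarantine) instead of just yes/no
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key Placeh0lderSharedKey
!
! global on/off switch for 802.1X; without it the interface commands do nothing
dot1x system-auth-control
!
interface FastEthernet0/3
 description Meeting room wall port
 switchport mode access
 switchport access vlan 10
 ! port stays closed (EAPOL only) until the client authenticates
 dot1x port-control auto
 ! no EAPOL reply after the dot1x timeouts -> try the MAC address instead;
 ! the RADIUS server then sees username = MAC and password = MAC
 dot1x mac-auth-bypass
 ! clients that never answer land in the guest VLAN, clients that fail in the
 ! auth-fail VLAN; using the same isolated VLAN for both keeps visitors off VLAN 10
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 ! make sessions expire so a laptop swapped onto a printer's cable is re-checked
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! Verification: per-port state machine and the current authenticated client
show dot1x all summary
show dot1x interface FastEthernet0/3
! watch the Access-Request / Access-Accept exchange while a client plugs in
debug radius authentication
```

On the IAS side the switch is added as a RADIUS client with the same shared key, and a MAC-bypass device needs a user account whose name and password are the MAC in the format the switch sends (on these images, twelve lowercase hex digits with no separators). Because the guest VLAN is reachable by anyone who simply plugs in, it must be a VLAN that routes to nothing internal; it is a holding pen, not a second access method.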

Suwandy.Ong Mon, 07/16/2007 - 00:44
Well, I use the ol' 2950, which I believe doesn't come with 802.1x.

So, the point is, if I don't use an 802.1x-capable switch, I can't use the 802.1x feature?


I have a Linksys SRW224P and it includes 802.1x. Can I use it? Is it compatible with Cisco switches?

misd.network.support Mon, 07/16/2007 - 01:37
To implement 802.1x you will need 802.1x compatible switches.


I've played with 802.1x authentication on a wired LAN, and there are a few other things you will need to check.


First of all, clients must be Win 2k or XP, or you will need to obtain additional software to get them to authenticate.


Mac OS X and most Linux distributions support 802.1x but are not easy to configure.


Microsoft IAS is fine, but if you want the authentication to be secure, you will need to use TLS, install a certificate on your RADIUS server, and put in place mechanisms to get that cert trusted on your clients.


You might suggest that policy and educating your users is a more cost-effective and efficient solution.


Write a network policy that forbids the use of non-business equipment on the business network, then get it signed off by the director and enforce it.

moabdallah Tue, 07/17/2007 - 18:47
Hi,


I want to implement the same solution, MAC address authentication via Microsoft IAS.

Do you have any document to help me with this configuration?


Regards


Mohamed

Amit Singh Mon, 07/16/2007 - 05:00
What are the IOS version and exact model number of the 2950s you are using? Paste the "show version" from the 2950.


-amit singh

Suwandy.Ong Mon, 07/16/2007 - 22:13
Sorry, wrong version, it's a 2924:


Cisco Internetwork Operating System Software

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)


cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.




What is a RADIUS server? And am I building the server like the usual Windows 2003 server?
