deny Layer 2 traffic

Suwandy.Ong
Level 1

Dear Cisco-ers,

I've been asked to deny any unauthorized Layer 2 traffic at my office, i.e. to block any unlisted MAC address that is accessing our network.

I do this at the switch level, right? Now I'm confused about the method I should use. Should I use switchport port security? (I've presented this to my boss and he said it's not effective.) What is an effective way to use switchport port security?

OR should I use Mac address access-list?

Please enlighten me.

Thanks

8 Replies

Jon Marshall
Hall of Fame

Hi

Well that is a bit of an open ended request.

You could use port-security and manually code each port with the relevant mac-address but this is an admin nightmare.

You could look into mac-address authentication using a radius server so you then just need to keep a list of allowed mac-addresses on your network. Easier than first but still a large admin overhead.

You could go the whole hog and do user based dot1x authentication on the switches so only authenticated users can get onto the network.

What exactly is your boss worried about?

Jon

Well, my IT Manager is worried about the various guests of my big director carrying their own notebooks, and he's afraid the guests are accessing our company's data and so on.

So, what do you suggest? dot1x or RADIUS? And what do I require to meet those needs?

Well, I've predicted this is some kind of complicated work, but... as long as I get paid, right :)

Hi

Well, if you are worried about guests connecting their own laptops to your network then you will need to look at 802.1x authentication, whether it be mac-address authentication or user-based authentication.

You will need a radius server; the Cisco version is the ACS server, but Microsoft also ships a free one called IAS.

What switches do you have? You can search on the Cisco site with the switch type and 802.1x,

e.g. "3550 configuration 802.1x", and this should bring up some docs that will get you started.

HTH

Jon
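The options Jon describes above (manually coded port-security, mac-address authentication against a RADIUS server, and user-based dot1x), as an added IOS configuration sketch that is not from any poster in this thread. It assumes a Catalyst switch running an IOS release that supports these commands (the 2900XL on 12.0(5)WC10 quoted later in the thread has no 802.1x support); the RADIUS address, shared secret, VLAN and MAC address are placeholders.

```ios
! --- Option 1: port-security with a manually coded MAC (per-port admin overhead) ---
interface FastEthernet0/1
 description Finance PC - only this MAC is allowed
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! Placeholder MAC address; replace with the authorized host's address
 switchport port-security mac-address 0000.1111.2222
 ! restrict: drop frames from any other MAC and raise a log/SNMP trap, but keep
 ! the port up (shutdown, the default, err-disables the port instead)
 switchport port-security violation restrict
!
! --- Options 2 and 3: 802.1x against a RADIUS server, with mac-address
! --- authentication as a fallback for devices that have no 802.1x supplicant ---
aaa new-model
! Placeholder RADIUS server address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/2
 description User port - nothing forwarded until authentication succeeds
 switchport mode access
 switchport access vlan 10
 ! auto: only EAPOL passes until RADIUS accepts the user (or the MAC below)
 dot1x port-control auto
 ! if the host never speaks EAPOL, authenticate its MAC address via RADIUS
 dot1x mac-auth-bypass
!
! Useful checks after applying this:
!   show port-security interface FastEthernet0/1
!   show dot1x interface FastEthernet0/2
```

With this in place, a guest laptop plugged into Fa0/1 is silently dropped, while on Fa0/2 it is held unauthorized unless its user or MAC address is known to the RADIUS server.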

Well, I use the ol' 2950, which I believe doesn't come with 802.1x.

So, the point is, if I don't use an 802.1x-capable switch, I can't use the 802.1x feature?

I have a Linksys SRW224P and it includes 802.1x. Can I use it? Is it compatible with Cisco switches?

To implement 802.1x you will need 802.1x compatible switches.

I've played with 802.1x authentication on a wired Lan and there are a few other things you will need to check.

First of all, all clients must be Win 2k or XP, or you will need to obtain additional software to get them to authenticate.

Mac OS X and most Linux distributions support 802.1x but are not easy to configure.

Microsoft IAS is fine, but if you want the authentication to be secure, you will need to use TLS and install a certificate on your radius server and put in place mechanisms to get that cert trusted on your clients.

You might suggest policy and educating your users is a more cost effective and efficient solution.

Write a network policy that forbids the use of non business equipment on the business network and then get it signed off by the director and enforce it.

Hi,

I want to implement the same solution

MAC address authentication via Microsoft IAS

Do you have any document to help me in this configuration ?

Regards

Mohamed

Amit Singh
Cisco Employee

What is the IOS version and exact model number of the 2950s you are using? Paste the "show version" output from the 2950.

-amit singh

Sorry, wrong version, it's a 2924:

Cisco Internetwork Operating System Software

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)

cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.

What is a RADIUS server? And am I building the server like the usual Windows 2003 server?
