Port Security

Unanswered Question
Oct 2nd, 2007

Is there a way to setup port security so that our laptop users can plug into the lan in multiple places around a building while preventing outside users from coming in and doing the same. Purhaps a table of pre approved mac addresses that the switch checks?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jagdeep Gambhir Tue, 10/02/2007 - 08:06

I'll suggest to use dot1x in your environment as port security is not suitable where user can log anywhere from LAN.

Dot1x will give you more control over user and machines.

Regards,

~JG

ankbhasi Tue, 10/02/2007 - 09:23

Hi Charles,

As Jagdeep stated port security is going to be a tough task and not a very feasible solution when you have multiple users in your network.

I can think of 2 possible solutions out of which Jagdeep already mentioned dot1x which is identity based networking or VMPS where you have pre approved mac address listed in a text file with vlan number they should be assigned dynamically and is any machine gets into the network whose mac address is not from the pre configured list can be assigned to a non routable vlan or an isolated vlan which does not have any connectivity into your network just like a guest and then you can have control on that vlan.

But I agree 802.1x will give you more security and control in your network.

You can have a look at these links for 802.1x as well as VMPS

For 8021.1x

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_37_se/configuration/guide/sw8021x.html

For VMPS

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_37_se/configuration/guide/swvlan.html#wp1212223

HTH

Ankur

*Pls rate all helpfull post

jacobss914 Wed, 10/03/2007 - 09:33

802.1x is a good way of doing this. I use this in public areas, but am a little more sadistic and give limited access in some areas. Conference rooms, fall under a Guest VLAN and ACLs that limit access to two dns servers, dhcp, and port 80 and 443 to the i-net.

Other more secure areas, I lock them down into a black-hole vlan, that does nothing but frustrate.

Actions

This Discussion