securing access port on Cisco switch

situwayne · ‎12-17-2008

Cat3560E

my goal is to limit 1 mac address per port and restrict any unauthorized hub or switch.

I have port-security enabled and set maximum mac to 1. I enabled spanning-tree portfast bpduguard default, and all access ports are spanning-tree portfast enabled.

this works well in most cases. but what if someone were to connect the WAN interface of a Linksys router to the switch interface. because the Linksys does NAT, I can have several devices connected to it and the switch should only see 1 address.

What other IOS security feature can I implement to prevent this? If none, what are my alternatives? thanks.

tomek0001 · ‎12-22-2008

Interesting question.

I would say you are basically looking now at the Network Access Control (NAC) area. You might have to look at 802.1x for port authentication. Basically before you turn on the port you'll have to authenticate the host or the user through radius or AD. This depend on your environment. Besides 802.1x you might just look at the many solutions out there for NAC. Cisco has one and so does Microsoft and plenty of other manufactures.

I don't think that is any other way of detecting NATing on a switchport.

Another thing you could do is monitor all of the mac addresses learn on your switches and try to detect linksys vendor mac addresses or if you only use one computer vendor like dell, look for anything that doesn't match dell. This could be done using snmp or there are few apps online that could do get the mac address table.

Hope that help.

/please rate if you found this helpfull

Thank you,

Tom

mahmoodmkl · ‎12-23-2008

Hi

U will be connecting u r linksys routers ethernet interface to the switch..am i right in assuming this,if so then u r linksys router interface will have only one mac-address so u r in the safe side and for NAT it works at L3 so u need not worry about the mac-address.

Thanks

Mahmood