Vlan security development

Unanswered Question
Jul 9th, 2009

I wanted to get opinions on an idea I had for port security. Port security is great, but when rolling out large projects it can be a tedious job entering in all those MAC addresses.

Can Cisco look into the possibility of creating a new feature called 'VLAN/PORT Security groups'. Within the groups admins could list chuncks of MAC addresses that are allowed/disallowed on a particular vlan.

It would have the same violation rule set as port-security.

Configuration under interface would look similar to this:

port-security address group 1

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Fri, 07/17/2009 - 11:33

Check out 802.1x Port Authentication. You use back end RADIUS servers for port authentication (end users) and you can setup static MACs for stuff like servers and printers. No need for MAC address configuration on the switches, but you will need certs and RADIUS servers and maybe a supplicant on the host. The nice thing is, you can move PC's anywhere in the company and they will work! Put a vendor PC on the network and it gets thrown into a dmz where they only get internet access.


This Discussion