VLAN security development

Jul 9th, 2009

I wanted to get opinions on an idea I had for port security. Port security is great, but when rolling out large projects it can be a tedious job entering in all those MAC addresses.

Can Cisco look into the possibility of creating a new feature called 'VLAN/PORT Security groups'? Within the groups admins could list chunks of MAC addresses that are allowed/disallowed on a particular VLAN.

It would have the same violation rule set as port-security.

Configuration under interface would look similar to this:

port-security address group 1

Leo Laohoo Sat, 07/11/2009 - 05:27

Network Admission Control

Collin Clark Fri, 07/17/2009 - 11:33

Check out 802.1x Port Authentication. You use back-end RADIUS servers for port authentication (end users) and you can set up static MACs for stuff like servers and printers. No need for MAC address configuration on the switches, but you will need certs and RADIUS servers and maybe a supplicant on the host. The nice thing is, you can move PCs anywhere in the company and they will work! Put a vendor PC on the network and it gets thrown into a DMZ where they only get internet access.
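
The switch side of the setup described in the reply above, as an added example that is not part of any post in this thread: 802.1X on an access port, MAC Authentication Bypass (MAB) for devices without a supplicant, and a fallback VLAN for unknown machines. It assumes a Cisco IOS release with the `authentication` interface commands; the RADIUS address, shared secret, VLAN numbers and interface name are placeholders.

```cisco
! Constructed example: every address, key, VLAN ID and interface is a placeholder.
! Send 802.1X and MAB authentication requests to RADIUS.
aaa new-model
aaa authentication dot1x default group radius
! Let RADIUS return per-session attributes such as a VLAN assignment.
aaa authorization network default group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Enable 802.1X globally.
dot1x system-auth-control
!
interface GigabitEthernet0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Port stays closed until a device authenticates.
 authentication port-control auto
 dot1x pae authenticator
 ! Try 802.1X first; fall back to MAB for printers and similar devices.
 ! The allowed MAC list lives on the RADIUS server, not on the switch.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 ! No supplicant and MAC not known to RADIUS: place the device in VLAN 999.
 authentication event no-response action authorize vlan 999
 ! Supplicant present but credentials rejected: same restricted VLAN.
 authentication event fail action authorize vlan 999
 ! Re-check sessions periodically instead of trusting them forever.
 authentication periodic
 spanning-tree portfast
```

VLAN 999 only behaves like the internet-only DMZ from the reply if the upstream firewall or ACLs restrict it that way. MAB identifies a device by MAC address alone, so have RADIUS return a restricted VLAN or ACL for those entries.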

