Hello all. Currently I have all the hosts on my network from multiple VLANs getting IP addresses from the DHCP server; every host has a MAC-->IP reservation. This is becoming a management headache: the users move constantly and the DHCP server won't show me when leases expire. The reason for statically mapping these hosts is security (people can't come into the building and plug their infected laptop into the network), i.e. keeping unwanted computers off the network.
I know there is a way for me to block unwanted computers from plugging in and getting network access, and only allow those that I specify. I would like trusted hosts to be able to plug into a port and, regardless of VLAN, be able to get an address from the DHCP server for the appropriate VLAN and have network access.
This is done through the Port Security commands on the switch; I just need some guidance on this.
Also, the hosts plug into access-layer switches that are plugged into a distribution-layer switch. This is a Cisco 3560, and this is where I would be configuring it. I would have to configure this for a range of interfaces, and I can't have the port shut down; there will obviously be multiple MAC addresses communicating on each port. Unwanted hosts need to be ignored.
Thanks, let me know if any clarification is needed or if there is a better way to do this.
But it all comes down to the fact that it is quite easy to change the MAC address.
Basically you can look at it like a doorman for a restaurant/party.
He has the names of people who are to be let in, but he does not know them.
The difference is that the doorman can ask for an ID card, someone to vouch for you, and so on.
The switch will not do any other check than the "name" (MAC address).
So in reality all you do is make yourself a lot of extra work for very little security in return.
To circumvent this solution one would only have to find a host, preferably one that is not serving anything (e.g. an end-user PC), use a NAT device and set the MAC address to the same as the host, and you can add anything on the NATted side of it.
Almost any broadband router or firewall will be able to do that out of the box.
My guess is that what you really would like to have is a NAC setup.
802.1x is, as someone suggested, a start.
However, there is one thing that puzzles me: if you are to have several MAC addresses on a port where this is to be activated, would that mean that you are not going to take the security all the way out to the end equipment?
If you use port-security then you can statically assign a MAC-to-port mapping, but this would need to be done on the access-layer switches, not the 3560.
Collin is right, 802.1x is the correct way to do this.
Another alternative is to use VMPS, which allows you to maintain a centralised MAC address database so only those MACs are allowed to connect to the network. VMPS server functionality is only available on CatOS, but the client functionality is available in IOS versions. You can get a freeware VMPS server that runs on Linux.
Bear in mind that modifying a MAC address on a client is trivial these days, so your security is minimal if only restricting on MAC address. That is why 802.1x is a much better solution.
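As an added example that is not from any of the posters above, this is what a port-security configuration matching the original constraints (several MACs per port, no shutdown on violation, unknown hosts dropped) looks like on an access-layer IOS switch. The interface range, the maximum of 3 and the two MAC addresses are assumed placeholder values; as the replies note, this checks only the MAC address, so it is an inventory control rather than an identity check.

```cisco
! Added example (not from this thread): port-security on an access-layer IOS switch.
! Interface range, MAC addresses and the maximum of 3 are assumed placeholder values.
configure terminal
 interface range FastEthernet0/1 - 24
  switchport mode access
  switchport port-security
  ! allow more than one host per port, as the original question requires
  switchport port-security maximum 3
  ! restrict: frames from unknown MACs are dropped, the violation counter and a
  ! syslog message are raised, but the port stays up (shutdown would err-disable it)
  switchport port-security violation restrict
  ! learn the first MACs seen on the port and write them into the running config
  switchport port-security mac-address sticky
 exit
 ! a port where the allowed hosts are pinned explicitly instead of learned
 interface FastEthernet0/25
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation restrict
  ! placeholder MAC addresses of the two trusted hosts on this port
  switchport port-security mac-address 0000.1111.2222
  switchport port-security mac-address 0000.3333.4444
 end
! sticky addresses only survive a reload once the running config is saved
copy running-config startup-config
! verify: port status, violation count, and the static/sticky address table
show port-security interface FastEthernet0/1
show port-security address
```

The violation counter and syslog output from restrict mode are what tell you that an unlisted device was plugged in, which is the detection you lose with the silent protect mode.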