Cisco Support Community
New Member

Physical port security on Cisco switching

We have a security problem I would like to resolve. Like most sites, our wired network has live ports that, periodically, non-corporate PCs and laptops connect up to without our knowledge. In our network we do not filter for valid MAC addresses, although I've learned this is a poor approach to security as a MAC can be changed in about 10 seconds.

I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching, and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in the short term.

Is there a hardware or software or combination solution out there that works well for this?

Thank you

Hall of Fame Super Blue

Re: Physical port security on Cisco switching


2 solutions spring to mind:

1) 802.1x authentication. Microsoft XP/Vista has a built-in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server, although Microsoft IAS server also supports 802.1x.

Basically, before a client is allowed access to the network they have to authenticate to the network with valid credentials, otherwise the port is shut down.

2) NAC - Network Admission Control. This goes one step further than 1) whereby the client is also checked to see if it conforms to company policy, e.g. does it have the right virus checker on it etc., and if it doesn't the client can be quarantined.

A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.
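As an added illustration of option 1) (this is not from the original reply, nor a Cisco-supplied template), here is a minimal classic IOS configuration that turns on 802.1X on a block of access ports and points the switch at a RADIUS server (Cisco ACS or Microsoft IAS/NPS). The RADIUS server address 192.0.2.10, the shared secret, the interface range and the VLAN numbers are placeholders chosen for the example; substitute your own. The `dot1x` interface commands are the older syntax from the XP/Vista era; newer IOS accepts the same settings under `authentication ...` keywords.

```cisco
! --- Global: AAA and RADIUS (placeholder server 192.0.2.10, placeholder secret)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
dot1x system-auth-control

! --- Access ports: every port on this range must authenticate before forwarding
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Port starts unauthorized and only passes EAPOL until the supplicant succeeds
 dot1x port-control auto
 ! One authenticated host per port; stops a hub being used to ride an authorized session
 dot1x host-mode single-host
 ! Hosts with no supplicant (printers, visitors' laptops) land in an isolated guest VLAN
 dot1x guest-vlan 999
 ! Hosts that fail authentication land in the same isolated VLAN rather than VLAN 10
 dot1x auth-fail vlan 999
 ! Periodically re-check the session so a swapped device does not inherit it
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

Verification after applying it: `show dot1x all summary` lists each port with its current state (Authorized/Unauthorized) and the authenticating MAC, and `show dot1x interface GigabitEthernet1/0/1 details` shows why a given port is in the state it is in. VLAN 999 here is assumed to be a VLAN with no route to the corporate network; the point of the guest and auth-fail VLANs is that unknown devices are contained and visible (you can see them in the dot1x output) rather than silently sharing VLAN 10.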