create MAC address database and disallow nonauth'd MACS with cisco switches

Discussion in 'Cisco' started by Mike Cohen, Jul 7, 2004.

  1. Mike Cohen

    Mike Cohen Guest

    Hello,

    we are trying to implement a system where any non authorizes MAC
    address that plugs into our
    network either wired or wireless is denied access until the MAC is
    properly entered into the database.

    We have seen this at some universities, where students computers
    cannot navigate the LAN until they register their mac address either
    electronically, or by calling IT.

    We have cisco swtiches 2950, 3550, 4006, aironet 1200's and cisco ACS
    3.2

    Can someone point me in the right directiion?

    thanks.

    M.C.
     
    Mike Cohen, Jul 7, 2004
    #1
    1. Advertisements

  2. Mike Cohen

    Peter Payne Guest

    Port security can be implemented on Cisco 3550s and 2950s. The details
    are easily found on Cisco's website.. try this URL:
    http://www.cisco.com/en/US/products/hw/switches/
    ps628/
    products_configuration_guide_chapter09186a00800d84c2.html
    (all one address, remove whitespace of course)

    Configuring should be straightforward:
    conf t
    int <n>
    switchport port-security
    switchport port-security maximum 1
    etc etc

    RTFM.. with the search function on the Cisco website you
    really should be doing some basic research first..
     
    Peter Payne, Jul 7, 2004
    #2
    1. Advertisements

  3. Mike Cohen

    Peter Payne Guest

    Or even better (and this may be more what you were looking for..) MAC
    access lists on the switches (maybe on egress to the campus router).

    This would be simpler than port security as you could still plug in
    whatever you wanted to the network, just that you wouldn't be able
    to reach the default gateway (router) as the MAC ACL (access control
    list) would prevent packets from leaving the layer 2 domain into
    the layer 3 domain..

    http://www.cisco.com/en/US/products/hw/switches/ps628/
    products_command_reference_book09186a00800f6cea.html
    (remove whitespace again)

    e.g. suppose you want to permit PCs with MAC addresses 0xABCDEFABCDEF and
    0x1234ABCD1234 then you might do the following:
    Switch(config-ext-macl)# permit host abcd.efab.cdef any
    Switch(config-ext-mac1)# permit host 1234.abcd.1234 any
    and then apply that list to the ingress of a trunk, or egress to a
    gateway router.

    Just food for thought.
     
    Peter Payne, Jul 7, 2004
    #3
  4. Mike Cohen

    Pat Donlon Guest

    Cisco have the URT tool which dynamically allocates the VLAN based on
    the mac address. I works well enough as long as you're not using IP
    telephony.

    Cheers
    Pat
     
    Pat Donlon, Jul 7, 2004
    #4
  5. Mike Cohen

    James Guest

    Hello Mike,

    Although this is a good idea and a place to start, do not put too much
    faith in this sort of folly for real security. It's quite easy to
    purchase devices running embedded linux, that have PROGRAMMABLE Mac
    addresses....

    Also, older sun unix systems allow one to set the MAC address, along
    with many other systems.

    MAC addressing does cover many devices, but, a saavy hacker will laugh
    at this approach if it is intended to thawart comprimises in security
    by serious interlopers...

    James
     
    James, Jul 9, 2004
    #5
  6. You don't need to be a hacker - in Win2k/XP/NT the mac address the
    network adapter uses can be modified by a network adapter property or
    - if that is not available - a simple registry entry.
     
    Joop van der Velden, Jul 9, 2004
    #6
  7. Mike Cohen

    chris Guest


    True, but if you need to change it to a valid address, there's a good
    chance you'll cause a conflict with the real user of that mac.
     
    chris, Jul 10, 2004
    #7
  8. On Cisco switches you can enable MAC security, which is what you are
    trying to do. You can also so the same with wireless. Have you tried any
    commands yet?
     
    John Simonetti, Jul 10, 2004
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.