Prevent Access to Network Using MAC Addresses

Discussion in 'Cisco' started by kware, Jul 8, 2005.

  1. kware

    kware Guest

    Hi,

    We are trying to prevent unauthorised users from connecting PCs to the
    network and obtaining access to domain resources and the Internet.

    We are using Cisco 2950 switches on a Windows 2000 domain.

    My question is, can we allow traffic from only known (and pre-approved)
    MAC addresses?

    Any ideas?

    Thanks in advance
     
    kware, Jul 8, 2005
    #1

  2. On 08.07.2005 17:23 wrote
    You can do, but you also should know that MAC addresses may be spoofed
    easily (e.g. http://www.nthelp.com/NT6/change_mac_w2k.htm)

    You might want to look into 802.1X instead
    (http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00800d84b9.html)





    Arnold
     
    Arnold Nipper, Jul 8, 2005
    #2

  3. big si

    big si Guest

    Another option is port security, but it is a big admin overhead.
    MAC addresses are defined and allowed access only on specific interfaces.

    Not good in a 'hot desk' environment.

    e.g.:

    !
    interface FastEthernet0/2
     description desktop
     switchport mode access
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 0000.3911.c3f4
     mls qos cos override
     macro description cisco-desktop
     spanning-tree portfast
     spanning-tree bpduguard enable
    !

    Big Si.
     
    big si, Jul 10, 2005
    #3
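
An added example (not part of any post in this thread): a small Python audit of a switch configuration in the style big si posted, reporting access ports that lack port security and sticky MAC entries that are not on a pre-approved list. The sample configuration, the approved list, the second MAC address and the names `audit`, `APPROVED` and `MAC_RE` are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread), modelled on the stanza
# posted above; only 0000.3911.c3f4 appears in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0000.3911.c3f4
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet0/1
 switchport mode trunk
"""
APPROVED = {"0000.3911.c3f4"}  # hypothetical pre-approved MAC list
MAC_RE = re.compile(r"mac-address (?:sticky )?((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)


def audit(config, approved):
    """Map each access port to its findings (ports with none are omitted)."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            stanzas[name] = []
        elif line.startswith(" ") and name:
            stanzas[name].append(line.strip())
        else:
            name = None  # "!" or a global command ends the stanza
    findings = {}
    for name, cmds in stanzas.items():
        if "switchport mode access" not in cmds:
            continue  # assumption: only explicit access ports are in scope
        issues = [] if "switchport port-security" in cmds else ["port-security not enabled"]
        macs = [m.group(1).lower() for m in map(MAC_RE.search, cmds) if m]
        issues += ["unapproved MAC " + mac for mac in macs if mac not in approved]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, APPROVED))
```

Because MAC addresses can be changed on the client, as the second post notes, a clean audit only shows that the configuration matches the list, not that the attached device is the approved one.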