
How to Prevent access to LAN via switch security? need help

Discussion in 'Networks' started by alivip, Apr 9, 2009.

  1. alivip

    alivip Bit Poster

    I have a network in my company (200 PCs). I am a new employee and I want to prevent personal PCs or laptops (belonging to employees or visitors) from accessing the network via the LAN.

    While I was searching I found this way, but unfortunately I don't know how to do it:

    Get the MAC addresses of all PCs in the network and put them in the switch (my switch is a Cisco 2950) to prevent any other PC that is not in the switch's list of MAC addresses (outside the network) from accessing the network.

    Please help me with this way, or with another way that solves the problem.
     
  2. Triton.Deep

    Triton.Deep Bit Poster

    http://blogs.techrepublic.com.com/security/?p=320

    What you're talking about is Port Security. It is fairly flexible, collects MAC addresses AUTOMATICALLY, but for my tastes has a pretty high administrative overhead. Then again, security vs. convenience... always a nice debate. :)

    That link up there gives some pretty good info, it's not as bad as you think. Here's a few tidbits of advice:

    1) Don't enable it on your uplink ports.
    2) Use "Protected" mode versus the default action (port shutdown).

    I'm sharing Port Security with you because I'm betting you don't have a nice big budget and lots of managerial support, BUT... if you do, then think about going with Cisco NAC (Cisco Clean Access). It's more complicated, it's costly, but it does this plus so much more. Yes, I've actually implemented it for a few thousand users; it can be incredibly powerful.

    :) Anyways, that document linked up there should get you started. Might require some IOS upgrades maybe, but maybe not.

    Hope that helps.

    J.
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
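    The port-security setup described in this post, as an added example that is not part of the original thread and not taken from the linked article. It assumes a Catalyst 2950 running an IOS with sticky learning (the post already notes an IOS upgrade may be needed), that FastEthernet0/1-24 are user-facing access ports in VLAN 10, and that GigabitEthernet0/1 is the uplink; the interface names and VLAN number are assumptions.

    ```cisco
    ! Access ports: learn the first MAC address seen on each port and write it into
    ! the running-config ("sticky"), so the addresses are collected automatically
    ! instead of being typed in by hand.
    interface range FastEthernet0/1 - 24
     switchport mode access
     switchport access vlan 10
     switchport port-security
     switchport port-security maximum 1
     switchport port-security mac-address sticky
     ! "protect" silently drops frames from unknown MACs instead of shutting the
     ! port down (the default "shutdown" action), per tip 2 above.
     switchport port-security violation protect
     spanning-tree portfast
    !
    ! Uplink: no port security here (tip 1 above); many MAC addresses legitimately
    ! appear behind it and a single-address limit would cut off the whole switch.
    interface GigabitEthernet0/1
     switchport mode trunk
     no switchport port-security
    !
    end
    ! Save the running-config so the learned sticky addresses survive a reload.
    copy running-config startup-config
    ! Verification: per-port status, violation counters and the learned address table.
    show port-security
    show port-security interface FastEthernet0/1
    show port-security address
    ```

    Two caveats a practitioner would want: with `protect` the switch drops violating frames without logging them, so if you also want a syslog/SNMP notification and a violation counter, use `switchport port-security violation restrict` instead. And because sticky learning keeps the first address it sees, the config should be applied while the authorised PCs are connected; `show mac address-table dynamic` shows what each port has learned so far, which also answers the "how do I collect the MAC addresses" question for any other list you need to build (for example, a DHCP allow list).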
  3. zebulebu

    zebulebu Terabyte Poster

    Triton's answer is excellent. If you have access to the switches in your environment (and I'm guessing, from your post, that you do) then port security is the way to go. As always, be careful when implementing anything at a network level that you're not familiar with - you can easily rinse your LAN by applying the wrong security to the wrong port.

    If you just want to stop people plumbing into your LAN ports and getting an IP via DHCP, you could implement MAC filtering on your DHCP servers by using the "DHCP Callout DLL" - described in this DHCPTeam blog post. It's a bit of a sledgehammer-to-crack-a-walnut approach, has a bit of administrative overhead and won't stop anyone who knows the LAN & has the rights to modify their network connection properties, but it's definitely worth a look if you just want a quick way to lock out the casual offender.
     
    Certifications: A few
    WIP: None - f*** 'em
  4. Triton.Deep

    Triton.Deep Bit Poster

    THIS. Or that, rather. That is gold. Thank you for posting that. I agree it won't stop anyone beyond the casual "I didn't know better" offender, but I like it. Thanks for posting that; I absolutely know I'll end up using this at some point.

    Excellent.

    J.

    \\learn something new every day :)
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
  5. alivip

    alivip Bit Poster

    Thanks for the fast response, Mr Triton.Deep & Mr zebulebu.

    Mr Triton.Deep, I have read the link http://blogs.techrepublic.com.com/security/?p=320
    It is very good, but because I am new in this field I need detailed steps on how to collect MAC addresses AUTOMATICALLY: where I have to go, step by step from the beginning, to collect the MACs and then put them in the switch, in full detail.

    Same to Mr zebulebu: I have downloaded and installed the DHCP Callout DLL, but unfortunately I do not know how to use it, or even where I can find the icon for the program that was installed. I need detailed step-by-step instructions on how to
    1. Allow only machines belonging to a set of MAC addresses to get an IP address from the DHCP server.
    2. Deny machines belonging to a set of MAC addresses from getting an IP address from this server.

    in full detail.

    I need your help urgently, ASAP.
     
  6. Triton.Deep

    Triton.Deep Bit Poster

    On the machine you installed the DHCP Callout DLL, look for the file "SetupDHCPMacFilter.rtf". The file should be in %SystemRoot%\system32. If your server OS installation was done using defaults, then the path is probably C:\windows\system32\.

    That document should tell you everything you need to know. Just so you know, there is no icon. The installer just dumps the DLL file along with the help document into the system32 directory. Not exactly a program in the traditional sense. I'm busy wracking my brains trying to think how to aggregate MAC-addresses automatically instead of adding them manually. That part is a pain in the butt.

    J.

    \\Couldn't help but tear through the documentation/installation after zebulebu mentioned it. Still learning it too.
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
