<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MAC Filtering in Switches, Hubs, and Modems</title>
    <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955523#M10618</link>
    <description>Thanks Matt. You're right about not wanting to go the whole 802.1x route for a network this size. It's overkill. I guess this is the only way of getting what I want though from what you're saying?&lt;BR /&gt;</description>
    <pubDate>Mon, 05 Mar 2007 07:23:08 GMT</pubDate>
    <dc:creator>Tony Barrett_2</dc:creator>
    <dc:date>2007-03-05T07:23:08Z</dc:date>
    <item>
      <title>MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955521#M10616</link>
      <description>I have a requirement to enforce MAC filtering on a 2650. Looking into available options, I can use the port-security command to restrict which MACs are permitted per port (learning for up to 8 MACs), but I'd rather just maintain a list of permitted MACs for the whole switch, i.e. a MAC address based VLAN, so permitted devices can connect to any port. There will only be one VLAN (all ports), and it's a single switch network.&lt;BR /&gt;&lt;BR /&gt;There's probably going to be 20-30 MACs total for the whole switch.&lt;BR /&gt;&lt;BR /&gt;Have I missed something, or are there any best practice recommendations for this?&lt;BR /&gt;&lt;BR /&gt;Thanks</description>
      <pubDate>Mon, 05 Mar 2007 06:14:54 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955521#M10616</guid>
      <dc:creator>Tony Barrett_2</dc:creator>
      <dc:date>2007-03-05T06:14:54Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955522#M10617</link>
      <description>Hi Tony,&lt;BR /&gt;&lt;BR /&gt;I think that 802.1X mac-based authentication is probably the way to go for this one. Seems a bit much effort for a network of this size though.&lt;BR /&gt;&lt;BR /&gt;Matt</description>
      <pubDate>Mon, 05 Mar 2007 06:37:35 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955522#M10617</guid>
      <dc:creator>Matt Hobbs</dc:creator>
      <dc:date>2007-03-05T06:37:35Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955523#M10618</link>
      <description>Thanks Matt. You're right about not wanting to go the whole 802.1x route for a network this size. It's overkill. I guess this is the only way of getting what I want though from what you're saying?&lt;BR /&gt;</description>
      <pubDate>Mon, 05 Mar 2007 07:23:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955523#M10618</guid>
      <dc:creator>Tony Barrett_2</dc:creator>
      <dc:date>2007-03-05T07:23:08Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955524#M10619</link>
      <description>Unfortunately I think it is the only way for that many mac-addresses to be valid on each port due to the 8 mac-address limit of Port Security. &lt;BR /&gt;&lt;BR /&gt;Hopefully someone else has a simpler idea...</description>
      <pubDate>Mon, 05 Mar 2007 07:49:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955524#M10619</guid>
      <dc:creator>Matt Hobbs</dc:creator>
      <dc:date>2007-03-05T07:49:05Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955525#M10620</link>
      <description>You could do a kind of manual 802.1X: take the MAC table off the 2650 every x minutes and compare it to an offline list of allowed MACs. If any MAC is outside the list, then find the port the MAC connects to and disable the port. Choose x so as not to overload your network with non-production traffic. Don't ask me how to implement this (maybe some SNMP script or C program that uses SNMP routines) - this is the simplest idea that I can think of right now.</description>
      <pubDate>Tue, 06 Mar 2007 03:40:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955525#M10620</guid>
      <dc:creator>OLARU Dan</dc:creator>
      <dc:date>2007-03-06T03:40:08Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955526#M10621</link>
      <description>You could use a DHCP server to assign IP addresses based on predefined MACs (or bootp if you like it best), and build an ACL on the 3500 to only allow the IPs that are assigned in bootp or DHCP to roam through your network. &lt;BR /&gt;&lt;BR /&gt;If a MAC that is not on the list hooks up in a free active jack, it can't get an IP. If the bad guy knows your IP assignment policy and serves himself a valid IP of your subnet, then the ACL kicks in and filters out that IP (of course, you need to maintain the ACL to match the bootptab list of IP addresses).&lt;BR /&gt;&lt;BR /&gt;If he gets an IP that is permitted and if that IP is not used when he does his dirty job (some users do have vacation, you know), then this scheme does not hold, unless you deny the IPs of users that are gone on vacation in the ACL.&lt;BR /&gt;&lt;BR /&gt;If the IP is already in use by some active computer, then there will be a duplicate IP, which can be detected fairly easily, and the legitimate user's computer will not work - he will surely call you if he's not out for a smoke.</description>
      <pubDate>Tue, 06 Mar 2007 03:58:34 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955526#M10621</guid>
      <dc:creator>OLARU Dan</dc:creator>
      <dc:date>2007-03-06T03:58:34Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955527#M10622</link>
      <description>Just a question: How many of the systems' NICs (like the one in my notebook) support setting the "Locally administered address" (Google for it), thereby CHANGING the MAC address?</description>
      <pubDate>Tue, 06 Mar 2007 08:17:17 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955527#M10622</guid>
      <dc:creator>Sheldon Smith</dc:creator>
      <dc:date>2007-03-06T08:17:17Z</dc:date>
    </item>
    <item>
      <title>Re: MAC Filtering</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955528#M10623</link>
      <description>Thanks for the replies.&lt;BR /&gt;&lt;BR /&gt;I'll admit, some of the solutions seem a little excessive, although I'm not denying they may work (with a lot of effort and testing!). I think the idea of static DHCP reservations is possible, but if someone still knows the LAN IP range, then picking a valid IP and jumping on the LAN wouldn't be difficult. I'll think about it.&lt;BR /&gt;&lt;BR /&gt;It's also true that most modern NICs allow you to soft-code the MAC address, which is an issue if you use MAC lockdown. Removing local admin rights would reduce that risk though, along with a bit of user education!</description>
      <pubDate>Tue, 06 Mar 2007 08:59:02 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/mac-filtering/m-p/3955528#M10623</guid>
      <dc:creator>Tony Barrett_2</dc:creator>
      <dc:date>2007-03-06T08:59:02Z</dc:date>
    </item>
  </channel>
</rss>

