I have a requirement to enforce MAC filtering on a 2650. Looking into available options, I can use the port-security command to restrict which MAC's are permitted per port (learning for up to 8 MAC's), but I'd rather just maintain a list of permitted MAC's for the whole switch, i.e. a MAC address based VLAN, so permitted devices can connect to any port. There will only be one VLAN (all ports), and it's a single switch network.
There's probably going to be 20-30 MAC's total for the whole switch.
Have I missed something, or are there any best practise recommendations for this?
Thanks Matt. You're right about not wanting to go the whole 802.1x route for a network this size. It's overkill. I guess this is the only way of getting what I want though from what your saying?
You could do a kind of manual 802.1X: take the MAC table off the 2650 every x minutes and compare it to an offline list of allowed MACs. If any MAC is outside the list, then find the port the MAC connects to and disable the port. Chose x as not to overload your network with non-production traffic. Don't ask me how to implement this (maybe some SNMP script or C program that uses SNMP routines) - this is the simplest ideea that I can think of right now.
You could use a DHCP server to assign IP addresses based on predefined MACs (or bootp if you like it best), and build an ACL on the 3500 to only allow the IPs that are assigned in bootp or DHCP to roam through your network.
If a MAC that is not on the list hooks up in a free active jack, it can't get an IP. If the bad guy knows your IP assignment policy and serves himself a valid IP of your subnet, then the ACL kicks in and filters out that IP (of course, you need to maintain the ACL to match the bootptab list of IP addresses).
If he gets an IP that is permitted and if that IP is not used when he does his dirty job (some users do have vacation, you know), then this scheme does not hold, unles you deny the IPs of users that are gone in vacation in the ACL.
If the IP is already in use by some active computer, then there will be a duplicate IP, which can be detected fairly easy, and the legitimate user's computer will not work - he will surely call you if he's not out for a smoke.
Just a question: How many of the systems' NICs (like the one in my notebook) support setting the "Locally administered address" (Google for it), thereby CHANGING the MAC address?
Note: While I work for Hewlett Packard Enterprise, all of my comments (whether noted or not), are my own and are not any official representation of the company. ---------- If my post was useful, click on my KUDOS! thumb below!
I'll admit, some of the solutions seem a little excessive, although I'm not denying they may work (with a lot of effort and testing!). I think the idea of static DHCP reservations is possible, but if someone still knows the LAN IP range, then picking a valid IP and jumping on the LAN wouldn't be difficult. I'll think about it.
It's also true that most modern NIC's allow you to soft-code the MAC address, which is an issue if you use MAC lockdown. Removing local admin rights would reduce that risk though, along with a bit of user eduation!
