HPE Community
Switches, Hubs, and Modems
1820884 Members
3545 Online
109628 Solutions
New Discussion юеВ

MAC Filtering

 
Tony Barrett_2
Frequent Advisor

тАО03-04-2007 10:14 PM

тАО03-04-2007 10:14 PM

MAC Filtering

I have a requirement to enforce MAC filtering on a 2650. Looking into available options, I can use the port-security command to restrict which MAC's are permitted per port (learning for up to 8 MAC's), but I'd rather just maintain a list of permitted MAC's for the whole switch, i.e. a MAC address based VLAN, so permitted devices can connect to any port. There will only be one VLAN (all ports), and it's a single switch network.

There's probably going to be 20-30 MAC's total for the whole switch.

Have I missed something, or are there any best practise recommendations for this?

Thanks
0 Kudos
7 REPLIES 7
Matt Hobbs
Honored Contributor

тАО03-04-2007 10:37 PM

тАО03-04-2007 10:37 PM

Re: MAC Filtering

Hi Tony,

I think that 802.1X mac-based authentication is probably the way to go for this one. Seems a bit much effort for a network of this size though.

Matt
0 Kudos
Tony Barrett_2
Frequent Advisor

тАО03-04-2007 11:23 PM

тАО03-04-2007 11:23 PM

Re: MAC Filtering

Thanks Matt. You're right about not wanting to go the whole 802.1x route for a network this size. It's overkill. I guess this is the only way of getting what I want though from what your saying?
0 Kudos
Matt Hobbs
Honored Contributor

тАО03-04-2007 11:49 PM

тАО03-04-2007 11:49 PM

Re: MAC Filtering

Unfortunately I think it is the only way for that many mac-addresses to be valid on each port due to the 8 mac-address limit of Port Security.

Hopefully someone else has a simpler idea...
0 Kudos
OLARU Dan
Trusted Contributor

тАО03-05-2007 07:40 PM

тАО03-05-2007 07:40 PM

Re: MAC Filtering

You could do a kind of manual 802.1X: take the MAC table off the 2650 every x minutes and compare it to an offline list of allowed MACs. If any MAC is outside the list, then find the port the MAC connects to and disable the port. Chose x as not to overload your network with non-production traffic. Don't ask me how to implement this (maybe some SNMP script or C program that uses SNMP routines) - this is the simplest ideea that I can think of right now.
0 Kudos
OLARU Dan
Trusted Contributor

тАО03-05-2007 07:58 PM

тАО03-05-2007 07:58 PM

Re: MAC Filtering

You could use a DHCP server to assign IP addresses based on predefined MACs (or bootp if you like it best), and build an ACL on the 3500 to only allow the IPs that are assigned in bootp or DHCP to roam through your network.

If a MAC that is not on the list hooks up in a free active jack, it can't get an IP. If the bad guy knows your IP assignment policy and serves himself a valid IP of your subnet, then the ACL kicks in and filters out that IP (of course, you need to maintain the ACL to match the bootptab list of IP addresses).

If he gets an IP that is permitted and if that IP is not used when he does his dirty job (some users do have vacation, you know), then this scheme does not hold, unles you deny the IPs of users that are gone in vacation in the ACL.

If the IP is already in use by some active computer, then there will be a duplicate IP, which can be detected fairly easy, and the legitimate user's computer will not work - he will surely call you if he's not out for a smoke.
0 Kudos
Sheldon Smith
HPE Pro

тАО03-06-2007 12:17 AM

тАО03-06-2007 12:17 AM

Re: MAC Filtering

Just a question: How many of the systems' NICs (like the one in my notebook) support setting the "Locally administered address" (Google for it), thereby CHANGING the MAC address?

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

Accept or Kudo

0 Kudos
Tony Barrett_2
Frequent Advisor

тАО03-06-2007 12:59 AM

тАО03-06-2007 12:59 AM

Re: MAC Filtering

Thanks for the replies.

I'll admit, some of the solutions seem a little excessive, although I'm not denying they may work (with a lot of effort and testing!). I think the idea of static DHCP reservations is possible, but if someone still knows the LAN IP range, then picking a valid IP and jumping on the LAN wouldn't be difficult. I'll think about it.

It's also true that most modern NIC's allow you to soft-code the MAC address, which is an issue if you use MAC lockdown. Removing local admin rights would reduce that risk though, along with a bit of user eduation!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.