MAC Filtering - In Enterprise

Soldato | Joined 27 Sep 2004 | Posts 11,201 | Location: The Ledge Beyond The Edge
What is the best way to go about implementing MAC filtering in a corporate network?

As an interim solution we are going to set up whitelists on DHCP servers, but this isn't ideal.

We are going to be moving to Cisco switching, do Cisco have a centralised solution for this? I don't fancy having to maintain individual whitelist tables in each switch tbh.
 
> What is the best way to go about implementing MAC filtering in a corporate network?
>
> As an interim solution we are going to set up whitelists on DHCP servers, but this isn't ideal.
>
> We are going to be moving to Cisco switching, do Cisco have a centralised solution for this? I don't fancy having to maintain individual whitelist tables in each switch tbh.

You should really be looking at RADIUS/802.1X authentication.
 
One option could be to use port security on the Cisco switches and set it to learn sticky MAC addresses. That way all you need to do is make sure only legit devices are connected, and then when the switch boots up it'll learn the MAC address of what's connected and save that into the config so it won't have to relearn later.

Port security allows you to allow a variable number of MAC addresses, and configure what happens when something breaks the port security (such as adding more devices than allowed to the switch port, or using a device with a different MAC when the switch has already learned the maximum number of addresses for that port).

The advantages of doing it this way are that you don't have to keep updating a whitelist as new devices are added and old ones removed, it's simple to clear the switch of its learned MAC addresses if you do need to add new stuff to that port, and it has security that can shut down the port and log the reason why if someone tries to break the port security rules.

Downside is you need known good MAC addresses connected when you enable it. If you have a device connected that you don't want to have access, it'll get learned and added just like any other device.
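The sticky port-security setup described in the post above, written out as a Cisco IOS configuration. This is an added example, not config posted in the thread; the interface name, VLAN number and recovery interval are placeholders. Note that port security (like a DHCP MAC whitelist) only compares the source MAC address of frames, so it is a device-inventory control rather than an authentication of who is on the port.

```cisco
! Added example: Cisco IOS port security with sticky MAC learning.
! Interface, VLAN and timer values are placeholders.
interface GigabitEthernet1/0/10
 description user access port (example)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! how many addresses this port may learn (raise it for IP phone + PC chains)
 switchport port-security maximum 1
 ! learn the first MAC seen and write it into running-config as a static entry
 switchport port-security mac-address sticky
 ! on violation: err-disable the port and log it (alternatives: protect, restrict)
 switchport port-security violation shutdown
 spanning-tree portfast
!
! bring err-disabled ports back after 5 minutes instead of a manual shut / no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! exec-mode commands for the operational steps the post mentions:
!   show port-security address                      - review what was learned
!   show port-security interface GigabitEthernet1/0/10
!   clear port-security sticky interface GigabitEthernet1/0/10   - forget the port's MACs
!   copy running-config startup-config              - keep learned MACs across a reload
```

Because the sticky entries only land in startup-config when you save, review `show port-security address` before saving so that any device you did not intend to authorise (the downside the post describes) is cleared rather than persisted.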
 
Realistically I'd go with dot1x through to a RADIUS server. There *is* another tech you can use depending on switch model called VMPS but I'd stay clear.

- GP
 
I know people have mentioned port security but I would argue against it. Yes it's a good feature but if you're anything over a smallish system (and it doesn't really sound like you are) then that is a lot of overhead to manage and response times for people who want to work, especially if you have hot desks, clients coming in (maybe) and laptops roaming between places.

Dot1x allows you to just create a client profile and set it up on a management server. Then it doesn't matter where people plug in, no need to go on switches to make changes etc. and you can make global changes if needed.

How many users do you have, and how many hot deskers and laptops? What sort of budget?

- GP
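The dot1x-to-RADIUS approach recommended in the two posts above, as a minimal Cisco IOS configuration. This is an added example and not from the thread; it assumes IOS 15-style `radius server` syntax, and the server address, shared secret, VLAN and interface are placeholders. The switch acts only as the 802.1X authenticator: the client profile the post refers to lives on the RADIUS server (for example Windows NPS or FreeRADIUS), which is why nothing per-user needs to be configured on any individual switch.

```cisco
! Added example: switch-side 802.1X (dot1x) pointing at a central RADIUS server.
! 192.0.2.10, the shared secret, VLAN and interface are placeholders.
aaa new-model
aaa authentication dot1x default group radius
! needed if the RADIUS server returns a VLAN or ACL for the session
aaa authorization network default group radius
!
radius server NAC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! turn on 802.1X globally; without this the interface commands do nothing
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description user access port (example)
 switchport mode access
 switchport access vlan 10
 ! port stays closed until the RADIUS server accepts the supplicant
 authentication port-control auto
 dot1x pae authenticator
 ! optional: try 802.1X first, then MAC Authentication Bypass for devices
 ! with no supplicant (printers, phones) - their MACs are then held on the
 ! RADIUS server, not on each switch
 authentication order dot1x mab
 mab
 spanning-tree portfast
!
! exec-mode checks:
!   show authentication sessions interface GigabitEthernet1/0/10
!   show dot1x all
```

The same interface stanza is applied to every user-facing port, so adding a hot-desk user or a roaming laptop is a change on the RADIUS server only, which is the operational advantage the post is making over per-switch port security tables.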
 