
MAC Address Filtering

  • MAC Address Filtering

    Hi all,
    We have a few Cisco 3560G switches. Due to a new corporate policy we now need to secure our LAN in a fashion that only allows authorized devices to be connected to a switch port. In other words, we need to filter our devices by MAC address and deny connection to any device that doesn't have an authorized MAC address. I already looked around and found a few articles on MAC address ACLs, but that doesn't work quite well. I also read about implementing NAP, but that is a lot of messing around. How can I implement this easily with centralized management of MAC addresses?
    Thanks in advance
    Last edited by crazyleo_EA; 14th December 2012, 05:24.

  • #2
    Re: MAC Address Filtering

    To have it centralized you'll probably need to implement 802.1x (aka RADIUS) port authentication. You can configure it to use the MAC address for authentication. You could also use a username and password, which might be more secure.

    Network Consultant/Engineer
    Baltimore - Washington area and beyond


    • #3
      Re: MAC Address Filtering

      802.1x would be the way to go. The downside to that is that you need a RADIUS server, or preferably in the Cisco world ACS (AAA Server). You would also need a supplicant installed on the client for the authentication piece, not to mention the configuration on your devices.

      A simpler approach would be to do port security on the switches. You can either do it manually or dynamically. Basically, with port security enabled, by default the switchport only accepts one MAC address learned on that port. If a different MAC address connects, it puts the port in an "error disabled" state, which then requires the admin to shut/no shut the port to get it back up. You can also learn the addresses dynamically and then use the "sticky" feature to convert them to static and save them to the configuration so they survive a switch reboot. Here is some more info on port security.

      Another option would be to do reservations on your DHCP server per MAC address. A client that connects without its MAC address configured in a DHCP reservation will then not get an address via DHCP.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)
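
      A switchport configuration for the port security approach described in #3, added here as an illustration rather than taken from any poster. The interface name, VLAN number and MAC address are placeholders, and errdisable recovery is included so a tripped port comes back on its own instead of needing a manual shut/no shut.

```cisco
! Constructed example: user-facing access port with port security (placeholders: Gi0/1, VLAN 10, MAC)
interface GigabitEthernet0/1
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! enable port security; default maximum is 1 learned MAC address per port
 switchport port-security
 switchport port-security maximum 1
 ! "shutdown" puts the port into err-disabled on a violation (the default);
 ! "restrict" would instead drop offending frames, count them and send a syslog/SNMP trap
 switchport port-security violation shutdown
 ! learn the first MAC dynamically and write it into the running config as a static entry
 switchport port-security mac-address sticky
 ! alternatively, pre-provision the authorized host (placeholder address):
 ! switchport port-security mac-address 0000.0000.0001
!
! Bring err-disabled ports back automatically after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky addresses live in the running config; save them so they survive a reboot
! copy running-config startup-config
!
! Verification
! show port-security
! show port-security interface GigabitEthernet0/1
! show port-security address
! show interfaces status err-disabled
```

      Note that this ties a port to a MAC address but does not authenticate the device, so it is a weaker control than the 802.1x approach in #2 and #3; "show port-security" and the psecure-violation syslog messages are what you would watch to see which ports are tripping.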