
restricting LAN access to a known pool of devices


pgn

Technical User
Oct 30, 2002
I have a bit of a challenge for those used to operating a network in a semi-secure environment:

What is the most efficient way to restrict access to the LAN to only "known" MAC Addresses, in a LAN driven by Cisco 3500-series switches at the edge?

Blocking of IP Addresses at a consolidation point (router) is possible but not desirable - IP addresses can change, especially with DHCP in use.

Restricting access by MAC/NIC Address seems like the most effective way of controlling who can get access to network resources, assuming the mac addresses of the client population are known.

Of course, a process to ensure new devices coming onto the LAN are "allowed" access would be needed... as would a way to see when a non-authorised client has attempted to attach to the LAN.

Oh - and tying the client MAC address to one particular switch port is no good, a requirement would be that any member of the known-good client population can "plug in" at any available network port.

Has anyone any experience of implementing this type of solution that they would like to share?

Is there a Cisco platform that *does* support restriction by MAC address if the 3500 series can't?

Thanks,
pgn@technologist.com
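One way to get the "see when a non-authorised client has attached" part of the requirement without tying MACs to ports: pull the switch's MAC address table and compare it against an allowlist of known-good devices. The script below is an added example, not code from this thread or from Cisco. The allowlist, the sample `show mac address-table` text and the uplink port set are all constructed; normalisation lets the allowlist be kept in any MAC notation (colon, dash or Cisco dotted hex).

```python
"""Allowlist check of a switch MAC address table (added example, constructed data).

Given the text of a `show mac address-table` style listing and an allowlist
of known-good MAC addresses, report every MAC seen on an access port that is
not in the allowlist. The check ignores which port the device used, so a
known device may plug into any available port.
"""
import re

# Constructed allowlist: MAC -> short description of the known device.
# Any notation is accepted; everything is normalised before comparing.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "finance-pc-01",
    "0011.2233.4466": "finance-pc-02",
    "00-11-22-33-44-77": "printer-floor2",
}

# Constructed sample table in the Cisco dotted-hex style.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/7
  10    0011.2233.4477    DYNAMIC     Fa0/12
  10    00de.ad00.beef    DYNAMIC     Fa0/3
  20    0000.0c07.ac01    STATIC      Gi0/1
"""

# Constructed: uplink ports, where MACs from the rest of the LAN are expected.
UPLINK_PORTS = {"Gi0/1"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, whatever separator it used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text: str) -> list[tuple[int, str, str]]:
    """Parse (vlan, mac, port) rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a numeric VLAN id and have at least 4 columns.
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), normalize_mac(parts[1]), parts[3]))
    return rows


def find_unknown(table: str, allowlist: dict, uplinks: set) -> list[dict]:
    """Return every MAC on a non-uplink port that is not in the allowlist."""
    known = {normalize_mac(m): name for m, name in allowlist.items()}
    findings = []
    for vlan, mac, port in parse_mac_table(table):
        if port in uplinks or mac in known:
            continue
        findings.append({"vlan": vlan, "mac": mac, "port": port})
    return findings


if __name__ == "__main__":
    for f in find_unknown(SAMPLE_TABLE, KNOWN_DEVICES, UPLINK_PORTS):
        print(f"unknown device {f['mac']} on {f['port']} (vlan {f['vlan']})")
```

Run on the constructed table it reports the one MAC that is neither in the allowlist nor learned on the uplink. In practice the table text would come from a scheduled poll of each edge switch (or from a MAC-notification syslog feed), and the allowlist would be the same "known good" register the admins maintain when new devices are screened and added.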
---
 
I am confused... You want to authenticate MAC addresses, but you still want unknown MAC addresses to be let on?

You don't want MAC addresses to be tied down to a physical port, so you'll need to implement either vpms or 802.1x. Try reading up on these technologies and see if they seem like a fit.
 
Sorry for the confusion - I meant that there would need to be a documented process or system to make it fairly easy for the network admins to add new devices to the pool of "known good" devices, after screening and patching, etc.

VPMS would work - is it supported on the 3500-series, and is there a solution (admin tool) that Cisco support?

Thanks,
pgn@technologist.com
---
 
Sorry I did a typo... It should be VMPS (VLAN Management Policy Server). :)

Anyways I didn't see a quick link on how to do it on a 3500xl switch, but here is a link on how to do it for the 6000 series.


The same general rules apply, it will just be different command syntax on the 3500xl. The 3500xl does support this though.
 
Thanks, baddos.

Interesting reading - also covered in the software config guide for the 2900XL/3500XL series switches (back to IOS 12.0(5)XU release).

Back to the original question - has anyone tried to use VMPS?

Feedback I've received is that it's "barely supported".

Any CCIEs or net admins from a bank, financial institution or stock trading floor (higher than normal security) using it?

 
It's generally an old technology that is being replaced by 802.1x.
 
I work for a few government installations that run VMPS. We are currently phasing out VMPS in favor of both 802.1x and VPN only logon solutions.

But as a technology VMPS works very well for permitting access to static devices and I do not see it going away. What is being phased out is the dynamic VMPS products in favor of 802.1x and VPN.
 
Thank you ccmuser for your comment.

Do the two newer technologies you are moving to go hand in hand to replace VMPS, or is 802.1x a replacement for VMPS?

If all you wanted to do was to "shut the door" on unknown devices connecting to your LAN, would you still be able to do it without VMPS?
