Posted by DigitalVinyl on November 29, 2005, 10:02 am
Anybody have a simple method for blocking a MAC address or (less
effective) an IP address? We don't want to amend ACLs because laptops
can move from network to network.
Basically I'm looking for the simplest method for blocking
virus/worm/trojan/spyware infected PCs. We have a honeypot log that
tells us the IP address but it is time consuming to track the PC down,
both logically on the switches and then dispatching desktop support to
track down the person/laptop and fix them.
I'd prefer to block the MAC addresses at the three major routing nodes
and eliminate their ability to use the network. This would protect us
and force them to contact tech services. Our major routing nodes host
the routing interfaces on most of the networks. So if I can block the
MACs there it will work fairly well. We have too many switches (200+)
to do anything there.
Thanks for any suggestions.
DiGiTAL_ViNYL (no email)
Posted by ETLALAR on November 29, 2005, 10:50 am
AFAIK, MAC access-lists 700-799 and 1100-1199 on routers work only on BVI
interfaces (with "bridge irb" configured).
How about using 802.1x authentication and forcing the switchport into
"force-unauthorised" state or changing password on RADIUS and then
requesting client to reauthenticate?
You have to know the switchport, though.
Another way of doing that is to change the 802.1x reauthentication timeout to be
really short (5 mins?) and then you don't have to force the client to
reauthenticate. All you need then is to change the password on RADIUS and in 5
mins max the client will be off-air.
HTH
Cheers
Alex
--

> Anybody have a simple method for blocking a MAC address or (less
> effective) an IP address? We don't want to amend ACLs because laptops
> can move from network to network.
> Basically I'm looking for the simplest method for blocking
> virus/worm/trojan/spyware infected PCs. We have a honeypot log that
> tells us the IP address but it is time consuming to track the PC down,
> both logically on the switches and then dispatching desktop support to
> track down the person/laptop and fix them.
> I'd prefer to block the MAC addresses at the three major routing nodes
> and eliminate their ability to use the network. This would protect us
> and force them to contact tech services. Our major routing nodes host
> the routing interfaces on most of the networks. So if I can block the
> MACs there it will work fairly well. We have too many switches (200+)
> to do anything there.
> Thanks for any suggestions.
> DiGiTAL_ViNYL (no email)
Posted by ETLALAR on November 29, 2005, 11:05 am
Small correction to my previous post:
MAC access-lists 700-799 and 1100-1199 on routers work only on
bridge-groups, not BVI interfaces (with "bridge irb" configured).
One has to have BVI interfaces to route IP, though.
regards
Alex

> AFAIK, MAC access-lists 700-799 and 1100-1199 on routers work only on BVI
> interfaces (with "bridge irb" configured).
> How about using 802.1x authentication and forcing the switchport into
> "force-unauthorised" state or changing password on RADIUS and then
> requesting client to reauthenticate?
> You have to know the switchport, though.
> Another way of doing that is to change 802.1x reauthentication timeout to be
> really short (5 mins?) and then You don't have to force client to
> reauthenticate. All You need then is to change password on RADIUS and in 5
> mins max the client will be off-air.
> HTH
> Cheers
> Alex
> --
> > Anybody have a simple method for blocking a MAC address or (less
> > effective) an IP address? We don't want to amend ACLs because laptops
> > can move from network to network.
> >
> > Basically I'm looking for the simplest method for blocking
> > virus/worm/trojan/spyware infected PCs. We have a honeypot log that
> > tells us the IP address but it is time consuming to track the PC down,
> > both logically on the switches and then dispatching desktop support to
> > track down the person/laptop and fix them.
> >
> > I'd prefer to block the MAC addresses at the three major routing nodes
> > and eliminate their ability to use the network. This would protect us
> > and force them to contact tech services. Our major routing nodes host
> > the routing interfaces on most of the networks. So if I can block the
> > MACs there it will work fairly well. We have too many switches (200+)
> > to do anything there.
> >
> >
> > Thanks for any suggestions.
> >
> >
> > DiGiTAL_ViNYL (no email)
Posted by DigitalVinyl on November 29, 2005, 2:26 pm

>AFAIK, MAC access-lists 700-799 and 1100-1199 on routers work only on BVI
>interfaces (with "bridge irb" configured).
>How about using 802.1x authentication and forcing the switchport into
>"force-unauthorised" state or changing password on RADIUS and then
>requesting client to reauthenticate?
>You have to know the switchport, though.
>Another way of doing that is to change 802.1x reauthentication timeout to be
>really short (5 mins?) and then You don't have to force client to
>reauthenticate. All You need then is to change password on RADIUS and in 5
>mins max the client will be off-air.
>HTH
>Cheers
>Alex
I'm dealing with a campus of 10-20,000 users, so anything that must be
"implemented" is a year-long planning and discussion. We have over 100
VLANs, 10-12 major routers, and 225 switches.
Our switches range across 5 years of purchasing (as will always be
true in large enterprises), so not all switches have the necessary
capabilities to support certain technological solutions. 802.1x is
under consideration, but I believe some of our switches aren't capable
of supporting the solution we are considering.
DiGiTAL_ViNYL (no email)
Posted by Walter Roberson on November 29, 2005, 11:55 am
>Anybody have a simple method for blocking a MAC address or (less
>effective) an IP address? We don't want to amend ACLs because laptops
>can move from network to network.
>Basically I'm looking for the simplest method for blocking
>virus/worm/trojan/spyware infected PCs. We have a honeypot log that
>tells us the IP address but it is time consuming to track the PC down,
>both logically on the switches and then dispatching desktop support to
>track down the person/laptop and fix them.
>I'd prefer to block the MAC addresses at the three major routing nodes
>and eliminate their ability to use the network. This would protect us
>and force them to contact tech services. Our major routing nodes host
>the routing interfaces on most of the networks. So if I can block the
>MACs there it will work fairly well. We have too many switches (200+)
>to do anything there.
Some switches are able to get MAC security information via RADIUS.
This is not exactly the same mechanism as the 802.1x that the other poster
suggested -- this generally predates 802.1x.
At the IP level, you could use 'shun' on the PIX you have mentioned
in other postings. But as you point out, that doesn't work well if the
IP address changes.
When the IP address changes, probably the PCs are DHCP'ing for an IP
address. Your DHCP server could be managing a block table, since the
DHCP server is given the MAC address.
If your routers have firewall support, you might be able to work something
at the MAC level using NBAR.
--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton
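The DHCP-side block table suggested in the post above, and the 700-series MAC access-list that the earlier correction says only applies to bridge-groups, both start from the same step: turning the IP address the honeypot reports into the MAC the DHCP server already knows. The script below is an added example written for this thread, not code from any poster; the honeypot log format, the ISC dhcpd.leases-style records, and every address in it are constructed. It picks the most recent lease for each IP (an older lease on a reused address would otherwise block the wrong machine), keeps a list of IPs it could not resolve, and renders the resulting MAC list as both a dhcpd `class`/`subclass` fragment and an IOS MAC access-list.

```python
"""Resolve honeypot-reported IPs to MACs via DHCP lease records and render a
MAC block table.  Added example for this thread; every address, the log
format and the lease format are constructed, not taken from a real site."""
import re
from datetime import datetime

# Constructed honeypot log lines (format is an assumption: date, src IP, probe).
# 10.50.1.9 has no lease on record, to exercise the unresolved path.
HONEYPOT_LOG = """\
2005-11-29 09:41:07 src=10.20.5.77 probe=tcp/445
2005-11-29 09:41:09 src=10.20.5.77 probe=tcp/139
2005-11-29 09:55:31 src=10.31.8.14 probe=tcp/135
2005-11-29 10:02:00 src=10.50.1.9 probe=tcp/445
"""

# Constructed ISC dhcpd.leases-style records.  10.20.5.77 appears twice:
# the older lease belonged to a different MAC, so the newest lease must win.
DHCP_LEASES = """\
lease 10.20.5.77 {
  starts 2 2005/11/28 08:00:00;
  ends 2 2005/11/28 20:00:00;
  hardware ethernet 00:0d:60:aa:bb:cc;
}
lease 10.20.5.77 {
  starts 3 2005/11/29 08:30:00;
  ends 3 2005/11/29 20:30:00;
  hardware ethernet 00:11:43:12:34:56;
}
lease 10.31.8.14 {
  starts 3 2005/11/29 09:10:00;
  ends 3 2005/11/29 21:10:00;
  hardware ethernet 00:0b:cd:de:ad:01;
}
lease 10.31.8.99 {
  starts 3 2005/11/29 09:12:00;
  ends 3 2005/11/29 21:12:00;
  hardware ethernet 00:0b:cd:00:00:02;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
START_RE = re.compile(r"starts\s+\d\s+(\S+\s+\S+);")      # weekday, date, time
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)


def parse_leases(text):
    """Map each IP to the MAC of its most recent lease (latest 'starts')."""
    latest = {}
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        start, mac = START_RE.search(body), MAC_RE.search(body)
        if not (start and mac):
            continue  # incomplete record: skip rather than guess a MAC
        when = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S")
        ip = m.group("ip")
        if ip not in latest or when > latest[ip][0]:
            latest[ip] = (when, mac.group(1).lower())
    return {ip: mac for ip, (_, mac) in latest.items()}


def infected_ips(log):
    """Distinct source IPs reported by the honeypot log, sorted."""
    return sorted({m.group(1) for m in re.finditer(r"src=([\d.]+)", log)})


def build_block_table(log, leases):
    """Return (sorted MACs to block, IPs with no lease on record)."""
    ip_to_mac = parse_leases(leases)
    blocked, unresolved = set(), []
    for ip in infected_ips(log):
        mac = ip_to_mac.get(ip)
        (blocked.add(mac) if mac else unresolved.append(ip))
    return sorted(blocked), unresolved


def to_cisco_format(mac):
    """00:11:43:12:34:56 -> 0011.4312.3456 (IOS dotted-hex notation)."""
    hexstr = mac.replace(":", "")
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def render_dhcpd_class(macs):
    """ISC dhcpd fragment: a class keyed on hardware address; a pool then
    carries 'deny members of "blocked";' so these hosts get no lease."""
    lines = ['class "blocked" { match hardware; }']
    # The leading 1: is the Ethernet hardware-type byte dhcpd expects.
    lines += [f'subclass "blocked" 1:{mac};' for mac in macs]
    return "\n".join(lines)


def render_ios_mac_acl(macs, number=700):
    """IOS 700-series MAC access-list: exact-match deny per MAC, permit the
    rest.  As the thread notes, this applies only to bridge-groups."""
    lines = [f"access-list {number} deny {to_cisco_format(m)} 0000.0000.0000"
             for m in macs]
    lines.append(f"access-list {number} permit 0000.0000.0000 ffff.ffff.ffff")
    return "\n".join(lines)


if __name__ == "__main__":
    macs, missing = build_block_table(HONEYPOT_LOG, DHCP_LEASES)
    print(render_dhcpd_class(macs))
    print(render_ios_mac_acl(macs))
    for ip in missing:
        print(f"# no lease for {ip}: static address? block by IP or trace it")
```

The unresolved list matters in practice: a statically addressed host, or one whose lease has already been reassigned, will not appear in the lease file, and a MAC block derived from a stale lease would cut off the wrong user. Keeping the lease timestamps and preferring the newest record is what guards against that.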