MAC address lockdown

Hello, we are converting all of our switches to Cisco 3560s.

What I want to know is what is the best way to lock down all the switch ports at the MAC address level.

~Thanks

karldavidson

You didn't specify which version of IOS you're running on your switches, but please check this document:

Take a look under the "Configuring Port Security" section.

I hope this is what you have been asked for...

B.R. Igor

Igor Mamuzic
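As an added example (not from the linked document or from any post in this thread), this is what the "Configuring Port Security" section amounts to on a Catalyst 3560 running a 12.2-era IOS: one access port locked to a single administratively known MAC, and a second port using sticky learning so the switch records the first address it sees. Interface names, the VLAN number, the description and the MAC address are assumed for illustration.

```cisco
! Catalyst 3560, IOS 12.2 train. Port security is only accepted on a port that
! is explicitly "switchport mode access"; it refuses dynamic (DTP) ports.
!
! Port locked to one known MAC address (assumed value).
interface FastEthernet0/1
 description Workstation, inventory tag 1234 (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Same policy, but the switch learns the first MAC it sees and writes it into
! the running configuration ("sticky"). Save the config afterwards or the
! learned address is lost on reload.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! "violation shutdown" puts the port into err-disabled state on the first
! foreign MAC. Without recovery it stays down until an operator does
! shutdown / no shutdown. Recover automatically after 5 minutes; a MAC that is
! still foreign simply trips the port again.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Send an SNMP trap on each violation so the event is seen, not just logged locally.
snmp-server enable traps port-security
!
! Verification (exec mode):
!   show port-security                        - per-port max / current / violation counts
!   show port-security interface FastEthernet0/1
!   show port-security address                - secure MACs and how each was learned
!   copy running-config startup-config        - persist sticky addresses
```

Two checks worth doing before rolling this out fleet-wide: confirm every target port really is `switchport mode access` (the `switchport port-security` command is rejected otherwise), and confirm that sticky addresses made it into the startup configuration, because a reload of a switch whose sticky MACs were never saved will relearn whatever is plugged in at that moment.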

This is called: "Security through obscurity". Are you sure you want to implement such policy?

MAC addresses are not fixed parameters; everybody with access to regedit (Windows box) can change the address.

Joop van der Velden

In article , Joop van der Velden wrote:

> > What I want to know is what is the best way to lock down all the switch ports at the MAC address level.

> This is called: "Security through obscurity". Are you sure you want to implement such policy?

I must admit that I have considered a similar lockdown more than once. I have a very hard time getting people to register new systems and NICs with me :( If people went in and changed their MAC address, then at least:

a) they would -know- clearly that they were violating local policy; and

b) I would at least be able to track down which port they were on, since no other port would be authorized for the MAC they would be forced to assume.

There are different kinds of "security" needs for different venues. MAC lockdowns are sometimes not really about keeping unauthorized users off the network, but rather about tracking what is on the network. Network security manuals often start by saying that the first step is to catalog your network devices -- and MAC lockdowns can be a useful tool to *assist* in maintaining that catalog.

Walter Roberson

Good points, thanks for your insights Walter.

Joop van der Velden

You could "invert" your logic by saying, "If the MAC address is NOT this, then error-disable the port. Otherwise, forward the frames because the MAC will be a match." While locking down by MAC doesn't prevent things like man-in-the-middle, CAM poisoning, and the like, it is at least another LAYER. Of course, good security policy does not rely on any one layer for protection anyway! ;-)

One point to consider about port security: it will only work on access-mode ports. If you use Cisco IP phones, or the ports are configured for trunking, it won't work. Same goes for 802.1X.

-Jason

Cisco Guy

On 24.06.2005 19:30 Joop van der Velden wrote

There are situations where you do not want to lock the port down to a *specific* address but to *one* address. This, for example, allows the end user to change the hardware, but it prevents MAC flooding, which would finally make the switch flood all frames.

Arnold Nipper
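The count-only variant Arnold describes, written out as an added example (not from his post) for a Catalyst 3560 on a 12.2-era IOS: the port accepts whichever single MAC shows up first, so the user can swap a NIC or a whole machine, but any second source address is a violation, which is what defeats a CAM-flooding tool. The interface name, VLAN and timer values are assumed.

```cisco
! Catalyst 3560: limit the port to ONE dynamically learned MAC, not a specific one.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! No "mac-address" line: the first address seen is secured, and because it is
 ! not sticky it is never written into the configuration.
 !
 ! Age the learned address out after 10 minutes of silence, so a swapped NIC
 ! does not trip the port once the old machine has been unplugged.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 !
 ! "restrict" drops frames from any further MACs, increments the violation
 ! counter and logs/traps the event, but keeps the port up for the secured
 ! address. Use "shutdown" instead if you would rather err-disable the port on
 ! the first extra MAC.
 switchport port-security violation restrict
!
! A flooding tool generating random source MACs now shows up as a climbing
! violation counter on this port instead of a full CAM table:
!   show port-security interface FastEthernet0/3
!   show port-security address
```

The trade-off against a specific-address lockdown is visible in the violation mode: with `restrict`, the first machine on the port keeps working while an attacker's extra addresses are silently dropped, so you need to be watching `show port-security` or the traps to notice the attempt at all.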

We will be adding Cisco VoIP phones to our Cisco 3560 switches in the future, so maybe that is not the way to go. Maybe a better way to go would be an intrusion detection system which would monitor and notify when new MAC addresses come up on the network. My main concern is people bringing in their own laptops and plugging them into our network, or even worse wireless access points. We also have network security auditors come in once a year, so adding one more hoop they have to hop through is a bonus as well.

Thanks for all of the input.

karldavidson

In article , wrote:

> We will be adding Cisco VoIP phones to our Cisco 3560 switches in the future, so maybe that is not the way to go. Maybe a better way to go would be an intrusion detection system which would monitor and notify when new MAC addresses come up on the network.

To be effective, such a system should monitor the switch tables via RMON or SNMP -- if you try to monitor at just one point, then conversations that don't happen to cross that point won't show up. Our single-point monitoring catches no more than 2/5 of the active MACs.

> My main concern is people bringing in their own laptops and plugging them into our network, or even worse wireless access points.

You might want to consider something like 802.1X. If you don't have MAC lockdown then when people bring in their infected laptops and connect them, it's a matter of seconds before the infected machine starts trying to attack something. A notification of a new MAC comes too late to prevent that. (On the other hand, if you make a bunch of noise every time you find someone connecting an unauthorized machine, it should -discourage- people from bringing their electronic germs to work.)

Walter Roberson
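The two measures Walter suggests, written out as an added example (not from his post) for a Catalyst 3560 on a 12.2-era IOS: MAC-address notification traps, so a central collector hears about every address learned or aged out on every edge port rather than only the conversations that happen to cross one sniffing point, and 802.1X, so an unknown machine never gets a forwarding port in the first place. The RADIUS server address and shared secret, trap receiver and community string, interface names, port range and VLAN are all assumed; the exact notification keywords differ between IOS releases, so check them against the one you run.

```cisco
! --- 1. Tell a central collector about every MAC the switch learns or ages out.
mac address-table notification
mac address-table notification interval 30
mac address-table notification history-size 200
snmp-server enable traps mac-notification
! SNMPv2c with a read-only community for the example (assumed values);
! use SNMPv3 where your collector supports it.
snmp-server host 192.0.2.20 version 2c NMS-COMMUNITY mac-notification
!
! Traps are enabled per port. Apply them to every edge port (adjust the range
! to the port count of your model) so the collector sees all of them.
interface range FastEthernet0/1 - 24
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! --- 2. 802.1X: nothing but EAPOL is forwarded until RADIUS says yes.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
dot1x system-auth-control
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Later 12.2 releases also require "dot1x pae authenticator" on the port;
 ! add it if your IOS accepts it.
!
! Verification:
!   show mac address-table notification    - history of added / removed MACs
!   show dot1x interface FastEthernet0/5   - port state and last supplicant
!   show dot1x all
```

The notification traps only tell you after the fact, which is Walter's point; 802.1X is what keeps an infected laptop off the wire during those first seconds. Before enabling `dot1x port-control auto` on a port, make sure whatever is plugged into it actually runs a supplicant, since printers and other devices that cannot authenticate will simply go dark unless you give them separate handling.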
