preventing laptops from accessing lan

watts3000

Senior member
Aug 8, 2001
619
0
0
We are trying to find out a way to keep vendors from plugging their laptops into our LAN. We run a Windows 2000 DHCP server. Is there a way to tell a 2000 Server DHCP server to give out an IP address only to known MAC addresses? We also thought about using a managed switch and creating a VLAN that would only allow vendors internet access.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
You can do the VLAN route. You can always just unplug every port that isn't being used from the switch; that'd keep them from plugging in unless they unplug another user's PC and plug into that. MAC-based port security is a nice feature to get on whatever managed switch you do end up getting. That will lock a port down to 1 or however many MAC addresses you want to allow on that port.
 

watts3000

Senior member
Aug 8, 2001
619
0
0
I think that's what they did at my old school: we could move any PC from jack to jack, but if you tried to plug an unknown system in you could not access the LAN. What's a good affordable switch that will allow for that option?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I'd go with some kind of 802.1x option. That way the laptop has to actually log in before it can get an IP address or even communicate.
 

Hoober

Diamond Member
Feb 9, 2001
4,382
34
91
You can configure DHCP to reserve a certain number of addresses for MACs that have been registered.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Cisco 2950s and 2940s can do it. The 24-port 10/100 Fast Ethernet model is the 2950-T24 and should run you right around $1,000. The 2940-8TT is an 8-port model that will probably cost you around $600.
 

watts3000

Senior member
Aug 8, 2001
619
0
0
spidey07, what exactly is the 802.1x option, and which managed switches can you get this in? Boscoh, I'll check on that Cisco switch. Also, how does uplinking work on managed switches? If you run out of ports, would it cause problems to uplink a regular switch?
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
It will work fine, except you won't be able to limit MAC addresses on the unmanaged switch on a per-port basis. You'll be able to limit the number of MAC addresses allowed on the port of the Cisco switch the unmanaged switch plugs into. For example, if it's a 12-port unmanaged switch and it plugs into port 3 on the Cisco, you can limit the number of MAC addresses allowed on port 3 to 12. That could equal one per port on the unmanaged switch, or if you have another switch plugged into that, it could mean 12 MACs on one port of the unmanaged switch. Make sense?


As for 802.1x, that requires some sort of authentication server, usually RADIUS... and the price of that software can get kind of expensive. MAC-based port security and 802.1x complement each other, and 802.1x is probably the more secure and adaptive of the two... but in the end it's probably going to be more expensive.
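Boscoh's port-security advice above, written out as an added configuration example that is not from the thread: a Cisco IOS snippet (interface names and a 2950-style command set are assumed) that pins an ordinary workstation port to the one MAC it learns and allows twelve on the uplink to the 12-port unmanaged switch.

```cisco
! Added example, not from the thread. Interface names are assumed.
!
! Port 1: a single workstation. Learn the first MAC seen and keep it
! in the running config (sticky); a second MAC shuts the port down.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Port 3: uplink to the 12-port unmanaged switch from the post.
! Allow 12 addresses (one per downstream port). "restrict" drops
! frames from a 13th MAC and logs it instead of killing the uplink
! for everyone behind it.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 12
 switchport port-security violation restrict
!
! Let a port shut down by a violation come back on its own after the
! default timer, so a one-off mistake does not need a manual reset.
errdisable recovery cause psecure-violation
!
! Verify from exec mode: per-port maximum, current count and
! violation counter, then the learned address table.
! show port-security interface FastEthernet0/3
! show port-security address
```

Port security only counts and pins addresses; it cannot tell a registered workstation from a laptop that has been given that workstation's MAC, which is the gap 802.1x closes.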
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Boscoh
It will work fine, except you won't be able to limit MAC addresses on the unmanaged switch on a per-port basis. You'll be able to limit the number of MAC addresses allowed on the port of the Cisco switch the unmanaged switch plugs into. For example, if it's a 12-port unmanaged switch and it plugs into port 3 on the Cisco, you can limit the number of MAC addresses allowed on port 3 to 12. That could equal one per port on the unmanaged switch, or if you have another switch plugged into that, it could mean 12 MACs on one port of the unmanaged switch. Make sense?


As for 802.1x, that requires some sort of authentication server, usually RADIUS... and the price of that software can get kind of expensive. MAC-based port security and 802.1x complement each other, and 802.1x is probably the more secure and adaptive of the two... but in the end it's probably going to be more expensive.


2000 has a built-in RADIUS server. :)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Boscoh
This is true... I didn't know that :D. Does it work well?

I thought there was. Don't quote me on it though... I stay as far away from servers as possible. Also there are free RADIUS servers out there. Even Cisco's ACS server is only a few grand.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: spidey07
Originally posted by: Boscoh
This is true... I didn't know that :D. Does it work well?

I thought there was. Don't quote me on it though... I stay as far away from servers as possible. Also there are free RADIUS servers out there. Even Cisco's ACS server is only a few grand.

Our MS guy says he doesn't recommend using it because it's vulnerable to all kinds of stuff. Why is that not surprising? :D

"Even Cisco's ACS server is only a few grand." For a company that's small enough to only be using an unmanaged switch, a few grand might be a lot ;).