On 2010-08-11, at 11:48, David wrote:
>
> At $work, we're having more and more problems with people bringing
> laptops etc from home and plugging them in to the network. The company
> policy has always been against this, but it was never really enforced.
> I want to change that.
>
> I'm looking for suggestions on how I can prevent users' personal devices
> from functioning should they plug them into the network.
>
> Here is what I have to work with:
> - the MACs of the company workstations/laptops/Voip phones
> - Switches are 3Com Baseline 2924-pwr Plus
> (http://support.3com.com/infodeli/tools/switches/baseline/3Com_Baseline-Switch-2924-PWR-Plus_User-Guide.pdf)
> - IPs are assigned via dhcp (ISC dhcpd). Some equipment gets fixed IPs,
> but workstations and voip phones are plain dhcp.
>
> I stopped assigning static ips to the workstations and voip phones
> because it was becoming a pain to manage at 100+. However, I'm starting
> to wonder if I should assign all known mac addresses to a fixed range,
> and assign a second range by dhcp. Then when an unknown client "plugs
> in", they will get an IP in the dhcp range, which I should be able to
> block at the switch.
>
> Comments?

Some have mentioned using 802.1X, which seems like a very good solution, but maybe something a little quicker to implement is "port security", which seems to also be supported by your switch.

Basically, port security works at layer 2 (MAC addresses). It will only accept frames from MAC addresses which are whitelisted. I'm not sure about the ways 3com specifically implements this feature. But I know with Cisco switches, you can either manually enter MAC addresses for each port (static entries), or have the switch learn and only accept the first MAC address it learns (automatically adds a single MAC address).

This is a per-port feature, so you can have a few ports without this feature for places like a meeting room, which might have ports assigned to a different vlan for guests. Setting port security to learn and automatically whitelist the first MAC address is a simple and quick way to help you control what gets connected on your switches.

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
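
An added example, not part of either message: a short Python audit that checks an ISC dhcpd lease file against the company MAC inventory the original post mentions and lists active leases held by unknown devices. The inventory, addresses and lease entries are constructed, and the function names are hypothetical.

```python
import re

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)\n\}", re.S | re.M)
FIELDS = {
    # Anchored to line start so "next binding state ..." is not mistaken for the state.
    "state": re.compile(r"^[ \t]*binding state (\w+);", re.M),
    "mac": re.compile(r"hardware ethernet ([0-9A-Fa-f:]{17});"),
    "hostname": re.compile(r'client-hostname "([^"]*)";'),
}

def normalize(mac):
    return mac.strip().lower().replace("-", ":")  # canonical form for comparison

def parse_leases(text):
    """Return {ip: fields}. dhcpd appends to the file, so the last entry per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        leases[ip] = {n: (m.group(1) if (m := rx.search(body)) else None)
                      for n, rx in FIELDS.items()}
    return leases

def unknown_devices(text, known_macs):
    """Active leases whose MAC is not in the company inventory."""
    known = {normalize(m) for m in known_macs}
    return sorted(
        (ip, normalize(r["mac"]), r["hostname"]) for ip, r in parse_leases(text).items()
        if r["state"] == "active" and r["mac"] and normalize(r["mac"]) not in known)

# Constructed inventory and lease data (not real devices).
KNOWN_MACS = ["02-00-00-AA-BB-01"]
SAMPLE_LEASES = """\
lease 192.168.10.21 {
  binding state active;
  hardware ethernet 02:00:00:aa:bb:01;
}
lease 192.168.10.57 {
  binding state active;
  next binding state free;
  hardware ethernet 02:00:00:12:34:56;
  client-hostname "home-laptop";
}
lease 192.168.10.60 {
  binding state active;
  hardware ethernet 02:00:00:de:ad:01;
}
lease 192.168.10.60 {
  binding state free;
  hardware ethernet 02:00:00:de:ad:01;
}
"""
```

On a real server the text would be read from the dhcpd.leases file, whose path varies by distribution.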
