On 8/11/2010 9:14 PM, Emery wrote:
> On 2010-08-11, at 11:48, David wrote:
>
>> At $work, we're having more and more problems with people bringing
>> laptops etc from home and plugging them in to the network. The company
>> policy has always been against this, but it was never really enforced.
>> I want to change that.
>>
>> I'm looking for suggestions on how I can prevent users' personal devices
>> from functioning should they plug them into the network.
>>
>> Here is what I have to work with:
>> - the MACs of the company workstations/laptops/Voip phones
>> - Switches are 3Com Baseline 2924-pwr Plus
>> (http://support.3com.com/infodeli/tools/switches/baseline/3Com_Baseline-Switch-2924-PWR-Plus_User-Guide.pdf)
>> - IPs are assigned via dhcp (ISC dhcpd). Some equipment gets fixed IPs,
>> but workstations and voip phones are plain dhcp.
>>
>> I stopped assigning static ips to the workstations and voip phones
>> because it was becoming a pain to manage at 100+. However, I'm starting
>> to wonder if I should assign all known mac addresses to a fixed range,
>> and assign a second range by dhcp. Then when an unknown client "plugs
>> in", they will get an IP in the dhcp range, which I should be able to
>> block at the switch.
>>
>> Comments?
> Some have mentioned using 802.1X which seems like a very good solution, but
> maybe something a little quicker to implement is "port security" which seems
> to also be supported by your switch. Basically port security works at layer 2
> (MAC addresses). It will only accept frames from MAC addresses which are
> whitelisted. I'm not sure about the ways 3com specifically implements this
> feature. But I know with Cisco switches, you can either manually enter mac
> addresses for each port (static entries), or have the switch learn and only
> accept the first mac address it learns (automatically adds a single mac
> address). This is a per port feature so you can have a few ports without this
> feature for places like a meeting room which might have ports assigned to a
> different vlan for guests. Setting port security to learn and automatically
> whitelist the first MAC address is a simple and quick way to help you control
> what gets connected on your switches.

Thanks for all the ideas and feedback. It's given me a lot to think about.
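
An added example, not part of the thread: one way to build the two-range layout from the original question for ISC dhcpd, generating the configuration from a MAC inventory so 100+ devices need no hand-edited entries. The device names, MAC addresses and address ranges are constructed for illustration; since a client can change its own MAC, the known range sorts devices rather than authenticating them.

```python
import re

def normalize_mac(raw):
    """Return a MAC as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_dhcpd_conf(inventory, subnet, netmask, known_range, unknown_range):
    """Build dhcpd.conf text from (name, mac) pairs and two address ranges."""
    seen, hosts = {}, []
    for name, raw in inventory:
        mac = normalize_mac(raw)
        if mac in seen:  # a duplicate usually means a stale inventory row
            raise ValueError(f"{mac} listed for both {seen[mac]} and {name}")
        seen[mac] = name
        # A host declaration is what makes a client "known" to dhcpd.
        hosts.append(f"host {name} {{ hardware ethernet {mac}; }}")
    pools = [
        f"subnet {subnet} netmask {netmask} {{",
        "  pool {  # company devices (declared as hosts below)",
        f"    range {known_range[0]} {known_range[1]};",
        "    allow known-clients;",
        "  }",
        "  pool {  # anything else; filter this range at the switch/firewall",
        f"    range {unknown_range[0]} {unknown_range[1]};",
        "    allow unknown-clients;",
        "  }",
        "}",
    ]
    return "\n".join(pools + [""] + hosts) + "\n"

# Constructed sample inventory, in the mixed formats such lists tend to have.
INVENTORY = [
    ("ws-001", "00-1A-2B-3C-4D-5E"),
    ("voip-017", "001a.2b3c.4d5f"),
    ("laptop-042", "00:1a:2b:3c:4d:60"),
]

def sample_conf():
    return build_dhcpd_conf(INVENTORY, "192.0.2.0", "255.255.255.0",
                            ("192.0.2.10", "192.0.2.149"),
                            ("192.0.2.200", "192.0.2.250"))

if __name__ == "__main__":
    print(sample_conf(), end="")
```

The generated file can be checked with `dhcpd -t -cf <file>` before the server is reloaded.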
