Cisco & Port-Security (not trying to hack it)

[Steve Thing]

Anyone know of a way to implement port-security for specific vendors on Cisco switches (2900s, 3750s, 4500s, etc)? Even though we tell our users over and over and over not to bring their wifi routers to work and plug them in, it still happens too frequently.

It's simple enough to hop on my core switch and look for certain vendor MACs, but I could be using that time improving my network instead. I'd rather try to find a way to issue a wildcard MAC filter, but I've yet to find anything useful without buying enterprise level equipment.

Thanx

[br0c07]

Why don't you just implement a maximum quantity of MAC address with port-security? This way, the port will shutdown (or ignore the new MAC address) when they plug a router or switch.

Code:

switchport port-security
switchport port-security max 1
switchport port-security violation shutdown (to shutdown the port in case of violation)
switchport port-security violation protect (ignore the new MAC address)
switchport port-security mac-address sticky (if you want to hard code the MAC address actually in use on the port)

I don't think it's possible to issue any kind of wildcard filter with port-security. You could do a VLAN-ACL blocking all the MAC addresses you don't want but it will be time consuming!! Restricting the number of MAC addresses with port-security as above is a lot easier.

HTH

[Steve Thing]

That's what I have been doing, but my bosses are tired of everyone complaining everytime they want to move a PC from one office to another. Personally, I could care less. Because of that, I've been told to remove port security and find a "better" solution.

Kinda hard to explain to a non-Tech savvy boss when he doesn't understand basic networking concepts.

I didn't think there was a way, but I figured I'd ask. The only thing I think I can do is purchase a Cisco CND server and setup some layer 2/3 monitoring. It's just expensive.

Thanx for your time none the less.

[lupin]

You should probably be asking this question at a Cisco forum, you will get better responses.

My partial answer to your problem would be to discipline any staff member you catch bringing in their own wifi router, however Im going to guess from what you have already said that there would be no support for that. The most basic thing you should have in place before you can properly secure any organisation is a clear and enforceable policy, without that you don't have much of a hope.

[Lincoln]

Lupin is correct on enforcing the security policy, or it's never going to work. Awhile ago I upgraded a building and the project manager wanted to implement port security. The building was ran by a "volunteer IT department", and of course they were not happy with the new changes at first.

After going live, I probably was receiving 10-20 err-disabled ports a day. This became frustrating not only to manually reset them (at the time I didn't know about the err-disable recovery feature lol), but also no one from the their department would report it.

We came up with a solution to set the timer to 5 minutes (which is the default anyways) to re-enable the port automatically if there was a violation. We also added a banner to the computer prompting the user that the port would automatically disable and contact the IT department if it had been tampered or plugged into another device. Within a day all the issues stopped, and there hasn't been a problem since.

Occasionally we get the request to add multiple MAC's to one port for floating PC's or printers but everyone is now happy with the solution. If you can get everyone on board, it will work fine.

[br0c07]

That's what I have been doing, but my bosses are tired of everyone complaining everytime they want to move a PC from one office to another.

In this case, do not use the "sticky" setting for the MAC address. Just set it up for a maximum address of one. This way you don't have a problem when the computer is moved and connected to another switchport but when they plug a router, it will only allow one MAC (the router) and not the computer.

You should probably be asking this question at a Cisco forum, you will get better responses.

I've been a passive member of this forum for a few months now, it feels good to be able to contribute in some ways. I don't feel like I am good enough with Backtrack to offer help just yet (especially compared to guys like you!) but cisco most definitely

[lupin]

I've been a passive member of this forum for a few months now, it feels good to be able to contribute in some ways. I don't feel like I am good enough with Backtrack to offer help just yet (especially compared to guys like you!) but cisco most definitely

I wasn't saying that your earlier response was bad, I was just saying that more Cisco experts probably hang around at Cisco forums as opposed to here, and that would increase the general response quality.

[br0c07]

I wasn't saying that your earlier response was bad, I was just saying that more Cisco experts probably hang around at Cisco forums as opposed to here, and that would increase the general response quality.

I agree and I didn't want to imply that you said my answer was bad, it didn't even cross my minds until now! I only meant to say I was happy to contribute as a "payback" for all the many helpful tips found reading posts from guys like you in this forum.

[lupin]

I agree and I didn't want to imply that you said my answer was bad, it didn't even cross my minds until now! I only meant to say I was happy to contribute as a "payback" for all the many helpful tips found reading posts from guys like you in this forum.

Didn't think so, but I was just making sure. The number of posts I make here as a moderator can result in me being a little abrupt sometimes, so I just wanted to make sure I wasn't coming off as ungrateful or anything. Myself (and the other Moderators and Admins Im sure) do appreciate it when people contribute here - it makes the forum a more useful resource for everyone.

[br0c07]

No worries, I have seen the number of "help me crack my neighbour wifi" posts you have to deal with every days so I don't blame you for being abrupt!

The way this forum is moderated is one of the think I like the most about it as it makes it a lot easier to find the right offensive security related information without having to trawl through useless posts.