Re: Blocking a MAC address at the router
- From: DigitalVinyl <DigitalVinyl@xxxxxxxxxxxx>
- Date: Tue, 29 Nov 2005 19:36:56 GMT
roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson) wrote:
>In article <jtqoo1djarvcqau1ubea18opckihr2m8dr@xxxxxxx>,
>DigitalVinyl <reader@xxxxxxxxxxxx> wrote:
>>Anybody have a simple method for blocking a MAC address or (less
>>effective) an IP address? We don't want to amend ACLs because laptops
>>can move from network to network.
>
>>Basically I'm looking for the simplest method for blocking
>>virus/worm/trojan/spyware infected PCs. We have a honeypot log that
>>tells us the IP address but it is time consuming to track the PC down,
>>both logically on the switches and then dispatching desktop support to
>>track down the person/laptop and fix them.
>
>>I'd prefer to block the MAC addresses at the three major routing nodes
>>and eliminate their ability to use the network. This would protect us
>>and force them to contact tech services. Our major routing nodes host
>>the routing interfaces on most of the networks. So if I can block the
>>MACs there it will work fairly well. We have too many switches (200+)
>>to do anything there.
>
>Some switches are able to get MAC security information via RADIUS.
>This is not exactly the same mechanism as the 802.1x that the other poster
>suggested -- this generally predates 802.1x.
>
>At the IP level, you could use 'shun' on the PIX you have mentioned
>in other postings. But as you point out, that doesn't work well if the
>IP address changes.
Actually these PCs attack internal networks as well as the Internet,
so we need protection at internal routing points as well.
>When the IP address changes, probably the PCs are DHCP'ing for an IP
>address. Your DHCP server could be managing a block table, since the
>DHCP server is given the MAC address.
Users moving laptops around between buildings will get different
addresses. Because of our size and layout there are at least 12 DHCP
servers. So blocking them on all would be administratively painful.
Also the DHCP are not within our full control, so that puts work onto
a different group. We're looking to keep the solution within the
network group and desktop support.
>If your routers have firewall support, you might be able to work something
>at the MAC level using NBAR.
No. The only thing I've come up with, which looks like a reasonable
solution, is mac-address-table static drops.
"To block all traffic to or from the configured MAC address in the
specified VLAN."
Router(config)# mac-address-table static mac_address vlan vlan_ID drop
There is a subset of equal rights VLANs that we could predict a laptop
would move to. We could set DROPs on a few vlans and cover most of the
networks on which a MAC might reappear. We could install these drops on
5 routers and cover most of our main location. I also like that these
are not INTERFACE context commands. So when you do a SHOW CONF all the
blocks would be displayed together. That makes it easy to audit. And
it only involves our routers and relies on no other technologies or
devices.
DiGiTAL_ViNYL (no email)
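As an added illustration (my own script, not the poster's), here is a small helper that turns a MAC in any common notation into the Cisco dotted form, emits the `mac-address-table static ... drop` line for each of a chosen set of VLANs, and parses a `show running-config` dump so the existing drops can be audited and only the missing VLANs are added. The VLAN list, the command syntax (as quoted in the post; newer IOS releases spell it `mac address-table`) and the config excerpt are assumptions constructed for the example.

```python
import re

def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return Cisco dotted form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def drop_commands(mac: str, vlans) -> list:
    """Global-config lines that drop frames to/from `mac` on each VLAN (syntax as in the post)."""
    cisco_mac = normalize_mac(mac)
    return [f"mac-address-table static {cisco_mac} vlan {v} drop" for v in vlans]

# Matches one static drop entry in a running-config dump.
DROP_RE = re.compile(
    r"^\s*mac-address-table static ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) vlan (\d+) drop\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def audit_drops(running_config: str) -> dict:
    """Map each dropped MAC (dotted, lowercase) to the set of VLANs it is blocked on."""
    result = {}
    for mac, vlan in DROP_RE.findall(running_config):
        result.setdefault(mac.lower(), set()).add(int(vlan))
    return result

def missing_drops(running_config: str, mac: str, vlans) -> list:
    """VLANs from `vlans` on which `mac` is not yet dropped according to the config."""
    present = audit_drops(running_config).get(normalize_mac(mac), set())
    return [v for v in vlans if v not in present]

# Constructed sample 'show running-config' excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
mac-address-table static 0011.2233.4455 vlan 10 drop
mac-address-table static 0011.2233.4455 vlan 20 drop
mac-address-table static aabb.ccdd.eeff vlan 10 drop
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
"""

# Assumed set of "equal rights" VLANs a roaming laptop is expected to land on.
QUARANTINE_VLANS = [10, 20, 30]

if __name__ == "__main__":
    infected = "00:11:22:33:44:55"  # constructed value, not a real host
    for line in drop_commands(infected, missing_drops(SAMPLE_CONFIG, infected, QUARANTINE_VLANS)):
        print(line)
```

Running it against the sample config prints only the VLAN 30 line, since VLANs 10 and 20 already carry the drop for that MAC.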