
Pros and Cons of MAC locking

3K views 11 replies 6 participants last post by  JohnWill 
#1 ·
Hi all...

I am planning to implement MAC learning and locking mechanism on all my switches (at least those that support it), as the problem of users arbitrarily plugging in their notebooks on the company's network is fast becoming a nightmare.

802.1x solution isn't an option right now for that would require some testing and configuration and the need is urgent.

One issue is, helpdesk informs me that they have to change machines within the building, within an average of 3-4 daily spread over different floors. That would make MAC locking a bit of a headache for them as they will have to re-enable learning and locking on a daily basis.

Any advice to overcome this nightmare!!??
 
#6 ·
You should be able to set up your DHCP server to give out addresses to only certain MAC addresses. I know people could still kind of get around this by changing their MAC address but that would probably cause duplicate IP addresses on the network if you assign a certain IP address to each MAC address.
 
#7 ·
Squashman's right... Setting up DHCP Reservations will cause the DHCP server to assign the same IP to each MAC address. And if you can narrow down the scope of the server to exactly how many (legal) machines you have on the network, then this would work great....
 
#8 ·
I'm with JohnWill. Set a policy. How is this different than people using the company phone to call their friends or family in Europe?

Sure, you can implement a technical solution to this, but you're wasting money and continuing to employ people who will be ticked off and looking to break policy wherever they can.
 
#9 ·
A proxy server would probably work as well but, an Acceptable Use Policy should be implemented on your network. Every company I have worked for in the past 5 years has made all their employees sign one.

When I worked for the school district, the teachers and students had to follow the same rules for acceptable internet and computer use. Nobody was exempt.
 
#11 ·
Policies are there but then haven't seen a place where an equal stress on controls isn't laid upon.

"Thou shalt not"... didn't work with the companions of Prophet Moses and they reneged on the covenant....who are we in this age? ;0)

John, people do make personal calls on the phone, but that doesn't make me kill my time trying to put them right, plugging devices into the network, bothers my scope of work.

So I just thought, I might be better off putting a control in place that would stop users at the first step.

Defining MAC on DHCP would be a cumbersome job as I have around 1500 users.

I was wondering... is MAC learning dynamic and flows across the ARP tables. I mean, let's say, I put one Switch with MAC learning/locking disabled, at the Service Lab where all the new computers get configured before being given to users. This lab will see all the new PCs and their MAC stored into this Switch's ARP table.

When this PC gets shifted to another room and another switch at the back end, wouldn't this switch see this PC, as a genuine one because it has already been legitimately put on the network somewhere else??
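
Added example, not part of the thread: post #11 calls defining MACs on DHCP cumbersome for around 1500 users, so the reservations suggested in #6 and #7 can be generated from an asset inventory rather than typed in. It assumes an ISC dhcpd server and a CSV with hostname, mac and ip columns (both assumptions; the thread names no DHCP product), and the sample rows are constructed.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory (hypothetical hosts and addresses), in the mixed
# MAC notations asset lists usually contain, plus three bad rows.
SAMPLE_INVENTORY = """hostname,mac,ip
pc-0001,00-1A-2B-3C-4D-5E,10.10.1.21
pc-0002,001a.2b3c.4d5f,10.10.1.22
pc-0003,00:1a:2b:3c:4d:5e,10.10.1.23
pc-0004,00:1A:2B:3C:4D,10.10.1.24
pc-0005,00:1a:2b:3c:4d:60,10.10.1.22
"""

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_reservations(inventory_csv):
    """Return (dhcpd host declarations, rejected rows); each MAC and IP is reserved once."""
    seen_macs, seen_ips, hosts, rejected = {}, {}, [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["hostname"].strip()
        mac = normalize_mac(row["mac"])
        try:
            ip = str(ipaddress.IPv4Address(row["ip"].strip()))
        except ValueError:
            ip = None
        if mac is None or ip is None:
            rejected.append((name, "malformed MAC or IP"))
        elif mac in seen_macs:  # same NIC listed twice, or a copy/paste error
            rejected.append((name, f"MAC already reserved for {seen_macs[mac]}"))
        elif ip in seen_ips:  # two reservations would hand out the same address
            rejected.append((name, f"IP already reserved for {seen_ips[ip]}"))
        else:
            seen_macs[mac] = seen_ips[ip] = name
            hosts.append(f"host {name} {{\n  hardware ethernet {mac};\n"
                         f"  fixed-address {ip};\n}}")
    return "\n".join(hosts) + "\n", rejected

if __name__ == "__main__":
    config, rejected = build_reservations(SAMPLE_INVENTORY)
    print(config)
    for name, reason in rejected:
        print(f"# rejected {name}: {reason}")
```

The rejected list is worth reviewing before the file is loaded, since each entry is an inventory error that would otherwise become a missing or conflicting reservation.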
 