
My company wanted to prevent rogue PCs from being connected to our network as our server room was shared between us and our clients in one of our sites. Network access was allowed only for our company users and specifically for PCs that are provided by the company.

802.1x was not an option because we were not able to implement a RADIUS server in that site. Port security was also not an option, as our users had to move between different offices from time to time.

I have suggested that a MAC ACL be implemented on our access switches, as we know the MAC addresses of our PCs that are allowed on our network.

The thing is, I have tested this MAC address ACL on the switch that I am connected to, to allow only my PC and IP phone on that port.

When I connected a different laptop (considered a rogue PC) to the same port, it was able to get an IP from our DHCP server, which we also want to prevent.

My configuration was:

STA6-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
STA6-2(config)#mac access-list extended TEST
STA6-2(config-ext-macl)#permit host a048.1c8f.22df any
STA6-2(config-ext-macl)#permit host 2C3E.CF7B.A2B9 any
STA6-2(config-ext-macl)#exit
STA6-2(config)#exit

STA6-2(config)#interface fa
STA6-2(config)#interface fastEthernet 0/19
STA6-2(config-if)#ma
STA6-2(config-if)#mac
STA6-2(config-if)#mac acc
STA6-2(config-if)#mac access-group TEST in

STA6-2#show access-lists
Extended MAC access list TEST
    permit host a048.1c8f.22df any (2 matches)
    permit host 2c3e.cf7b.a2b9 any

Kindly give me your feedback on the same and on how to implement a proper MAC ACL to allow only specific MAC addresses to have any communication with any resource on our network.

  • The idea is sound, and likely to be helpful against "accidental" and "just having a look" connections; it is weak against a determined attack. Locked racks will help. In the end, network security is conditional on physical security. Re: implementation, could you show connectivity of PCs, switches, routers. – jonathanjo Oct 31 '17 at 09:06
  • You can look at [this question](https://networkengineering.stackexchange.com/q/22247/8499) and answers. It really is very simple to clone a MAC address. – Ron Maupin Oct 31 '17 at 13:33
  • The other question is the hardware in use. Where and how support for MAC ACLs is implemented varies wildly, not only by vendor but by platform within vendors. There are also potentially multiple ways in which this can be handled (ex: in the Cisco world, PACL vs VACL). – rnxrx Oct 31 '17 at 18:25
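Two practical points follow from the question and the comments above. First, on several Catalyst platforms a MAC port ACL applied with `mac access-group ... in` is evaluated only for non-IP frames, which is consistent with the rogue laptop still obtaining a DHCP lease (DHCP is IP traffic). Second, as the comments note, MAC addresses are trivially cloned, so an allowlist is better treated as a detective control than a preventive one: periodically compare what the switches have actually learned against the list of company PCs and alert on anything else. The script below is an added example, not code from the question or from Cisco. It normalizes MAC notations (the ACL above mixes `a048.1c8f.22df` with `2C3E.CF7B.A2B9`, and the switch lowercases both), parses a constructed sample of `show mac address-table dynamic` output, and reports learned addresses that are not on the allowlist. The rogue address `0011.2233.4455` and the second port are made up for the sample.

```python
import re

# Constructed allowlist: the two MACs from the question's ACL, deliberately
# written in different notations to show that comparison must normalize first.
ALLOWED_MACS = {"a048.1c8f.22df", "2C:3E:CF:7B:A2:B9"}


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits.

    Accepts Cisco dotted (aaaa.bbbb.cccc), colon- and hyphen-separated forms.
    Raises ValueError for anything that is not a 48-bit address.
    """
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Constructed sample of 'show mac address-table dynamic' output from a
# Catalyst switch. The third row on Fa0/19 and the device on Fa0/21 are
# made-up addresses standing in for unlisted machines.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    a048.1c8f.22df    DYNAMIC     Fa0/19
  10    2c3e.cf7b.a2b9    DYNAMIC     Fa0/19
  10    0011.2233.4455    DYNAMIC     Fa0/19
  10    0800.27ab.cdef    DYNAMIC     Fa0/21
Total Mac Addresses for this criterion: 4
"""

# One learned-address row: VLAN, dotted MAC, entry type, port.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$"
)


def parse_mac_table(text: str):
    """Yield (vlan, normalized_mac, port) for each learned-address row,
    skipping the banner, column headers and the trailing total line."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield int(m["vlan"]), normalize_mac(m["mac"]), m["port"]


def find_unexpected(text: str, allowed):
    """Return sorted (port, vlan, mac) tuples for learned MACs that are not
    on the allowlist; an empty list means every learned address is known."""
    allowed_norm = {normalize_mac(a) for a in allowed}
    return sorted(
        (port, vlan, mac)
        for vlan, mac, port in parse_mac_table(text)
        if mac not in allowed_norm
    )


if __name__ == "__main__":
    # Feed real output in via stdin or a collector; here the sample is used.
    for port, vlan, mac in find_unexpected(SAMPLE_MAC_TABLE, ALLOWED_MACS):
        print(f"ALERT {port} vlan {vlan}: unlisted MAC {mac}")
```

Run against output collected from each access switch, this turns the allowlist into an audit trail: an unlisted address on a user port is worth a ticket, and the same listed address appearing on two ports at once is a useful hint that it has been cloned. It does not stop a connection, so pair it with the physical controls the first comment mentions.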
