Port security MAC Sticky Whitelist

Banfield75
Getting noticed

Port security MAC Sticky Whitelist

Hi 

 

I'm working with a small customer and we are looking for simple switch port protection.

We don't have any layer 1 connection to the ports that aren't used in the building.

But we would like to have simple MAC port protection against changing of devices.

 

The Sticky MAC function seems interesting.

You can apply the feature per port, set an allowed value and let the system monitor for a couple of days.

Check the MAC addresses connected to the port.

Change the allowed value and give a name to the devices connected to the port.

 

Anyone who can share experiences? Good or bad...

How does it work with a hub?

 

Best regards, Daniel

2 Replies
KarstenI
Kind of a big deal

As always, it depends. For a baseline security to make sure only the intended good-natured device will connect to that port, it will be ok. But if you have someone with bad intent on that port, he will directly change his MAC address to one of the allowed ones and go through.

If you need a higher degree of security, 802.1X is the solution. But this is not implemented as easily as sticky MACs are.

 

And hubs? You mean the devices that were sold in the previous millennium? Well, hopefully you don't have any of these in your network any more. But just theoretically, all devices on the hub would be visible on the switch port and only the allowed ones can communicate.
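To make the behaviour described in the two posts above concrete, here is an added example that is not code from this thread, from Meraki or from Cisco: a small Python model of a port with a sticky MAC allow list, walked through Daniel's monitor-then-lock procedure and then tested against the three cases discussed (a new device, a device that has cloned an allowed MAC, and a hub with an extra device behind it). Assumed: the MAC addresses and device names are constructed, and a violation only drops the offending frame (a real switch may instead disable the whole port, depending on its violation mode); the learning logic is a generic model, not any vendor's exact implementation.

```python
"""Simplified model of a switch port running a sticky MAC allow list.

Added example for this thread; it is not code from the Meraki community
post, nor from Cisco/Meraki firmware. The learning and violation logic is a
generic model (assumption), not any vendor's exact implementation.
"""
from dataclasses import dataclass, field


@dataclass
class StickyPort:
    max_allowed: int                    # the "allowed value": how many MACs may be learned
    learning: bool = True               # monitoring phase: unknown MACs are learned, not blocked
    allow_list: dict = field(default_factory=dict)   # mac -> device name
    violations: list = field(default_factory=list)   # MACs that were blocked

    def lock(self, names=None):
        """End the monitoring phase, freezing the learned list and naming the devices."""
        self.learning = False
        for mac, name in (names or {}).items():
            if mac.lower() in self.allow_list:
                self.allow_list[mac.lower()] = name

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded, False if dropped.

        Assumption: a violation only drops the offending frame. A real switch
        may instead err-disable the whole port, depending on its violation mode.
        """
        src_mac = src_mac.lower()
        if src_mac in self.allow_list:            # the port trusts the address, nothing more
            return True
        if self.learning and len(self.allow_list) < self.max_allowed:
            self.allow_list[src_mac] = "unnamed"  # sticky: the learned address is kept
            return True
        self.violations.append(src_mac)
        return False


def run_scenario():
    """Walk through monitor-then-lock on one port, then try the cases from the thread."""
    port = StickyPort(max_allowed=2)

    # Monitoring phase: the two legitimate devices (constructed MACs) use the port.
    port.ingress("00:11:22:33:44:55")   # printer
    port.ingress("00:11:22:33:44:66")   # reception PC

    # Operator reviews what was learned and names the devices.
    port.lock({"00:11:22:33:44:55": "printer", "00:11:22:33:44:66": "reception-pc"})

    results = {}
    # Case 1: a different device plugged into the port is blocked.
    results["new_device"] = port.ingress("de:ad:be:ef:00:01")
    # Case 2: the same device after cloning the printer's MAC is forwarded;
    # the port has no way to tell the clone from the real printer.
    results["spoofed"] = port.ingress("00:11:22:33:44:55")
    # Case 3: a hub in front of the port: the allowed PC still works, an extra
    # device behind the hub is seen by the port and blocked.
    results["hub"] = [port.ingress(m) for m in ("00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff")]
    results["violations"] = list(port.violations)
    results["allow_list"] = dict(port.allow_list)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The "spoofed" case is the whole point of the reply above: once the allow list is locked, the port checks nothing but the source address, so cloning an allowed MAC (a one-line change on most operating systems) is forwarded exactly like the real device. The "hub" case shows what the monitoring phase would pick up if a hub sits on the port: every device behind it is visible to the port, and anything beyond the allowed count is a violation.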

PhilipDAth
Kind of a big deal

Another strong option is to use 802.1x. You wouldn't want hubs in your network if you want security, but you would always disable 802.1x for a port going to a hub (so there is no protection).

 

You can then authenticate a machine against AD, or even use Meraki Authentication if they are small.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

 

 

802.1x is the "gold" standard.
