Meraki

Community

Port security MAC Sticky Whitelist

Banfield75
Getting noticed
‎Aug 25 2021 4:02 AM
‎Aug 25 2021 4:02 AM

Port security MAC Sticky Whitelist

Hi 

 

I´m working with a small customer and we are looking to a simple switch port protection.

We don´t have any layer 1 connection to the ports that isn’t used in the building. 

But we would like to have a simple MAC port protection against changing of device.

 

The function Sticky MAC seem interested.

You can apply the feature per port, put a allow value and let the and system monitor for a couple days.

Check the mac addresses connected to the port.

Change allowed value and give a name on the devices connected to the port.

 

Anyone who can share experiences. Good or bad…

How does it work with a hub?

 

Best Regard Daniel

0 Kudos
2 Replies 2
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 25 2021 4:53 AM
‎Aug 25 2021 4:53 AM

As always, it depends. For a baseline security to make sure only the intended good-natured device will connect to that port, it will be ok. But if you have someone with bad intent on that port, he will directly change his MAC-address to one of the allowed ones and goes through.

If you need a higher degree of security, 802.1X is the solution. But this is not implemented as easy as sticky MACs are.

 

And hubs? You mean the devices that were sold in the previous millennium? Well, hopefully you don't have any of these in your network any more. But just theoretically, all devices on the hub would be visible on the switch port and only the allowed ones can communicate.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 25 2021 6:11 PM
‎Aug 25 2021 6:11 PM

Another strong option is to use 802.1x.  You wouldn't want hubs in your network if you want security, but you would always disable 802.1x for a port going to a hub (so there is no protection).

 

You can then authenticate a machine against AD, or even use Meraki Authentication if they are small.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X) 

 

 

802.1x is the "gold" standard.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.