Prevent my switch from giving out ip adresses to external devices

ropefly · Aug 17, 2016

hi again

First of all I'm a rookie regarding networking so sorry in advance for asking dumb questions.

My situation:

Configuring a manageable switch (Zyxel gs1900-24) for a student club room with a radius server (each student will have a individual login) and each room will have access to the internet through an ethernet cable.
If a student tries to bring a router/switch/AP/whatever from home and plugs it in with the ethernet cable it's only a matter of time before the network gets exhausted.
I want my switch to not give out ip addresses to external devices plugged in by students only to their laptop/desktop.
We're also using a pfsense attached to the switch

Limiting each port to one mac address isn't a solution I guess.

ps: I have no access to the radius server, it's being configured by a third party.

Thanks in advance !

basroil · Aug 17, 2016

That's not how it works, the switch doesn't do that. What you need to do is simply ask your third party to properly configure their router

bill001g · Aug 17, 2016

If the switch has a feature called 802.1x you can actually use the radius server to accomplish this. It is mostly used to authenticate the machines being plugged in but it also only allows a single mac per port. It generally prevents a router from being inserted because all the route manufactures know that it would defeat 802.1x and do not support it. There is a even more advanced form of 802.1x used with radius servers that require certificates to be installed on machines which is used to prevent even hacked routers from working.

It does require a special configuration on the end PC so it prompts for a userid/password when the ethnert port is activated.

ropefly · Aug 18, 2016

bill001g :

It seems out radius server doesn't have the 802.1X feature, is there any other solution ?

bill001g · Aug 18, 2016

Maybe they just don't have the feature turned on, I have yet to see a radius server that does not support 802.1x. Now some are a little hard to configure if you use things like dynamic vlan support.

It will depend what else your switch can do. What you can do on most cisco and hp switches is to only allow a single mac address. It will only accept the first mac it see. You can configure it completely block the port even to the original mac if a different mac is received. This can be configure to clear after a period of time or stay blocked until you manually set it. There are other options that just ignore other mac traffic but allow the first mac to continue.

As you mention first mac lock trick does not prevent a router from being attached. It does prevent a switch and would solve running out of IP in dhcp pool but it does not solve the increase in traffic problem. I suppose you could try to use QoS policing policies to limit the traffic rates on the edge ports but that is going to be tricky to get a good number that prevent sharing but is not so low it makes using the connection by 1 person hard.

TheKingHK · Aug 18, 2016

Couldn't something like BPDU guard be used to prevent additional switches from being connected?

bill001g · Aug 18, 2016

TheKingHK :

Most cheap consumer switches do not send out BPDU which is why you can easily loop them.

TheKingHK · Aug 18, 2016

bill001g :

Oh. I didn't know that. For some reason I assumed that every switch used spanning-tree.

bill001g · Aug 18, 2016

Luckily it is getting more common to see some basic functions like spanning tree on the smaller unmanaged devices but if you buy the no name brand they are extremely basic.

ropefly · Aug 19, 2016

bill001g :

Would it be possible to achieve my goal with pfsense ? I kinda forgot to mention we're using pfsense as well

bill001g · Aug 19, 2016

PFsense can run a radius server if that is what you mean. Otherwise pfsense just sees a bunch of mac addresses coming in on whatever port it is connected to. It really doesn't know what port they came from only the switch does. It also has no ability to see any traffic that just goes between 2 ports on the switch.

You would have to do crazy configuration like define every port on its own vlan and then use a trunk port on the pfsense. It still would not prevent someone from hooking up a router since that would only appear as a single mac address.

Search

Prevent my switch from giving out ip adresses to external devices

ropefly

Distinguished

bill001g

basroil

Glorious

bill001g

Titan

ropefly

Distinguished

bill001g

Titan

TheKingHK

Honorable

bill001g

Titan

TheKingHK

Honorable

bill001g

Titan

ropefly

Distinguished

bill001g

Titan

TRENDING THREADS

Latest posts

Moderators online

Share this page