CLEANACCESS Archives

October 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"King, Michael" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Thu, 4 Oct 2007 09:20:11 -0400
So, Yes.  You need the feature.  :-)

I would roll with a 5 minute timer.  They'll never get more than 4
simultaneous devices going, and that's what you state you're trying to
prevent.  It's not elegant, but neither is trying to keep tabs of every
MAC they have.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Greg Fuller
Sent: Thursday, October 04, 2007 8:54 AM
To: [log in to unmask]
Subject: Re: Edge Switch Interface Configs - Aging?

We charge a per network device connection fee for each device a student
wants to connect.  One charge is added by default to each reshall
student's bill, then they have to pay after that.  I picked 4 MACs as a
starting point as students rarely have more than a computer and an xbox.

In our previous registration system we were using VMPS on all
switchports, which only allows 25 MAC addresses on a port before it
err-disables the port.  That saved us a bunch of times for those clients'
NICs that went bad or something running on their machine that would
generate MAC address floods to the network.  After seeing 25 MACs on a
port it would err-disable the port and the student would have to call the
HelpDesk, and we would fix their computer (or tell them to buy a new NIC)
if we saw the port was err-disabled because of a VMPS error.

We've also had problems in the past with students configuring a static IP
on their machine.  Just yesterday we had a call to the HelpDesk where
someone was setting a static IP on their machine because they thought it
would speed up their music/movie/etc downloads.  Several people on this
person's floor did the same thing.  IP Source Guard on the switch caught
it and blocked traffic from that MAC address.  IPSG needs to be used in
combination with DHCP Snooping so there is a MAC<->IP binding table that
IPSG uses to determine if you're using a static IP.

--greg



On Wed, 3 Oct 2007 16:19:55 -0400, King, Michael <[log in to unmask]>
wrote:

>I guess my question is:
>
>What is the value of port-security in a residence hall environment?
>Does your local policy prevent students from having more than 4
>computers in a single room? 
>
>It's my understanding of Port-security that it only allows X number of
>MACs to be allowed on a port.
>
>You might not need the feature that is causing you the problem.
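
An added illustration, not part of the original messages and not Cisco's implementation: a simplified Python model of the two controls discussed in this thread, a 4-MAC port-security limit with a 5 minute inactivity aging timer, and IP Source Guard checking frames against the DHCP snooping MAC<->IP binding table. The class and function names, MAC addresses and IP addresses are constructed for the example.

```python
# Simplified model (assumption: violations are modelled as a drop; a real
# switch may instead err-disable the port, depending on the violation mode).
from dataclasses import dataclass, field

MAX_MACS = 4          # per-port MAC limit mentioned in the thread
AGING_SECS = 5 * 60   # 5 minute inactivity timer suggested in the thread


@dataclass
class Port:
    secure: dict = field(default_factory=dict)    # MAC -> last-seen time
    bindings: dict = field(default_factory=dict)  # MAC -> IP leased via DHCP

    def dhcp_ack(self, mac, ip):
        """DHCP snooping records the lease the server handed to this MAC."""
        self.bindings[mac] = ip

    def frame(self, now, mac, src_ip):
        """Return the verdict for one IP frame arriving on the port."""
        # Age out MACs that have been silent for the full timer.
        self.secure = {m: t for m, t in self.secure.items()
                       if now - t < AGING_SECS}
        if mac not in self.secure and len(self.secure) >= MAX_MACS:
            return "drop: port-security limit"
        self.secure[mac] = now
        # IPSG: the source IP must match the snooped lease for this MAC,
        # so a hand-configured static address has no matching binding.
        if self.bindings.get(mac) != src_ip:
            return "drop: IPSG no binding"
        return "forward"


def demo():
    """Constructed scenario using documentation-range MACs and IPs."""
    port, verdicts = Port(), []
    for i in range(4):                      # four devices lease and talk
        mac, ip = f"00:00:5e:00:53:0{i}", f"192.0.2.{10 + i}"
        port.dhcp_ack(mac, ip)
        verdicts.append(port.frame(0, mac, ip))
    fifth = "00:00:5e:00:53:04"
    port.dhcp_ack(fifth, "192.0.2.14")
    verdicts.append(port.frame(60, fifth, "192.0.2.14"))   # 5th at once
    verdicts.append(port.frame(100, "00:00:5e:00:53:00", "192.0.2.99"))  # static IP
    verdicts.append(port.frame(301, fifth, "192.0.2.14"))  # others aged out
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth device is refused only while four others are still active; once the idle entries age out after five minutes it is learned without anyone having to track individual MACs.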
