Slashdot Mirror


How Do You Handle Ethernet Port Management?

MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."

5 of 133 comments

  1. What about 802.1x security ? by CineK · · Score: 3, Interesting

    This way you could tie particular users to their VLANs, not the machines to the ports, which can be quite annoying when a user wants to change his/her desk.

    802.1x should be combined with some decent endpoint security solution
    (see recent Gartner reports on this)

    HTH

    Marcin

    --
    -- echo '[q]sa[ln0=aln256%Pln256/snlbx]sb31350717901017685 42287578439snlbxq'|dc
    1. Re:What about 802.1x security ? by maxhead · · Score: 3, Interesting

      Actually, you do not necessarily have to replace the access layer switches to enjoy dot1x. Placing a dot1x-capable switch upstream that supports multiple logins on a single port can be an intermediate step and bring most of the benefits.

      In general, I advise customers to lock down every port in their network with 802.1x and to provision guest VLANs that are GRE-tunneled to a switch in the DMZ. This segregates all the guest traffic from corp traffic at L2 so the only way for a guest to access local corp servers is via the internet and back through the corp firewall rules.

  2. RADIUS by Lehk228 · · Score: 3, Interesting

    I would suggest using a RADIUS login to manage user access.

    Since RADIUS was originally designed for ISPs managing users, it is good at dealing with hostile clients and other riffraff, as long as you are on a switched network.

    --
    Snowden and Manning are heroes.
  3. Netdisco by arnie_apesacrappin · · Score: 4, Interesting
    As far as port management goes, you may want to look at Netdisco. If I recall correctly, UC Santa Cruz was using it to manage about 20K ports. It's open source, so you should be able to customize it for your environment. I haven't run it personally, but the demo looks impressive.

    When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?

    As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.

    --

    Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
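The "homegrown scripting and/or SNMP" approach the question asks about, and the port inventory a tool like Netdisco builds, both come down to walking BRIDGE-MIB and IF-MIB on each switch. The following is an added example (not code from any poster, nor from Netdisco): it parses constructed sample output in the shape of `snmpwalk -On`, joins the forwarding table (dot1dTpFdbPort) to bridge ports (dot1dBasePortIfIndex) and then to interface names (ifDescr), and flags access ports carrying more than one learned MAC, which is the usual sign of an unmanaged switch or hub hanging off a single drop. The OIDs are the standard ones; the switch names, MACs and the uplink list are assumptions for the sample.

```python
import re
from collections import defaultdict

# Standard OIDs: BRIDGE-MIB (RFC 4188) and IF-MIB (RFC 2863).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # index: MAC as 6 decimal octets -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # index: bridge port -> ifIndex
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                    # index: ifIndex -> interface name

# Constructed sample, in the shape of `snmpwalk -On -v2c -c <community> <switch>` output.
# Fa0/2 has three MACs behind it (a hub or unmanaged switch); Gi0/1 is the uplink.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.10001 = STRING: FastEthernet0/1
.1.3.6.1.2.1.2.2.1.2.10002 = STRING: FastEthernet0/2
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: FastEthernet0/3
.1.3.6.1.2.1.2.2.1.2.10024 = STRING: GigabitEthernet0/1
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10002
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.87 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.88 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.89 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.90 = INTEGER: 24
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>\w+): (?P<val>.*)$")


def parse_walk(text):
    """Return {numeric OID without leading dot: value string} for every parsable line."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("oid")] = m.group("val").strip('"')
    return out


def suffix(oid, prefix):
    """Index part of `oid` under `prefix`, or None if `oid` is not under it."""
    if oid.startswith(prefix + "."):
        return oid[len(prefix) + 1:]
    return None


def fdb_by_interface(walk):
    """Map interface name -> sorted list of MACs learned on it (ports with no MACs are omitted)."""
    ifdescr = {}                    # ifIndex -> interface name
    port_if = {}                    # bridge port -> ifIndex
    port_macs = defaultdict(set)    # bridge port -> {mac}
    for oid, val in walk.items():
        idx = suffix(oid, IF_DESCR)
        if idx is not None:
            ifdescr[idx] = val
            continue
        idx = suffix(oid, DOT1D_BASE_PORT_IFINDEX)
        if idx is not None:
            port_if[idx] = val
            continue
        idx = suffix(oid, DOT1D_TP_FDB_PORT)
        if idx is not None:
            octets = idx.split(".")
            if len(octets) != 6:
                continue            # malformed index; ignore rather than crash the run
            mac = ":".join("%02x" % int(o) for o in octets)
            port_macs[val].add(mac)
    table = {}
    for port, macs in port_macs.items():
        name = ifdescr.get(port_if.get(port, ""), "bridge-port-%s" % port)
        table[name] = sorted(macs)
    return table


def suspicious_ports(table, uplinks=(), limit=1):
    """Access ports with more than `limit` learned MACs. Uplinks (assumed list) legitimately
    carry many MACs and are excluded; what is left is a hub, an unmanaged switch or a VM host."""
    return sorted(p for p, macs in table.items() if p not in uplinks and len(macs) > limit)


if __name__ == "__main__":
    table = fdb_by_interface(parse_walk(SAMPLE_WALK))
    for port, macs in sorted(table.items()):
        print("%-20s %s" % (port, ", ".join(macs)))
    print("suspicious:", suspicious_ports(table, uplinks=("GigabitEthernet0/1",)))
```

One caveat for Cisco gear: BRIDGE-MIB is instantiated per VLAN, so the forwarding table has to be walked once per VLAN using community string indexing (`community@vlan`) or the equivalent SNMPv3 context; a single walk only shows VLAN 1. Run nightly across 700 sites, the multi-MAC report and a diff of MAC-to-port assignments against the previous run is most of what a commercial port manager gives you.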

  4. Poorly by Sycraft-fu · · Score: 3, Interesting

    Well, that's the truth for our organization. You don't want to know how we do it. What you should look at for that scale is probably dynamic VLANs. Cisco has good solutions, I'm sure you can find vendor neutral ones as well, but I'm the kind of guy who will push a Cisco solution in general. At any rate the basic idea is that when something gets connected its MAC is checked and then a VLAN is assigned to the port based on it. So no matter where a computer is connected, it's in the same area, network- and security-wise. This also means that unauthorized computers can be put in a nothing VLAN with no access.

    It's not a magic bullet security wise, but it really makes management easy. You want all your engineers in a given VLAN, just assign their MACs to it. Then if one goes to a new office and nobody tells you, it doesn't matter; the hardware takes care of it for you.
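Both the 802.1X suggestion in comment 1 (tie the user to a VLAN, not the machine to the port) and the MAC-based dynamic VLAN in comment 4 end up as the same thing on the wire: the RADIUS server's Access-Accept carries the RFC 3580 tunnel attributes naming the VLAN, and the switch moves the port. The following is an added example, not code from any poster: a small authorization policy that handles 802.1X users and MAC-authenticated devices, normalizes the MAC formats different switches and OSes emit, drops anything unknown into a quarantine VLAN instead of silently granting access, and returns the attributes a RADIUS server would send. The group, user and device tables are constructed assumptions.

```python
import re

# Assumed site policy (constructed for this example): group -> VLAN id.
GROUP_VLAN = {"engineering": 110, "finance": 120, "printers": 200}
QUARANTINE_VLAN = 999   # remediation only: no route to corp servers

# Constructed sample directory data.
USER_GROUP = {"alice": "engineering", "bob": "finance"}          # 802.1X identities
DEVICE_GROUP = {                                                  # MAC-authenticated devices
    "00:11:22:33:44:55": "engineering",
    "00:11:22:33:44:56": "printers",
}

# RFC 3580 attribute values for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw):
    """Accept aabb.ccdd.eeff (Cisco), AA-BB-CC-DD-EE-FF (Windows), aa:bb:cc:dd:ee:ff and bare hex;
    return lower-case colon form, or raise ValueError so a bad input never matches a registry entry."""
    digits = _NON_HEX.sub("", raw.strip().lower())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_for(identity, kind):
    """Decide the VLAN. kind is 'user' (802.1X, identity = username) or 'mac' (identity = MAC).
    Unknown identities fall through to QUARANTINE_VLAN rather than to a default 'open' VLAN."""
    if kind == "user":
        group = USER_GROUP.get(identity)
    elif kind == "mac":
        group = DEVICE_GROUP.get(normalize_mac(identity))
    else:
        raise ValueError("unknown authentication kind: %r" % kind)
    return GROUP_VLAN.get(group, QUARANTINE_VLAN)


def radius_vlan_attributes(vlan):
    """Attributes carried in Access-Accept to put the authenticated port into `vlan` (RFC 3580)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authorize(identity, kind):
    """Full decision: VLAN, whether it is the quarantine VLAN, and the RADIUS reply attributes."""
    vlan = vlan_for(identity, kind)
    return {
        "vlan": vlan,
        "quarantined": vlan == QUARANTINE_VLAN,
        "attributes": radius_vlan_attributes(vlan),
    }


if __name__ == "__main__":
    for ident, kind in [("alice", "user"), ("0011.2233.4455", "mac"),
                        ("00-11-22-33-44-56", "mac"), ("00:de:ad:be:ef:00", "mac"), ("mallory", "user")]:
        print(ident, kind, authorize(ident, kind))
```

The quarantine default is the part worth copying: a policy whose fallback is a working VLAN turns every typo in the device registry into an access grant. Note that a MAC lookup is only as strong as the MAC, which any host can set; it is a management convenience for printers and the like, not an authentication of the user the way the 802.1X path is.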