Posted by anoop on November 20, 2007, 1:53 pm
On Nov 19, 11:05 pm, rober...@hushmail.com (Walter Roberson) wrote:
Walter,
Thanks for the response.
> Right. What I used to do was SNMP monitor the switch forwarding
> tables; the "movement" would be noticed in the MAC to port database
> the next time the summarization was run. I had a list of "expected"
> MACs per non-trunk port, and any MAC showing up where it wasn't
> expected in the summarization was immediately emailed to me. The
> database knew which port was allocated to which room, and which
> MAC belonged to which computer, and I had information about which
> computer belonged to which person, so when there was a movement
> reported, I would look to see whether the movement was
> "reasonable" (e.g., the person moved to the other jack in the
> same room, or moved one of the lab devices to another lab).
> Previously unregistered MACs or unexpected movements were
> questioned.
How often was the summarization run?
> The hard part in all of this was not in developing the software
> or the initial databases, which merely took time and some
> creativity to figure out the varieties of lies different switch
> models were prone to: The hard part in all of this was getting
> the various group sub-administrators to tell me when new computers
> were added. Try to get them to periodically send a list of new
> IPs, hostnames, owners and MACs... the most basic of information
> for network maintenance, but even going to their boss's boss usually
> didn't have much effect :( I tell ya, MAC-level lock-downs on
> the switches were considered more than once!
Correct me if I'm wrong, but MAC-level lockdown pretty much
works like an ACL, so you would have to know the MAC address
of every single device in your network. And how would something
like that work in a mobile environment - person with laptop moves
from cafeteria to conference room to desk?
Anoop
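An added example, not code from anyone in this thread, of the comparison Walter describes: take a snapshot of a switch's MAC-to-port table, compare it against a list of expected MACs per non-trunk port, and flag previously unregistered MACs and unexpected moves, classifying a move to another jack in the same room as less interesting. The port names, rooms, MACs and owners below are constructed inventory data; a real run would fill the snapshot from an SNMP walk of the switch's forwarding table (BRIDGE-MIB dot1dTpFdbTable) instead of the inline list.

```python
"""Flag MAC movement on access-switch ports against an expected inventory.

Added example for the thread above; all inventory and snapshot data here is
constructed. In production the snapshot would come from an SNMP poll of
the switch forwarding table (BRIDGE-MIB dot1dTpFdbTable) run on a schedule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: which port is in which room, which ports are
# trunks/uplinks (they carry every MAC behind them, so they are not tracked),
# which MACs are expected on which non-trunk port, and who owns each MAC.
PORT_ROOM: Dict[str, str] = {
    "Gi1/0/1": "B201",
    "Gi1/0/2": "B201",
    "Gi1/0/3": "B202",
    "Gi1/0/24": "uplink",
}
TRUNK_PORTS: Set[str] = {"Gi1/0/24"}
EXPECTED: Dict[str, Set[str]] = {
    "Gi1/0/1": {"00:11:22:33:44:01"},
    "Gi1/0/2": {"00:11:22:33:44:02"},
    "Gi1/0/3": {"00:11:22:33:44:03"},
}
MAC_OWNER: Dict[str, str] = {
    "00:11:22:33:44:01": "alice-pc",
    "00:11:22:33:44:02": "bob-laptop",
    "00:11:22:33:44:03": "lab-scope-1",
}

# Constructed forwarding-table snapshot: (mac, port) pairs as a poll would return.
SNAPSHOT: List[Tuple[str, str]] = [
    ("00:11:22:33:44:01", "Gi1/0/1"),  # where it belongs
    ("00:11:22:33:44:02", "Gi1/0/1"),  # other jack in the same room
    ("00:11:22:33:44:03", "Gi1/0/2"),  # lab device showed up in another room
    ("00:11:22:33:44:99", "Gi1/0/3"),  # never registered
    ("AA:BB:CC:DD:EE:FF", "Gi1/0/24"), # seen on the uplink; ignored
]


@dataclass(frozen=True)
class Finding:
    kind: str                   # "unregistered", "moved_same_room" or "moved"
    mac: str
    port: str                   # port the MAC was seen on
    expected_port: Optional[str]
    owner: Optional[str]


def expected_port_of(mac: str, expected: Dict[str, Set[str]]) -> Optional[str]:
    """Return the port a MAC is registered to, or None if it is unknown."""
    for port, macs in expected.items():
        if mac in macs:
            return port
    return None


def find_anomalies(snapshot: List[Tuple[str, str]],
                   expected: Dict[str, Set[str]] = EXPECTED,
                   trunks: Set[str] = TRUNK_PORTS,
                   rooms: Dict[str, str] = PORT_ROOM,
                   owners: Dict[str, str] = MAC_OWNER) -> List[Finding]:
    """Compare one forwarding-table snapshot against the expected inventory."""
    findings: List[Finding] = []
    for raw_mac, port in snapshot:
        mac = raw_mac.lower()            # switches differ in case; normalise
        if port in trunks:
            continue                      # trunk ports are not tracked per MAC
        home = expected_port_of(mac, expected)
        if home is None:
            findings.append(Finding("unregistered", mac, port, None, None))
        elif home != port:
            same_room = rooms.get(home) == rooms.get(port)
            kind = "moved_same_room" if same_room else "moved"
            findings.append(Finding(kind, mac, port, home, owners.get(mac)))
    return findings


def format_report(findings: List[Finding]) -> List[str]:
    """One line per finding, in the shape you would drop into a mail body."""
    lines = []
    for f in findings:
        who = f.owner or "unknown owner"
        if f.kind == "unregistered":
            lines.append(f"UNREGISTERED {f.mac} on {f.port}")
        else:
            lines.append(f"{f.kind.upper()} {f.mac} ({who}) "
                         f"{f.expected_port} -> {f.port}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_anomalies(SNAPSHOT)):
        print(line)
```

The same-room check is what lets the "reasonable" moves be triaged quickly; only `unregistered` and cross-room `moved` findings need a human to ask questions. Everything else in the thread's hard part, keeping `EXPECTED` and `MAC_OWNER` current, is a process problem this script does not solve.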