How to implement network wide MAC filtering on a wired network

Alex2018

New Around Here
Hello

This is my first post on this forum, although I have spent a fair bit of time reading and learning on here.
If this is not the right place or there is a better place to post this please let me know.

I have a small network of building controls equipment connected to Zyxel GS2210 managed switches that a customer wants to implement mac filtering on. The specification says: MAC filtering shal be implemented to restrict connections to known devices accross the network. The list of known devices shal be centrally managed from a management software package or list.

I am at a bit of a loss on where to start looking or who to speak to to get that to work. There is a long list of network management software packages out there, but few are reasonably priced or give any real indication of the exact features available and whether they are easy enough to manage once installed; the customer's building engineers (read that as "people who can type with two fingers and find the power button but not much else") need to be able to maintain this.

Any suggestions or nudges in the right direction will be much appreciated.
 
read that as "people who can type with two fingers and find the power button but not much else"
Looking at the specifications for that switch it appears to have a lot of security already built into it, including "Layer 2 MAC filtering". Which specific model do you have, because there are quite a few variations? Chapter 12 of the manual mentions how to do MAC filtering. But the entire interface is designed for network professionals, not people that only have "two fingers" :eek:. I'm not sure there's an "idiot's interface".
 
I'm afraid my spelling/typing is not that great at speed. I suspect they got shall and across right in the actual specification as Word would have spell checked it. Not that it excuses putting in a requirement without any idea of whether it's possible for anyone to actually deliver it.

The switches are Zyxel GS2210 with version 4.5 firmware. If that helps.

I could work through local mac filtering on the switch myself (I feel the urge to buy and issue a few usb lan ports approaching, they can then manage the physical access to those for guest engineers) but getting a centrally managed list does not seem to be that easy, in this method anyway. I'm trying to get the ZON software downloaded to see what that can do. I might have to ban the two fingered engineers from touching it but still need to try to get as close to what was written as possible.
 
:oops: Sorry about the spelling jibe, I initially thought you had done a copy and paste from the specifications :D.

The ZON software looks like the way to go although I've never used it myself (maybe other forum members can chime in). The only other alternative seems to be a generic network management tool based on SNMP. But I doubt it would be particularly user friendly.
 
haha. no problem. I'm not that sensitive about my spelling. I just get annoyed at myself when I don't re-read things properly.

ZON software is now installed and honestly it's just about useless. It discovers the switches and displays a list, can update firmware and IP addressing but that seems to be about it.
Could you point me in the direction of any of the generic SNMP management tools? I have found SolarWinds Network Configuration Manager so far, just off to find prices and someone who knows how it works and if it can do what we need, hopefully.
 
MAC filtering shal be implemented to restrict connections to known devices accross the network. The list of known devices shal be centrally managed from a management software package or list.

Sounds like 802.1x access control - if the customer site has Active Directory in place, that's a place to start...

The switches should not be the catalog of devices, but should apply policy treatment as indicated by a policy profile..
 
Sounds like 802.1x access control - if the customer site has Active Directory in place, that's a place to start...

The switches should not be the catalog of devices, but should apply policy treatment as indicated by a policy profile..

Now that looks like just about exactly what we need. My head hurts from the rather fast google powered crash course I've just taken.
Thank you for the suggestion.

I suspect someone is going to have to hire a real network person first to make it work and then to pop in every few months to maintain it though.
 
What kind of "building controls equipment" is it? If it's PC's that already log into Active Directory then 802.1x is fairly straight forward. If it's some industrial black-box it could be more challenging.
 
What kind of "building controls equipment" is it? If it's PC's that already log into Active Directory then 802.1x is fairly straight forward. If it's some industrial black-box it could be more challenging.

Black boxes mainly (Centraline HAWK 6E units) and a few laptops. It's the laptops we need to control as the building management company does not always check that engineers turning up on site are qualified and we've had trouble with them just doing whatever they needed for their isolated function and not understanding the impact on the rest of the building.

There is no current Active Directory but there is a Windows 2012 server running on the network doing virtually nothing. It appears possible to set the authentication server to use the MAC address of the device plugging in as both the username and password. I think that it's above my level of networking/IT expertise right now though, so will look for someone to get it going for us. At least I can explain exactly what we want, which makes it a bit more likely that we will end up with a working solution. Unless I can bump this until September when I will have a few weeks of "quiet time", in which case I'll learn to do it and have the time to put it in carefully at my own pace without breaking anything.
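The last two posts describe the shape of the solution: the switches hand authentication to a RADIUS server, the server checks the connecting MAC address (sent as both username and password) against one central list, and the switches themselves hold no catalogue of devices. The script below is an added example written for this thread, not code from any poster, from Zyxel or from the FreeRADIUS project. It turns a centrally kept CSV of known devices into a FreeRADIUS `users` file with one entry per MAC and an explicit default reject. It assumes FreeRADIUS `users`-file syntax, that the switch sends the MAC in lower-case colon-separated form (switch vendors differ; `MAC_STYLE` is there to be adjusted), and that the switch supports dynamic VLAN assignment if a VLAN column is filled in. The CSV columns and the sample devices are constructed for the example.

```python
"""
Generate a FreeRADIUS 'users' file for MAC-based network access from a
central CSV of known devices.  Added example for the thread above; the
CSV layout, sample rows and MAC_STYLE default are assumptions, not
anything the switch or FreeRADIUS dictates.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the centrally managed "known devices" list.
SAMPLE_CSV = """\
mac,description,vlan
00-1B-4F-12-34-56,Centraline HAWK plant room,
001b.4f12.3457,Centraline HAWK roof,
AA:BB:CC:DD:EE:01,site engineer laptop,20
not-a-mac,typo in the spreadsheet,
"""

# Assumption: the switch sends MACs as "aa:bb:cc:dd:ee:ff".  Check the
# switch documentation and change this to "dash" or "bare" if needed.
MAC_STYLE = "colon"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept colon, dash, dot or bare spellings; return 12 lower-case hex digits or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if _HEX12.match(digits) else None


def format_mac(hex12: str, style: str = MAC_STYLE) -> str:
    """Render a normalized MAC in the style the switch is expected to send."""
    pairs = [hex12[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "dash":
        return "-".join(pairs)
    if style == "bare":
        return hex12
    raise ValueError(f"unknown MAC style {style!r}")


def load_known_devices(csv_text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse the central list.  Returns (valid entries, rejected raw MAC values).

    Malformed and duplicate MACs are reported rather than silently dropped,
    so a typo in the spreadsheet shows up before it locks a device out.
    """
    good: List[Dict[str, str]] = []
    bad: List[str] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac is None or mac in seen:
            bad.append(row["mac"])
            continue
        seen.add(mac)
        good.append({
            "mac": mac,
            "description": row["description"].strip(),
            "vlan": (row.get("vlan") or "").strip(),
        })
    return good, bad


def render_users_file(devices: List[Dict[str, str]], mac_style: str = MAC_STYLE) -> str:
    """Emit FreeRADIUS 'users' entries: one per known MAC, then a default reject."""
    lines = ["# Generated from the central device list; do not edit by hand."]
    for d in devices:
        mac = format_mac(d["mac"], mac_style)
        lines.append(f"# {d['description']}")
        # MAC-based auth: the switch sends the MAC as both User-Name and User-Password.
        entry = f'{mac}\tCleartext-Password := "{mac}"'
        if d["vlan"]:
            # Optional dynamic VLAN assignment (assumes the switch honours these reply items).
            entry += ("\n\tTunnel-Type = VLAN,"
                      "\n\tTunnel-Medium-Type = IEEE-802,"
                      f"\n\tTunnel-Private-Group-Id = \"{d['vlan']}\"")
        lines.append(entry)
    # Anything not on the list is rejected explicitly rather than by accident.
    lines.append("DEFAULT\tAuth-Type := Reject")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    devices, rejected = load_known_devices(SAMPLE_CSV)
    for raw in rejected:
        print(f"# WARNING: skipped invalid or duplicate MAC {raw!r}")
    print(render_users_file(devices))
```

Run against the real spreadsheet export instead of `SAMPLE_CSV` and copy the output into the FreeRADIUS `users` file (then reload the server). The point of the layout is the one made in the thread: the CSV is the single catalogue the building engineers maintain, the RADIUS server applies it, and the switches only enforce the verdict. Keep in mind that a MAC address is an identifier, not a secret; this meets the specification's "known devices" requirement but is weaker than 802.1X with per-device credentials, so the rejected-MAC log on the RADIUS server is worth watching.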
 
