The occasional trials and tribulations of a jack of all trades sysadmin in a startup in Silicon Valley
The only access I have to do network configuration for ports under my control is via a custom, campus-written web application. For each port I can configure things like rate, duplex setting, and what VLAN it is on. This system has been in place for nearly two years, and just last month they finally made it possible to lock specific jacks to specific MAC addresses.
Tangent: MAC address filtering is not secure in and of itself. Spoofing the MAC address a card responds to is possible with pretty much every network card and OS I have used in the past several years; it can even be done in the BIOS on some motherboards. It is, however, quite an effective deterrent against casual attempts to hook up non-sanctioned equipment.
Now this new feature only allows you to lock a single port to a single MAC address. This is a useful thing for most systems administrators on campus. Being able to limit which computers professors plug into the network jack in their office will most definitely improve the overall well-being of campus networks. I had hoped, however, for a system where I could set up lists of addresses and specify that a port should be restricted to one of the lists (the simplest form of course being a single address locked to a single port). My hopes were dashed by the last section of the introductory document announcing the MAC address locking feature.
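To make the two ideas above concrete (a single-MAC lock is just the one-entry case of a list-based lock, and MAC locking is a deterrent rather than a security boundary), here is a small added example that is not part of this post and has nothing to do with the campus web application. It models per-port allow-lists, normalises the three common MAC notations so that a list entry written as `0011.2233.4477` still matches a frame reporting `00:11:22:33:44:77`, and flags one address seen on two jacks at once, which is a cheap indicator of a cloned or spoofed address (or a mis-cabled device) worth investigating. Port names, addresses and sightings are constructed sample data.

```python
import re
from collections import defaultdict

# After stripping separators a MAC is exactly 12 hex digits.
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC in lowercase colon form; raise ValueError if malformed.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PortLockPolicy:
    """Per-port allow-lists. A single-MAC lock is a one-element list."""

    def __init__(self):
        self._allowed = defaultdict(set)  # port -> set of normalized MACs

    def lock(self, port, *macs):
        for m in macs:
            self._allowed[port].add(normalize_mac(m))

    def check(self, port, mac):
        """'allow' if the source MAC is on the port's list, 'deny' otherwise.
        A port with no entries is left open (assumed default for unlocked jacks)."""
        allowed = self._allowed.get(port)
        if not allowed:
            return "allow"
        return "allow" if normalize_mac(mac) in allowed else "deny"


def duplicate_macs(sightings):
    """Given (port, mac) sightings from the same time window, return the MACs
    seen on more than one port. This is a lead for investigation, not proof:
    a spoofed address looks exactly like a legitimate one on the wire."""
    seen = defaultdict(set)
    for port, mac in sightings:
        seen[normalize_mac(mac)].add(port)
    return {m: sorted(ports) for m, ports in seen.items() if len(ports) > 1}


# Constructed sample data: two office jacks and one unlocked lab jack.
POLICY = PortLockPolicy()
POLICY.lock("Gi1/0/1", "00:11:22:33:44:55")                    # single-MAC lock
POLICY.lock("Gi1/0/2", "00-11-22-33-44-66", "0011.2233.4477")  # list-based lock

SIGHTINGS = [
    ("Gi1/0/1", "00:11:22:33:44:55"),
    ("Gi1/0/2", "00:11:22:33:44:66"),
    ("Gi1/0/3", "00:11:22:33:44:55"),  # same address as port 1, same window
]

if __name__ == "__main__":
    for port, mac in SIGHTINGS:
        print(f"{port} {mac} -> {POLICY.check(port, mac)}")
    print("MACs on more than one port:", duplicate_macs(SIGHTINGS))
```

The policy class deliberately treats the single-MAC lock the campus offers as a degenerate list, so moving from one to the other is a data change rather than a code change; the duplicate check is the kind of thing that can be run over a periodic dump of the switch's MAC table without touching the ports themselves.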
It seems the campus-wide network architecture team feels there are political and logistical reasons (which they choose not to share) not to provide list-based locking. The only explanation they provide is that it is better network design to give each device its own jack (a concept I do generally agree with).
Clearly the campus-wide network architecture team needs some more creative thinkers on it. I can think of a few situations where it would be useful.
I am annoyed at this mostly because of what should be possible, and not by what I actually need now. I have much bigger fish to fry before I get around to MAC address locking at the switch.
[2006/01/17 | /networks | permanent link]