https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529698#M20433 thanks for the discussion. Looks like I will need to continue with manual lockout until I get IDM up and running. I was hoping there would be an easy way to restrict port access to a known mac addresses when the device became active on the network. Port security would have been my first choice but there doesn't appear to be a way to automatically clear the flag and return the port for use when the original device was plugged back in. Wed, 11 Nov 2009 20:38:27 GMT Dave Henley 2009-11-11T20:38:27Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529690#M20425 Is it possible to create a policy in PCM+ 3.0 that will automatically Lockout a known mac address on a group of 5400 switches when connected then automatically UnLock the port after a given time period? <BR /> Sat, 07 Nov 2009 17:52:03 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529690#M20425 Dave Henley 2009-11-07T17:52:03Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529691#M20426 This should be possible, but i'm not 100% sure if this roll-back function is part of network Immunity Manager 2.0 or already available in PCM+ 3.0. Check if you can create the Mac lock-out action in the policy manager.<BR /><BR />You can test by downloading the 60 day trial from the procurve website.<BR /><BR /> Mon, 09 Nov 2009 08:30:09 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529691#M20426 Sietze Reitsma 2009-11-09T08:30:09Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529692#M20427 I already have PCM+ 3.0 and the mac lockout option is available for use in the Policy Manager. <BR /><BR />I have looked at the events entry but do not see anything that records the mac address of a device connecting to a switch. Is there a log file that shows more detailed information?<BR /> Mon, 09 Nov 2009 14:27:43 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529692#M20427 Dave Henley 2009-11-09T14:27:43Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529693#M20428 only way i can see at the moment is to trigger a mac lockout by a trap. If the event contains the mac address then you can create a policy which captures this mac address for the mac lock-out action. In that case you can create a time based roll-back in the policy, for example one hour.<BR /><BR />So in the case of NIM 2.0, you have several triggers like NBAD (Network Behavior Anomaly Detection), external IPS/IDS, or other applications which can be used to perform actions like Mac-lockout, rate limiting or configuring vlans.<BR /><BR /> Tue, 10 Nov 2009 00:49:02 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529693#M20428 Sietze Reitsma 2009-11-10T00:49:02Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529694#M20429 The problem appears to center around getting a mac address to be registered in an event when a device becomes active on a switch. What type of activity would cause an event and record a mac address? Tue, 10 Nov 2009 04:26:48 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529694#M20429 Dave Henley 2009-11-10T04:26:48Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529695#M20430 Traps from the switch like portsecurity, dhcp snooping, arp spoofing and NIM events. <BR /><BR />Reading: <A href="http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S16_ProCurve-NIM-policy-mgmt-final-093008.pdf" target="_blank">http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S16_ProCurve-NIM-policy-mgmt-final-093008.pdf</A><BR /><BR /><A href="http://www.procurve.com/NR/rdonlyres/4C3E6B65-86EA-4436-AEED-ADCF4AA75EBB/0/NetworkImmunityManagerEventInterpretationTechBrief_Dec_07_WW_Eng_A4.pdf?jumpid=reg_R1002_USEN" target="_blank">http://www.procurve.com/NR/rdonlyres/4C3E6B65-86EA-4436-AEED-ADCF4AA75EBB/0/NetworkImmunityManagerEventInterpretationTechBrief_Dec_07_WW_Eng_A4.pdf?jumpid=reg_R1002_USEN</A><BR /><BR />If you clarify what your goal is, then we can search for a solution.<BR /><BR /> Wed, 11 Nov 2009 00:28:16 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529695#M20430 Sietze Reitsma 2009-11-11T00:28:16Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529696#M20431 thanks for keeping up with this. The goal is to lockout a device with a known mac address when that device is plugged into the network and then unlockout after a specified time period. <BR /><BR />or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded.<BR /><BR />Similar to specifying the number of devices that can attach to a switch port before an action is taken. Problem with this approach is I have to manually remove the flag and enable the port.<BR /><BR /> Wed, 11 Nov 2009 14:28:30 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529696#M20431 Dave Henley 2009-11-11T14:28:30Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529697#M20432 &gt;thanks for keeping up with this. The goal is to lockout a device with a known mac address when that device is plugged into the network and then unlockout after a specified time period. <BR /><BR />answ: at the moment a little complicated to create, but it should be possible in the future with a new enhanced scripting engine in PCM3. For now you can manual enable and disable mac lockout. <BR /><BR /><BR /><BR />or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded. <BR /><BR />answ: maybe port security can help with a continous learnmode of a number of max clients<BR />switch (config)# port-security 1 address-limit 8 learnmode limited continuous<BR /><BR />The 9th client will be disabled. <BR /><BR /><BR />Similar to specifying the number of devices that can attach to a switch port before an action is taken. Problem with this approach is I have to manually remove the flag and enable the port. <BR /><BR />answ: see response to your 2nd question<BR /><BR />Maybe another idea is to use mac authentication. In this case only registered mac adresses are allowed and unwanted mac adresses can be moved to a policy with less bandwith and/or restricted resource availability. Like internet only. unknown adresses are handled in a separate part of the network or not granted for access.<BR /><BR />Sietze<BR /><BR /> Wed, 11 Nov 2009 20:05:13 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529697#M20432 Sietze Reitsma 2009-11-11T20:05:13Z https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529698#M20433 thanks for the discussion. Looks like I will need to continue with manual lockout until I get IDM up and running. I was hoping there would be an easy way to restrict port access to a known mac addresses when the device became active on the network. Port security would have been my first choice but there doesn't appear to be a way to automatically clear the flag and return the port for use when the original device was plugged back in. Wed, 11 Nov 2009 20:38:27 GMT https://community.hpe.com/t5/switches-hubs-and-modems/automating-mac-lockout/m-p/4529698#M20433 Dave Henley 2009-11-11T20:38:27Z