Aruba & ProVision-based

Deny All Mac Except Allow List

Occasional Advisor

Deny All Mac Except Allow List

Hi,

We have HP 5412Rzl2 Core and 2910 Access Switches and we need to deny all the mac addresses except all domain-connected pcs and known devices. Is it possible to achieve this kind of setup?

Thanks.

Emil_G
HPE Pro

Re: Deny All Mac Except Allow List

Hello, 

There are different options to achieve this. Both switches support port-access options like 802.1x and MAC authentication. The port will only allow a device if 802.1x or MAC authentication using a RADIUS server is successful. If you use this option in user-based mode (specifying a client limit), the port will allow traffic only from the MAC addresses of the authenticated devices. This is the most secure option (especially 802.1x), but it requires a RADIUS server and a user database like AD. You can find more details in the Access Security Guide (ASG) of your switch.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091309en_us

A simpler option is port-security. Port security maintains a list of allowed MAC addresses on a per-port basis. This list can be populated either dynamically or statically. You can specify different actions if an unauthorized MAC appears on the port: send an alarm and disable the port, only send an alarm, or none. You can find more about port-security here or also in the ASG.

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch14s02.html

5406 supports MAC ACLs, but this doesn't scale if you want to protect every single port of the switch.

Maybe local MAC authentication can also be an option if a RADIUS server is not available. It is also described in the ASG.

I am an HPE employee
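As an added example (not from the reply's author or from HPE documentation), a static port-security allow list on a ProVision-based switch in the style the reply describes. Port A1 and the two MAC addresses are placeholder values, and the command syntax should be checked against the ASG for your software version; lines starting with `;` are explanatory, not CLI input.

```text
; Added example, not from the reply: static allow list on port A1 (port and MACs are placeholders).
; Only the two listed MACs may send traffic on A1; any other MAC is logged and the port is disabled.
switch(config)# port-security A1 learn-mode static address-limit 2 mac-address 001122-aabbcc 001122-aabbcd action send-disable

; Confirm the allow list on the port and review any recorded intrusions.
switch(config)# show port-security A1
switch(config)# show port-security intrusion-log

; After investigating an intrusion, clear the flag and re-enable the port.
switch(config)# port-security A1 clear-intrusion-flag
switch(config)# interface A1 enable
```

With `action send-disable`, the port stays down until the intrusion flag is cleared and the interface is re-enabled, so an unexpected MAC (a swapped PC, a phone daisy-chained behind it) turns into a help-desk call rather than silent access; `send-alarm` is the softer choice while the list is still being built.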
