ProCurve 2610 MAC Lockdown

vipes27 · ‎07-21-2009

We have 2 ProCurve switches, a 2610-48-PWR and a 2610-24-PWR. I want to lock down the ports to allow only the MAC addresses that we choose to connect to the switches. If it is not an approved MAC address, it would not be able to connect. Is this possible? I thought I read in the specs that it is, but haven't been able to figure it out. Any help would be appreciated.

Thanks.

cenk sasmaztin · ‎07-21-2009

yes jeff it is possible

if you want make this operation you can use 3 way

1-classic mac lockdown with static-mac commad

edgeswitch(config)# static-mac
MAC-ADDR Enter MAC address for the 'static-mac'
command/parameter.
edgeswitch(config)# static-mac (mac-address)

you can write each port one by one authorized mac address

very exhaustive

2-learning switch with one commad all mac address on port with port security

edgeswitch(config)# port-security 1-23 address-limit 1 learn-mode static action
send-disable

with this command all port learn dynamically each mac address on port and only one mac address permision and if connect any other mac address on port port turn disable status

3-802.1x mac authentication

very secure and very flexible
802.1x operation running with radius server
any client connect any port with mac authentication
if connect request authorized mac address radius server approve connection on switch port

cenk

vipes27 · ‎07-21-2009

Thanks so much for your reply, that was great. Do you type those commands in the config file for the switch? I was sort of confused on that.

This is a little different question, but are you able to configure a specific port to only allow internet connection and no network access? Would that have to be a seperate VLAN?

Thanks again for your help.

cenk sasmaztin · ‎07-21-2009

hi Jeff

if use only two procurve switch
I recomended you must make option 2

so

2-learning switch with one commad all mac address on port with port security

edgeswitch(config)# port-security 1-23 address-limit 1 learn-mode static action
send-disable

with this command all port learn dynamically each mac address on port and only one mac address permision and if connect any other mac address on port port turn disable status

very easy command
please test your 2610-24 switch

(config)# port-security 1-23 address-limit 1 learn-mode static action send-disable

switch learn dynamically at the moment connection mac address on port and this mac address sensible authorized mac address
if connect any other mac address on this port port is trun disable state

you must be turn port enable state with manuel command
(eth-13)# enable

in this way unauthorized pc unable connect your switch

important note:on uplink port (switch to switch ) don't port security config

your questions

yes it is possible
each port able sperate other port with
source port filter command
no need vlan
config)# filter source-port 1 drop 2-23
with this command port 1 between port 2 to 23 connection drop port 1 permit connection only interface 24 if you connect interface 24 internet router port 1 user only comminication internet router unable connection other pc

cenk

vipes27 · ‎07-21-2009

Thanks again for your reply. If I understand you right, #2 allows you to have list of approved MAC addresses and if not one listed, the port will be turned off. Is that correct, or do you have to have a certain MAC address in a certain port? Also, where do you add this command at? In the switches config file.

Thanks again.

arenaskevin · ‎05-25-2016

Sir Cenk can i use both ? Mac Lockdown and DHCP Snooping?

ProCurve 2610 MAC Lockdown

ProCurve 2610 MAC Lockdown

Re: ProCurve 2610 MAC Lockdown

Re: ProCurve 2610 MAC Lockdown

Re: ProCurve 2610 MAC Lockdown

Re: ProCurve 2610 MAC Lockdown

Re: ProCurve 2610 MAC Lockdown

Hewlett Packard Enterprise International