Community
Aruba & ProVision-based
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ProCurve 2610 MAC Lockdown

 
SOLVED
Go to solution
vipes27
vipes27
Occasional Advisor

‎07-21-2009 08:16 AM

‎07-21-2009 08:16 AM

ProCurve 2610 MAC Lockdown

We have 2 ProCurve switches, a 2610-48-PWR and a 2610-24-PWR. I want to lock down the ports to allow only the MAC addresses that we choose to connect to the switches. If it is not an approved MAC address, it would not be able to connect. Is this possible? I thought I read in the specs that it is, but haven't been able to figure it out. Any help would be appreciated.

Thanks.
0 Kudos
Reply
5 REPLIES 5
cenk sasmaztin
cenk sasmaztin
Honored Contributor

‎07-21-2009 09:40 AM

‎07-21-2009 09:40 AM

Solution

Re: ProCurve 2610 MAC Lockdown

yes jeff it is possible

if you want make this operation you can use 3 way

1-classic mac lockdown with static-mac commad

edgeswitch(config)# static-mac
MAC-ADDR Enter MAC address for the 'static-mac'
command/parameter.
edgeswitch(config)# static-mac (mac-address)

you can write each port one by one authorized mac address

very exhaustive

2-learning switch with one commad all mac address on port with port security

edgeswitch(config)# port-security 1-23 address-limit 1 learn-mode static action
send-disable

with this command all port learn dynamically each mac address on port and only one mac address permision and if connect any other mac address on port port turn disable status


3-802.1x mac authentication

very secure and very flexible
802.1x operation running with radius server
any client connect any port with mac authentication
if connect request authorized mac address radius server approve connection on switch port

cenk

Reply
vipes27
vipes27
Occasional Advisor

‎07-21-2009 10:00 AM

‎07-21-2009 10:00 AM

Re: ProCurve 2610 MAC Lockdown

Thanks so much for your reply, that was great. Do you type those commands in the config file for the switch? I was sort of confused on that.

This is a little different question, but are you able to configure a specific port to only allow internet connection and no network access? Would that have to be a seperate VLAN?

Thanks again for your help.
0 Kudos
Reply
cenk sasmaztin
cenk sasmaztin
Honored Contributor

‎07-21-2009 10:38 AM

‎07-21-2009 10:38 AM

Re: ProCurve 2610 MAC Lockdown

hi Jeff

if use only two procurve switch
I recomended you must make option 2

so

2-learning switch with one commad all mac address on port with port security

edgeswitch(config)# port-security 1-23 address-limit 1 learn-mode static action
send-disable

with this command all port learn dynamically each mac address on port and only one mac address permision and if connect any other mac address on port port turn disable status


very easy command
please test your 2610-24 switch

(config)# port-security 1-23 address-limit 1 learn-mode static action send-disable

switch learn dynamically at the moment connection mac address on port and this mac address sensible authorized mac address
if connect any other mac address on this port port is trun disable state

you must be turn port enable state with manuel command
(eth-13)# enable

in this way unauthorized pc unable connect your switch

important note:on uplink port (switch to switch ) don't port security config

your questions

yes it is possible
each port able sperate other port with
source port filter command
no need vlan
config)# filter source-port 1 drop 2-23
with this command port 1 between port 2 to 23 connection drop port 1 permit connection only interface 24 if you connect interface 24 internet router port 1 user only comminication internet router unable connection other pc




cenk

0 Kudos
Reply
vipes27
vipes27
Occasional Advisor

‎07-21-2009 11:28 AM

‎07-21-2009 11:28 AM

Re: ProCurve 2610 MAC Lockdown

Thanks again for your reply. If I understand you right, #2 allows you to have list of approved MAC addresses and if not one listed, the port will be turned off. Is that correct, or do you have to have a certain MAC address in a certain port? Also, where do you add this command at? In the switches config file.

Thanks again.
0 Kudos
Reply
arenaskevin
arenaskevin
Occasional Visitor

‎05-25-2016 08:51 PM

‎05-25-2016 08:51 PM

Re: ProCurve 2610 MAC Lockdown

Sir Cenk can i use both ? Mac Lockdown and DHCP Snooping?  

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.