
Accept traffic via a specific mac address

NetworkSeb
Occasional Contributor

Hi All,

Just wondering if anyone has come across this scenario in the past?

We have two switches, switch 1 and switch 2. We would like to allow traffic from all clients connected to switch 2 into switch 1, but only if that traffic has come via switch 2 (i.e. no one has pulled the uplink out of switch 2 and tried to connect something else to it, in which case the traffic should be discarded).

A couple of further complications: we use 802.1X authentication, and we need to be able to apply this form of lockdown to two of the ports on switch 1.

The switch I'm trying to get this working on is a 2620 (J9625A).

Any suggestions?

Thanks,

NS

Vince-Whirlwind
Honored Contributor

Re: Accept traffic via a specific mac address

Can you use Port-Security, set it to static, then enter the MAC address of the switch at the other end of the uplink?

HP literature tells you you can switch off auto-MDIX to protect yourself from this situation - but I don't rate this as a valid approach, because it doesn't take a genius to get hold of a cross-over cable to defeat it.

If you have dot1x implemented, I don't see what the problem is. Doesn't that do all the filtering you need?

Could you use track port on Switch 1 to monitor a port on Switch 2, and if it goes down, disable the uplink port and send an alert so you know what's going on?

Also, your network monitoring should detect if an Access switch goes down anyway, which could make you suspicious.
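The static port-security suggestion in the reply above, written out as an added configuration example (not from the original thread or from HP documentation). It assumes ProCurve CLI syntax for a 2620-class switch; the port `A1` and the MAC `001122-334455` are constructed placeholders for the real uplink port on switch 1 and the MAC address of switch 2's uplink interface.

```text
; Constructed example: A1 is the uplink port on switch 1, 001122-334455 is
; a placeholder for the MAC address of switch 2's uplink interface.
; Learn mode "static" with a limit of one address means only the listed MAC
; is accepted on the port; any other source MAC is treated as an intrusion
; and "send-disable" shuts the port down and logs the event.
port-security A1 learn-mode static address-limit 1 mac-address 001122-334455 action send-disable

; Confirm the port state and review any intrusion events afterwards.
show port-security A1
show port-security intrusion-log
```

Port security keys on a value the far end presents rather than on authenticated identity, so it is best treated as one layer alongside the dot1x and track-port suggestions in the reply rather than as the only control.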