Switches, Hubs, and Modems
Block MAC certain Addresses

SOLVED
Matt Ballou
Occasional Advisor

Block MAC certain Addresses

Is there a way to block MAC Addresses on the Procurve 2650, 5300xl series? There are a few folks who keep bringing in AP's and other devices on our network and I essentially only want to allow certain MAC addresses on each Port and also block unknown AP's. Although we have policies in place to deal, some folks don't always get the message regarding Rogue AP's. We have PCM+2.1/IDM 2.1 but have not started to implement yet. I don't think these people would know how to Spoof the MAC Address and this would at least deter them.
7 REPLIES
Matt Hobbs
Honored Contributor

Re: Block MAC certain Addresses

Yep you certainly can:

ProCurve Switch 2626(config)# lockout-mac
MAC-ADDR Enter MAC address for the 'lockout-mac'
command/parameter.

Don't forget to assign points to posts that have helped you.
Matt Hobbs
Honored Contributor

Re: Block MAC certain Addresses

On second thought, lockout-mac by itself isn't really sufficient. Clients will still be able to associate to the AP and get access to the network. You should actually look at Port Security instead. I'd strongly recommend you read through this chapter of the security guide:

ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf
Matt Hobbs
Honored Contributor
Solution

Re: Block MAC certain Addresses

And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:

ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous address-limit 1 action send-alarm

This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

Alternatively, you could use 'send-disable' which would also block the port until you 'clear-intrusion-flag'.
Mohieddin Kharnoub
Honored Contributor

Re: Block MAC certain Addresses

Hi

If you want to allow only certain MACs per port, then I think what you need is:
MAC Lockdown, which is a permanent assignment of a given MAC address to a given port.

The command is:
mac-address [mac address] static VLAN [vid] [port number]

Example:
mac-address 001500-3C36D4 static VLAN 2 A6

Science for Everyone
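The two replies above give the building blocks: a one-address limit with an alarm on end-node ports, and a static MAC lockdown for ports where the device is known. The script below is an added example (not from this thread or from HP) that turns a small inventory into those CLI lines. The inventory, the excluded uplink/AP port list, the VLAN id and the choice to emit both a lockdown line and a port-security line for pinned ports are all assumptions made here; the command syntax is taken verbatim from the two posts.

```python
import re

# Constructed inventory: end-node port -> the single MAC expected on it,
# or None when the device's MAC is not known yet.  Not real data.
ALLOWED = {
    "A6": "00:15:00:3c:36:d4",
    "A7": "0015.003c.36d5",
    "A8": None,
    "A24": "00:15:00:3c:36:ff",   # our own AP, listed only to show exclusion
}

# Assumed list of ports that must never get a one-address limit:
# switch uplinks and our own access points.
EXCLUDED = {"A24", "B1"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept colon-, dot- or dash-separated MACs and return the ProCurve
    'xxxxxx-xxxxxx' form.  Raises ValueError on malformed input so a typo
    in the inventory never becomes a silent lockdown of the wrong address."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits[:6] + "-" + digits[6:]


def build_config(allowed, excluded, vlan, action="send-alarm"):
    """Return the config lines for every inventoried port that is not excluded.

    Known MAC  -> MAC lockdown (mac-address ... static VLAN ...) plus a
                  one-address port-security limit so a second MAC alarms.
    Unknown MAC -> one-address limited-continuous learning with an alarm.
    """
    lines = []
    for port in sorted(allowed):
        if port in excluded:
            continue
        psec = ("port-security %s learn-mode limited-continuous "
                "address-limit 1 action %s" % (port, action))
        mac = allowed[port]
        if mac is not None:
            lines.append("mac-address %s static VLAN %d %s"
                         % (normalize_mac(mac), vlan, port))
        lines.append(psec)
    return lines


if __name__ == "__main__":
    for line in build_config(ALLOWED, EXCLUDED, vlan=2):
        print(line)
```

Run it and paste the output into the switch's config context; use `send-disable` as the action instead of `send-alarm` if you want the port shut until `clear-intrusion-flag` is issued.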
Matt Ballou
Occasional Advisor

Re: Block MAC certain Addresses

> And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:
>
> ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous address-limit 1 action send-alarm
>
> This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

What if we added our own AP on the network, would that mess up this setup as we would then possibly block our legit AP?
Les Ligetfalvy
Esteemed Contributor

Re: Block MAC certain Addresses

I think limit 1, continuous learn would not stop the DSL routers with access points since all the other MACs hide behind NAT.

There is something to be said for the user adjusting tool that we keep behind the door.
Matt Hobbs
Honored Contributor

Re: Block MAC certain Addresses

> What if we added our own AP on the
> network, would that mess up this setup as
> we would then possibly block our legit AP?

On your ports with legitimate AP's, you just don't use that command. It is port specific. Also you would not set it on the switch uplink ports.

As Les said though, if an end-user brought in an AP that was performing NAT it would be harder to detect with this method - you would really need other AP's which detected the rogue AP's radios. The 420wl and 530wl can do this.
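The thread ends on the two things port security does give you: an event-log entry per intrusion, and a port that may need `clear-intrusion-flag`. The script below is an added example (not from the thread or from HP) that reads exported event-log text and summarises intrusions per port, so the ports that saw several distinct MACs (a hub or a bridging AP, which NAT would hide) stand out from a single stray laptop. The log lines are constructed here and the wording of the intrusion entry is assumed; adjust the regular expression to the exact text your firmware writes.

```python
import re
from collections import defaultdict

# Constructed sample of a ProCurve-style event log (severity, date, time,
# module, message).  The port-security line format is an assumption made
# for this example, not copied from a real switch.
SAMPLE_LOG = """\
I 06/12/07 08:02:11 ports: port 7 is now on-line
W 06/12/07 09:15:02 port-security: port 7 intrusion detected, mac 001122-334455
W 06/12/07 09:15:40 port-security: port 7 intrusion detected, mac 001122-334456
I 06/12/07 09:20:00 ports: port 12 is now on-line
W 06/12/07 09:21:13 port-security: port 12 intrusion detected, mac 0015e9-abcdef
W 06/12/07 09:25:13 port-security: port 12 intrusion detected, mac 0015e9-abcdef
"""

INTRUSION = re.compile(
    r"^W (?P<when>\S+ \S+) port-security: port (?P<port>\S+) "
    r"intrusion detected, mac (?P<mac>[0-9a-f]{6}-[0-9a-f]{6})$"
)


def parse_intrusions(text):
    """Map port -> list of (timestamp, mac) for every intrusion line.
    Lines that do not match (on-line notices, other modules) are ignored."""
    events = defaultdict(list)
    for raw in text.splitlines():
        m = INTRUSION.match(raw.strip())
        if m:
            events[m.group("port")].append((m.group("when"), m.group("mac")))
    return dict(events)


def summarize(events, multi_threshold=2):
    """Per port: event count, distinct MACs, and whether more than one
    distinct MAC was seen (a hint of a hub or bridging AP rather than one
    stray host).  Ports that alarmed are exactly the ones that may need
    'clear-intrusion-flag' once the cause is dealt with."""
    summary = {}
    for port, hits in events.items():
        macs = sorted({mac for _, mac in hits})
        summary[port] = {
            "count": len(hits),
            "macs": macs,
            "multi_host": len(macs) >= multi_threshold,
        }
    return summary


if __name__ == "__main__":
    for port, info in sorted(summarize(parse_intrusions(SAMPLE_LOG)).items()):
        flag = "  <- several MACs behind this port" if info["multi_host"] else ""
        print("port %s: %d events, MACs %s%s"
              % (port, info["count"], ", ".join(info["macs"]), flag))
```

Feed it the output of `show logging` (or the syslog your PCM server collects) rather than the sample, and review the flagged ports before clearing their intrusion flags.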