
Local MAC based authentication per individual port (HPE FlexNetwork 5130 EI Switch Series)

Futurity
Occasional Advisor

Hi, 

I have a stack of HPE FlexNetwork 5130 EI Series switches. Up until now, I've been configuring individual sets of physical ports to VLANs, but this doesn't stop someone without any IT skills plugging in a laptop to a port and gaining access. I know that MAC addresses can be easily spoofed, but I doubt this is something a sales person would know how to do easily, so I'm looking for a way to tie a MAC address to a particular port.

I'm already familiar with configuring these switches via the CLI, so that's not the problem. My problem is that the manual is so huge that I may have missed a solution while reading through it.

I've read that almost all solutions rely on a RADIUS server, but unfortunately I don't have the expertise or time to create one. Moving away from my extensive VLAN configuration held within the stacked switches isn't something I'd like to do, so ideally I'd like to complement it with some sort of MAC authentication / lockdown.

So far within the manual I've read that a list of MAC addresses can be configured to tie down access to a set of devices, but any port with MAC authentication activated will accept any device within this list. It seems to be a catch-all. It doesn't look like this can be split up into groups either?

I can't remember the name of the security method off the top of my head, but I think there is a method of locking one MAC address per port, but each port must also have a unique VLAN assigned to it. This would work, but it pushes half the configuration onto the firewall (which is a nightmare to configure).

I've also read that domains can be used to lock down ports, or at least groups of ports. Normally these are stored on a RADIUS server, but I think there is a hint that they could be stored locally on the switch?

Fingers crossed that I've missed a solution.

Many thanks in advance for any help you can provide,

Neil


Ivan_B
HPE Pro

Re: Local MAC based authentication per individual port (HPE FlexNetwork 5130 EI Switch Series)

Hello Neil!

It seems that you don't need MAC authentication, even a local one, but what you are looking for is a way to control MAC address learning on ports and allow traffic only from certain MACs bound to that port. If my assumption is correct then 'port-security port-mode secure' accompanied by static secure MACs on interfaces is the feature you are looking for.

For example, if you have two PCs in vlan 10 - PC1 on port Gig1/0/1 with MAC aaaa-aaaa-aaaa and PC2 on port Gig1/0/2 with MAC bbbb-bbbb-bbbb, then the configuration will be:

system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode secure
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode secure
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security bbbb-bbbb-bbbb vlan 10

If you don't want to type each MAC manually and you are pretty sure that during the setup only trusted PCs will be connected to the switch and those PCs will be connected to the correct ports, then use the 'autolearn' feature (analogous to Cisco's sticky MACs):

system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac

After we connect our imaginary PC1 and PC2, their MACs will be automatically learned and saved in the 'current-configuration'. The configuration will look like this:

system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security bbbb-bbbb-bbbb vlan 10

Then all you need to do is save the configuration in order to make those learned MACs permanent, i.e. so that they survive a reboot. If you need to change a MAC, just remove the 'port-security mac-address security...' line under the respective interface and connect the new host.

Hope this helps!


I am an HPE employee

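Not part of the thread: an added Python audit that parses a Comware-style 'current-configuration' in the shape shown in the answer above and flags access ports that are not locked to exactly one static secure MAC, including an autolearn port whose MAC has not been learned (or saved) yet. The sample configuration, port names and MACs are constructed for the example.

```python
# Constructed sample in the shape of the Comware 'current-configuration' shown
# above: Gig1/0/1 is fully locked, Gig1/0/2 is autolearn with nothing learned
# yet, Gig1/0/3 has no port-security at all.
SAMPLE_CONFIG = """\
port-security enable
#
interface Gig1/0/1
 port link-type access
 port access vlan 10
 port-security port-mode secure
 port-security max-mac-count 1
 port-security intrusion-mode blockmac
 port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface Gig1/0/2
 port link-type access
 port-security port-mode autolearn
 port-security max-mac-count 1
#
interface Gig1/0/3
 port link-type access
 port access vlan 20
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each interface block."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "#":          # Comware block separator ends the interface
            current = None
        elif current is not None and line:
            ifaces[current].append(line)
    return ifaces

def audit_port_security(config):
    """Flag access ports not locked to exactly one static secure MAC."""
    all_lines = [l.strip() for l in config.splitlines()]
    findings = [] if "port-security enable" in all_lines else [("global", "port-security not enabled")]
    for name, lines in parse_interfaces(config).items():
        if "port link-type access" not in lines:
            continue               # only access ports are in scope for this policy
        macs = [l.split()[3] for l in lines if l.startswith("port-security mac-address security")]
        if not any(l.startswith("port-security port-mode") for l in lines):
            findings.append((name, "no port-security port-mode"))
        if "port-security max-mac-count 1" not in lines:
            findings.append((name, "max-mac-count is not 1"))
        if len(macs) != 1:
            findings.append((name, f"{len(macs)} static secure MACs bound, expected 1"))
    return findings
```

Running it over the output of 'display current-configuration' after the autolearn phase shows which ports still have no bound MAC before you save the configuration.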

Futurity
Occasional Advisor

Re: Local MAC based authentication per individual port (HPE FlexNetwork 5130 EI Switch Series)

Hi Ivan_B,

I remember reading about this at the beginning of my research, but for some reason I thought this worked at a full switch level across all ports. Shows that I needed to read this in more detail. I guess as I read more in-depth sections of the manual, I would have understood this section with more clarity should I have gone back to it.

Thank you so much for your help. You've saved me so much work and man hours.

Neil