Local MAC based authentication per individual port...
06-08-2020 11:59 AM
Hi,
I have a stack of HPE FlexNetwork 5130 EI Series switches. Up until now, I've been configuring individual sets of physical ports to VLANs, but this doesn't stop someone without any IT skills plugging in a laptop to a port and gaining access. I know that MAC addresses can be easily spoofed, but I doubt this is something a sales person would know how to do easily, so I'm looking for a way to tie a MAC address to a particular port.
I'm already familiar with configuring these switches via the CLI, so that's not the problem. My problem is that the manual is so huge that I may have missed a solution while reading through it.
I've read that almost all solutions rely on a RADIUS server, but unfortunately I don't have the expertise or time to create one. Moving away from my extensive VLAN configuration held within the stacked switches isn't something I'd like to do, so ideally I'd like to complement it with some sort of MAC authentication / lockdown.
So far within the manual I've read that a list of MAC addresses can be configured to tie down access to a set of devices, but any port with MAC authentication activated will accept any device within this list. It seems to be a catch-all. It doesn't look like this can be split up into groups either?
I can't remember the name of the security method off the top of my head, but I think there is a method of locking one MAC address per port, but each port must also have a unique VLAN assigned to it. This would work, but it pushes half the configuration onto the firewall (which is a nightmare to configure).
I've also read that domains can be used to lockdown ports, or at least to groups of ports. Normally these are stored on a Radius server, but I think there is a hint that they could be stored locally on the switch?
Fingers crossed that I've missed a solution.
Many thanks in advance for any help you can provide,
Neil
06-09-2020 02:38 PM - edited 06-09-2020 02:43 PM
Hello Neil!
It seems that you don't need MAC authentication, even a local one, but what you are looking for is a way to control MAC address learning on ports and allow traffic only from certain MACs bound to that port. If my assumption is correct then 'port-security port-mode secure' accompanied by static secure MACs on interfaces is the feature you are looking for.
For example, if you have two PCs in vlan 10 - PC1 on port Gig1/0/1 with MAC aaaa-aaaa-aaaa and PC2 on port Gig1/0/2 with MAC bbbb-bbbb-bbbb, then the configuration will be:
system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode secure
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode secure
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security bbbb-bbbb-bbbb vlan 10
If you don't want to type each MAC manually and you are pretty sure that during the setup only trusted PCs will be connected to the switch and those PCs will be connected to the correct ports, then use the 'autolearn' feature (analogous to Cisco's sticky MACs):
system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
After we connect our imaginary PC1 and PC2, their MACs will be automatically learned and saved in the 'current-configuration'. The configuration will look like this:
system-view
port-security enable
#
interface Gig1/0/1
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface Gig1/0/2
port link-type access
port access vlan 10
port-security port-mode autolearn
port-security max-mac-count 1
port-security intrusion-mode blockmac
port-security mac-address security bbbb-bbbb-bbbb vlan 10
Then all you need to do is save the configuration in order to make those learned MACs permanent, i.e. to survive a reboot. If you need to change a MAC, just remove the 'port-security mac-address security...' line under the respective interface and connect the new host.
Hope this helps!
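One way to keep those bindings honest after the initial setup, as an added example that is not part of Ivan_B's answer or any HPE tooling: a small Python audit that reads a saved running configuration (the constructed sample below is shaped like the answer's third block) and compares each port's secure MAC against an inventory of which host belongs on which port. The interface names, MAC addresses, inventory and function names are all assumptions made for this illustration.

```python
"""Audit HPE Comware port-security bindings against an inventory.

Added example (not from the forum post). It parses the 'port-security'
stanzas that the answer above describes and reports ports that are not
locked down the way the inventory says they should be.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a saved configuration might contain after the
# autolearn step: port 1 has learned its host, port 2 is still waiting for
# one, and port 3 was never put into a secure mode at all.
SAMPLE_CONFIG = """\
port-security enable
#
interface GigabitEthernet1/0/1
 port link-type access
 port access vlan 10
 port-security port-mode autolearn
 port-security max-mac-count 1
 port-security intrusion-mode blockmac
 port-security mac-address security aaaa-aaaa-aaaa vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port access vlan 10
 port-security port-mode autolearn
 port-security max-mac-count 1
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/3
 port link-type access
 port access vlan 10
#
"""

# Constructed inventory: which MAC is expected on which port. Any common
# MAC notation is accepted; it is normalised before comparison.
INVENTORY = {
    "GigabitEthernet1/0/1": "AA:AA:AA:AA:AA:AA",
    "GigabitEthernet1/0/2": "bbbb.bbbb.bbbb",
    "GigabitEthernet1/0/3": "cc-cc-cc-cc-cc-cc",
}


def to_comware_mac(mac: str) -> str:
    """Normalise any common MAC notation to Comware's xxxx-xxxx-xxxx form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_config(text: str) -> Tuple[bool, Dict[str, Dict[str, object]]]:
    """Return (port_security_enabled, {interface: settings}) from config text."""
    enabled = False
    ports: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    patterns = {
        "mode": re.compile(r"port-security port-mode (\S+)"),
        "max_mac": re.compile(r"port-security max-mac-count (\d+)"),
        "intrusion": re.compile(r"port-security intrusion-mode (\S+)"),
        "secure_mac": re.compile(r"port-security mac-address security (\S+) vlan (\d+)"),
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "port-security enable":
            enabled = True
        elif line.startswith("interface "):
            # Each stanza starts with 'interface <name>' and ends at the next '#'.
            current = {"mode": None, "max_mac": None, "intrusion": None, "secure_macs": []}
            ports[line.split(None, 1)[1]] = current
        elif line == "#":
            current = None
        elif current is not None:
            for key, rx in patterns.items():
                m = rx.match(line)
                if not m:
                    continue
                if key == "secure_mac":
                    current["secure_macs"].append(m.group(1))
                elif key == "max_mac":
                    current[key] = int(m.group(1))
                else:
                    current[key] = m.group(1)
                break
    return enabled, ports


def audit(text: str, inventory: Dict[str, str]) -> List[str]:
    """Compare a running configuration against the inventory; return findings."""
    enabled, ports = parse_config(text)
    findings: List[str] = []
    if not enabled:
        findings.append("GLOBAL: 'port-security enable' is missing, per-port settings are inactive")
    for port, want in sorted(inventory.items()):
        want_mac = to_comware_mac(want)
        cfg = ports.get(port)
        if cfg is None:
            findings.append(f"{port}: not present in configuration")
            continue
        if cfg["mode"] not in ("secure", "autolearn"):
            findings.append(f"{port}: no port-security port-mode (secure/autolearn); any host can use the port")
            continue
        if cfg["max_mac"] != 1:
            findings.append(f"{port}: max-mac-count is {cfg['max_mac']}, expected 1")
        if cfg["intrusion"] is None:
            findings.append(f"{port}: no intrusion-mode configured (the answer uses blockmac)")
        bound = cfg["secure_macs"]
        if not bound:
            state = "still learning" if cfg["mode"] == "autolearn" else "no static secure MAC"
            findings.append(f"{port}: {state}; expected {want_mac}")
        elif want_mac not in bound:
            findings.append(f"{port}: bound to {', '.join(bound)}, inventory says {want_mac}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, INVENTORY) or ["no findings"]:
        print(line)
```

To use it against a real stack, save the output of 'display current-configuration' to a file and pass its contents to audit() together with your own port-to-MAC inventory; a port reported as "still learning" is one where autolearn has not yet bound a host, and a port reported with no port-mode is one the lockdown was never applied to.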
06-11-2020 02:10 PM
Re: Local MAC based authentication per individual port (HPE FlexNetwork 5130 EI Switch Series)
Hi Ivan_B,
I remember reading about this at the beginning of my research, but for some reason I thought this worked at a full switch level across all ports. Shows that I needed to read this in more detail. I guess as I read more in-depth sections of the manual, I would have understood this section with more clarity should I have gone back to it.
Thank you so much for your help. You've saved me so much work and man hours.
Neil