Switches, Hubs, and Modems

MAC address lockdown

 
SOLVED
JaWe
Occasional Contributor

Hello, how do I have to configure MAC lockdown on ProCurve 5304xl, 2650, 2824 and 2626 switches? Is there a way to manage this centrally?
Manfred Arndt
Valued Contributor
Solution

Re: MAC address lockdown

Here are links to the online manuals that have lots of good info.

See section 9-25 for the 2600 and 2800 switches:

ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf


See section 11-21 for the 5300:

ftp://ftp.hp.com/pub/networking/software/6400-5300-3400-Security-Oct2005-59906052.pdf

Good luck
Sergej Gurenko
Trusted Contributor

Re: MAC address lockdown

"port-security XX learn-mode static action send-disable" provides some kind of centralized management.
All MAC addresses are learned dynamically and stored in the config. In case any user inserts another device into the switch, you will receive an alarm and the port will stay blocked. The user will need to contact the sysadmin to unblock the port.

You can also look at 802.1X. This is a 95% more centralized solution.

Both 802.1X and MAC lockdown do not protect from recent attacks (ARP poisoning).
Jonathan Axford
Trusted Contributor

Re: MAC address lockdown

Hi, we use the port-security feature here at the college.

It works fairly well; the only downside is it can be hard to manage if you have a lot of devices.

We use it because students like to plug their own laptops in and try to gain access to the network. If they try this now, the port is disabled until IT re-enables it.

We use :

Switch(Config)#port-security xx-xx learn-mode static action send-disable address-limit 1

xx-xx is the port range that you want to enable it on. Learn-mode static means it does not continuously learn MAC addresses, and we have set the address-limit to 1 so it only learns 1 address per port.
The action command sends an alert to our PCM+ software and disables the port if an alien MAC address is detected.

I would recommend using this if you don't want to go the 802.1x route and if your environment remains fairly static. If you change PCs / move PCs a lot then it can be a real nightmare staying on top of it!
Where there is a will there is a way...

Re: MAC address lockdown

Hi, may I know how can you enable the port again? Because when you enable it, the old MAC address is still there and the port is blocked again.
Jonathan Axford
Trusted Contributor

Re: MAC address lockdown

Hi, here is how to clear the MAC address:

Delete the address by using 'no port-security macaddress .

(From Matt's post previously....)

You should then be able to enable the port and it will pick up the new MAC address.
Where there is a will there is a way...
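The behaviour described in the thread (learn-mode static with address-limit 1 and action send-disable, the port staying blocked after a plain re-enable because the old MAC is still learned, and the clear-then-enable procedure from the last reply) can be reasoned about with a small simulation. The code below is an added example written for this page; it is a model of the lockdown state machine, not ProCurve firmware or any HP tool, and the Port class, its method names and the sample MAC addresses are all constructed for illustration. The config_lines helper only reproduces the command syntax quoted in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Model of one switch port under 'learn-mode static action send-disable'.

    Hypothetical class for illustration; not ProCurve code.
    """
    name: str
    address_limit: int = 1
    learned: set = field(default_factory=set)    # static MACs stored in the config
    enabled: bool = True
    alarms: list = field(default_factory=list)   # alerts that would go to PCM+ / syslog

    def frame_from(self, mac: str) -> bool:
        """Process an ingress frame from `mac`; return True if it is forwarded."""
        mac = mac.lower()
        if not self.enabled:
            return False                          # a disabled port forwards nothing
        if mac in self.learned:
            return True
        if len(self.learned) < self.address_limit:
            # learn-mode static: the first MAC(s) up to the limit are learned and
            # written to the config; learning then stops for this port
            self.learned.add(mac)
            return True
        # address limit already reached and this MAC is not authorised:
        # action send-disable raises an alarm and shuts the port
        self.alarms.append(f"{self.name}: intruder {mac}, port disabled")
        self.enabled = False
        return False

    def clear_address(self, mac: str) -> None:
        """Remove a learned MAC (what the 'no port-security ... mac-address' step does)."""
        self.learned.discard(mac.lower())

    def enable(self) -> None:
        """Administratively re-enable the port."""
        self.enabled = True


def replace_device(port: Port, old_mac: str, new_mac: str) -> bool:
    """Procedure from the last reply: clear the old MAC, then re-enable the port.

    Returns True if a frame from the new device is forwarded afterwards.
    """
    port.clear_address(old_mac)
    port.enable()
    return port.frame_from(new_mac)


def config_lines(port_range: str, limit: int = 1) -> list:
    """Render the command quoted in the thread for a port range, e.g. 'A1-A24'."""
    return [
        f"port-security {port_range} learn-mode static action send-disable "
        f"address-limit {limit}"
    ]


def scenario() -> dict:
    """Walk through the thread's sequence of events on a single port (constructed MACs)."""
    p = Port("A1")
    first = p.frame_from("00:11:22:33:44:55")          # first device: learned and forwarded
    intruder = p.frame_from("aa:bb:cc:dd:ee:ff")        # second device: alarm, port disabled
    p.enable()                                           # plain re-enable, old MAC still learned
    blocked_again = p.frame_from("aa:bb:cc:dd:ee:ff")   # new device is still an intruder
    fixed = replace_device(p, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")
    return {
        "first_forwarded": first,
        "intruder_forwarded": intruder,
        "blocked_again_after_plain_enable": blocked_again,
        "forwarded_after_clear_and_enable": fixed,
        "alarms": len(p.alarms),
        "learned": sorted(p.learned),
    }


if __name__ == "__main__":
    for line in config_lines("A1-A24"):
        print(line)
    print(scenario())
```

The scenario shows why the questioner's port kept blocking: with learn-mode static and address-limit 1 the learned MAC survives a re-enable, so the replacement device trips send-disable a second time until the stale address is removed from the config first.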