HPE Community
Switches, Hubs, and Modems
1751722 Members
5631 Online
108781 Solutions
New Discussion юеВ

Port Lockdown to 1 MAC

 
SOLVED
Go to solution
Tony Barrett_2
Frequent Advisor

тАО10-20-2006 01:14 AM

тАО10-20-2006 01:14 AM

Port Lockdown to 1 MAC

I want to enforce our 2600 series switch's to only allow 1 MAC address per port. I don't mind what this MAC address is, but I don't want it to allow a second MAC to be learnt.

I've looked at the manuals, and I can nominate a single MAC to a port, or restrict an IP subnet to a switch port, but I can't obviously see a way to say 'only allow one MAC address on this port'. I don't mind if this is a global switch setting.

The idea behind this being to stop users plugging in hubs and sharing ports!

Thanks.
0 Kudos
3 REPLIES 3
Matt Hobbs
Honored Contributor

тАО10-20-2006 01:36 AM

тАО10-20-2006 01:36 AM

Solution

Re: Port Lockdown to 1 MAC

Hi Tony,

I believe this should do what you're after:

2600(config)#port-security learn-mode limited-continuous address-limit 1

The only problem is when you get someone who plugs in a router that does NAT, as it will still appear as only the one mac-address...

Matt
Les Ligetfalvy
Esteemed Contributor

тАО10-20-2006 08:25 AM

тАО10-20-2006 08:25 AM

Re: Port Lockdown to 1 MAC

Those nasty consumer DSL routers... they make it so easy to clone MAC too. I am always vigilant of MAC OUI but when they clone the MAC of their accepted PC, it gets harder to catch them.
0 Kudos
Tony Barrett_2
Frequent Advisor

тАО10-22-2006 09:13 PM

тАО10-22-2006 09:13 PM

Re: Port Lockdown to 1 MAC

Thanks for the prompt reply Matt, and sorry for not getting back to you sooner. Guess I was looking in the wrong place in the manual.

Your suggestion I think will enforce what I need, but I forgot to mention I want to use this 'single MAC per port' option with 802.1x authentication, which seems to cause a problem.

If I enter the suggested command with 802.1x auth enabled on the same port (e.g. 1), then I get the following error;

2600(config)# address-limit: Not allowed in current learn mode

I've tried using the following which works;

2600(config)# port-security 1 learn-mode port-access action send-alarm

2600(config)# sh port-security

Port Learn-Mode Action
1 Port-Access (802.1x) Send Alarm

But I'm pretty sure this config will only notify with SNMP trap if there is a detected security breach. It won't restrict learning to a single MAC.



0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.