Switches, Hubs, and Modems

automating mac lockout

 
SOLVED
Go to solution
Dave Henley
Advisor

automating mac lockout

Is it possible to create a policy in PCM+ 3.0 that will automatically Lockout a known mac address on a group of 5400 switches when connected then automatically UnLock the port after a given time period?
Sietze Reitsma
Respected Contributor

Re: automating mac lockout

This should be possible, but I'm not 100% sure if this roll-back function is part of Network Immunity Manager 2.0 or already available in PCM+ 3.0. Check if you can create the MAC lock-out action in the Policy Manager.

You can test by downloading the 60-day trial from the ProCurve website.

Dave Henley
Advisor

Re: automating mac lockout

I already have PCM+ 3.0, and the MAC lockout option is available for use in the Policy Manager.

I have looked at the events entry but do not see anything that records the MAC address of a device connecting to a switch. Is there a log file that shows more detailed information?
Sietze Reitsma
Respected Contributor

Re: automating mac lockout

The only way I can see at the moment is to trigger a MAC lockout by a trap. If the event contains the MAC address, then you can create a policy which captures this MAC address for the MAC lock-out action. In that case you can create a time-based roll-back in the policy, for example one hour.

So in the case of NIM 2.0, you have several triggers like NBAD (Network Behavior Anomaly Detection), external IPS/IDS, or other applications which can be used to perform actions like MAC lockout, rate limiting or configuring VLANs.

Dave Henley
Advisor

Re: automating mac lockout

The problem appears to center around getting a MAC address registered in an event when a device becomes active on a switch. What type of activity would cause an event and record a MAC address?
Sietze Reitsma
Respected Contributor

Re: automating mac lockout

Dave Henley
Advisor

Re: automating mac lockout

Thanks for keeping up with this. The goal is to lock out a device with a known MAC address when that device is plugged into the network and then unlock it after a specified time period.

Or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded.

Similar to specifying the number of devices that can attach to a switch port before an action is taken. The problem with this approach is I have to manually remove the flag and enable the port.

Sietze Reitsma
Respected Contributor
Solution

Re: automating mac lockout

> Thanks for keeping up with this. The goal is to lock out a device with a known MAC address when that device is plugged into the network and then unlock it after a specified time period.

Answer: at the moment a little complicated to create, but it should be possible in the future with a new enhanced scripting engine in PCM3. For now you can manually enable and disable MAC lockout.

> Or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded.

Answer: maybe port security can help, with a continuous learn mode and a maximum number of clients (the action keyword is what makes the switch disable the port on intrusion):

switch(config)# port-security 1 learn-mode limited-continuous address-limit 8 action send-disable

The 9th client will be disabled.

> Similar to specifying the number of devices that can attach to a switch port before an action is taken. The problem with this approach is I have to manually remove the flag and enable the port.

Answer: see response to your 2nd question.

Maybe another idea is to use MAC authentication. In this case only registered MAC addresses are allowed, and unwanted MAC addresses can be moved to a policy with less bandwidth and/or restricted resource availability, like internet only. Unknown addresses are handled in a separate part of the network or not granted access.

Sietze
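
The pattern the thread keeps circling back to (an event that carries the MAC address triggers the lock-out, and a timer rolls it back) can be prototyped outside PCM+. The following is an added example written for this page; it is not code from the thread, from PCM+ or from HP. It parses constructed port-security intrusion log lines, locks out only MAC addresses on a known-bad list, and emits the unlock commands once a hold time has elapsed. The switch commands it produces (`lockout-mac`, `no lockout-mac`, `port-security <port> clear-intrusion-flag`, `interface <port> enable`) and the log format are assumptions, and the log lines are constructed sample data, not real switch output.

```python
"""Added example (not from the thread or from HP PCM+): an event-driven
MAC lockout with automatic time-based roll-back.  Reads syslog/trap-style
port-security intrusion lines, locks out MACs on a known-bad list and
schedules an unlock after a hold time.  Switch commands emitted are
ProCurve-style and assumed; adapt them to your platform before use.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real switch output).  The format is an
# assumption loosely modelled on port-security intrusion syslog messages.
SAMPLE_LOG = """\
Jan 10 09:00:01 sw5400-01 port-security: port 12: intruder 0011aa-bbcc01 detected
Jan 10 09:00:05 sw5400-01 port-security: port 13: intruder 0011aa-bbcc99 detected
Jan 10 09:00:09 sw5400-01 link up on port 14
"""

INTRUSION_RE = re.compile(
    r"(?P<host>\S+) port-security: port (?P<port>\d+): "
    r"intruder (?P<mac>[0-9a-f]{6}-[0-9a-f]{6}) detected"
)


def parse_intrusion_event(line):
    """Return (switch, port, mac) for an intrusion line, or None for anything else."""
    m = INTRUSION_RE.search(line)
    if not m:
        return None
    return m.group("host"), int(m.group("port")), m.group("mac").lower()


@dataclass
class LockoutPolicy:
    known_bad_macs: set
    hold_seconds: int
    # (switch, port, mac) -> time (seconds) at which the lockout is rolled back
    active: dict = field(default_factory=dict)

    def handle_event(self, line, now):
        """Process one log line at time `now`; return the CLI commands to run."""
        ev = parse_intrusion_event(line)
        if ev is None:
            return []
        switch, port, mac = ev
        if mac not in self.known_bad_macs:
            return []  # unknown device: leave it to port security's own action
        if (switch, port, mac) in self.active:
            return []  # already locked out: do not duplicate or extend the hold
        self.active[(switch, port, mac)] = now + self.hold_seconds
        return [
            f"{switch}: lockout-mac {mac}",
            f"{switch}: port-security {port} clear-intrusion-flag",
        ]

    def expire(self, now):
        """Return unlock commands for every lockout whose hold time has passed."""
        cmds = []
        for key, until in list(self.active.items()):
            if now >= until:
                switch, port, mac = key
                cmds.append(f"{switch}: no lockout-mac {mac}")
                cmds.append(f"{switch}: interface {port} enable")
                del self.active[key]
        return cmds


def run_sample(hold_seconds=3600):
    """Drive the policy over SAMPLE_LOG with a simulated clock; return all commands."""
    policy = LockoutPolicy({"0011aa-bbcc01"}, hold_seconds)
    actions = []
    t = 0
    for line in SAMPLE_LOG.splitlines():
        actions += policy.handle_event(line, t)
        t += 4
    actions += policy.expire(t)             # hold not yet over: nothing to do
    actions += policy.expire(hold_seconds)  # hold expired: roll the lockout back
    return actions


if __name__ == "__main__":
    for cmd in run_sample():
        print(cmd)
```

In a real deployment the loop would be fed by a syslog or SNMP trap receiver and the commands pushed over SSH; the point here is that the MAC must be present in the event before any policy can key on it, which is exactly the gap the thread identifies.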

Dave Henley
Advisor

Re: automating mac lockout

Thanks for the discussion. Looks like I will need to continue with manual lockout until I get IDM up and running. I was hoping there would be an easy way to restrict port access to known MAC addresses when the device became active on the network. Port security would have been my first choice, but there doesn't appear to be a way to automatically clear the flag and return the port for use when the original device is plugged back in.