HPE Community
Switches, Hubs, and Modems
1821985 Members
3653 Online
109638 Solutions
New Discussion юеВ

Block MAC certain Addresses

 
SOLVED
Go to solution
Matt Ballou
Occasional Advisor

тАО05-22-2006 02:31 AM

тАО05-22-2006 02:31 AM

Block MAC certain Addresses

Is there a way to block MAC Addresses on the Procurve 2650, 5300xl series? There are a few folks who keep bringing in AP's and other devices on our network and I essentially only want to allow certain MAC addresses on each Port and also block unknown AP's. Although we have policies in place to deal, some folks don't always get the message regarding Rogue AP's. We have PCM+2.1/IDM 2.1 but have not started to implement yet. I don't think these people would know how to Spoof the MAC Address and this would at least deter them.
0 Kudos
7 REPLIES 7
Matt Hobbs
Honored Contributor

тАО05-22-2006 12:07 PM

тАО05-22-2006 12:07 PM

Re: Block MAC certain Addresses

Yep you certainly can:

ProCurve Switch 2626(config)# lockout-mac
MAC-ADDR Enter MAC address for the 'lockout-mac'
command/parameter.

Don't forget to assign points to posts that have helped you.
0 Kudos
Matt Hobbs
Honored Contributor

тАО05-22-2006 12:42 PM

тАО05-22-2006 12:42 PM

Re: Block MAC certain Addresses

On second thought, lockout-mac by itself isn't really sufficient. Clients will still be able to associate to the AP and get access to the network. You should actually look at Pott Security instead. I'd strongly recommend you read through this chapter of the security guide:

ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf
0 Kudos
Matt Hobbs
Honored Contributor

тАО05-22-2006 01:11 PM

тАО05-22-2006 01:11 PM

Solution

Re: Block MAC certain Addresses

And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:

ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous addr
ess-limit 1 action send-alarm

This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

Alternatively, you could use 'send-disable' which would also block the port until you 'clear-intrusion-flag'.
Mohieddin Kharnoub
Honored Contributor

тАО05-22-2006 03:36 PM

тАО05-22-2006 03:36 PM

Re: Block MAC certain Addresses

Hi

If you want only to allow certain MAC per port, then i think what do you need is:
MAC Lockdown which is permanent assignment of a given MAC address to a given port.

the command is:
mac-address [mac address] static VLAN [vid] [port number]

example:
mac-address 001500-3C36D4 static VLAN 2 A6

Science for Everyone
Matt Ballou
Occasional Advisor

тАО05-23-2006 01:37 AM

тАО05-23-2006 01:37 AM

Re: Block MAC certain Addresses

And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:

ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous addr
ess-limit 1 action send-alarm

This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

> What if we added our own AP on the network, would that mess up this setup as we would then possibly block our legit AP?
0 Kudos
Les Ligetfalvy
Esteemed Contributor

тАО05-23-2006 04:41 AM

тАО05-23-2006 04:41 AM

Re: Block MAC certain Addresses

I think limit 1, continuous learn would not stop the DSL routers with access points since all the other MACs hide behind NAT.

There is something to be said for the user adjusting tool that we keep behind the door.
0 Kudos
Matt Hobbs
Honored Contributor

тАО05-23-2006 11:17 AM

тАО05-23-2006 11:17 AM

Re: Block MAC certain Addresses

> What if we added our own AP on the
> network, would that mess up this setup as
> we would then possibly block our legit AP?

On your ports with legitimate AP's, you just don't use that command. It is port specific. Also you would not set it on the the switch uplink ports.

As Les said though, if an end-user brought in an AP that was performing NAT it would be harder to detect with this method - you would really need other AP's which deteced the rogue AP's radios. The 420wl and 530wl can do this.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.