Comware

  • 1.  automating mac lockout

    Posted Nov 07, 2009 12:52 PM
    Is it possible to create a policy in PCM+ 3.0 that will automatically Lockout a known mac address on a group of 5400 switches when connected then automatically UnLock the port after a given time period?


  • 2.  RE: automating mac lockout

    Posted Nov 09, 2009 03:30 AM
    This should be possible, but I'm not 100% sure if this roll-back function is part of Network Immunity Manager 2.0 or already available in PCM+ 3.0. Check if you can create the MAC lock-out action in the policy manager.

    You can test by downloading the 60 day trial from the procurve website.



  • 3.  RE: automating mac lockout

    Posted Nov 09, 2009 09:28 AM
    I already have PCM+ 3.0 and the mac lockout option is available for use in the Policy Manager.

    I have looked at the events entry but do not see anything that records the mac address of a device connecting to a switch. Is there a log file that shows more detailed information?


  • 4.  RE: automating mac lockout

    Posted Nov 09, 2009 07:49 PM
    The only way I can see at the moment is to trigger a MAC lockout by a trap. If the event contains the MAC address then you can create a policy which captures this MAC address for the MAC lock-out action. In that case you can create a time-based roll-back in the policy, for example one hour.

    So in the case of NIM 2.0, you have several triggers like NBAD (Network Behavior Anomaly Detection), external IPS/IDS, or other applications which can be used to perform actions like Mac-lockout, rate limiting or configuring vlans.



  • 5.  RE: automating mac lockout

    Posted Nov 09, 2009 11:27 PM
    The problem appears to center around getting a mac address to be registered in an event when a device becomes active on a switch. What type of activity would cause an event and record a mac address?


  • 6.  RE: automating mac lockout

    Posted Nov 10, 2009 07:28 PM


  • 7.  RE: automating mac lockout

    Posted Nov 11, 2009 09:29 AM
    Thanks for keeping up with this. The goal is to lock out a device with a known MAC address when that device is plugged into the network and then unlock it after a specified time period.

    Or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded.

    Similar to specifying the number of devices that can attach to a switch port before an action is taken. Problem with this approach is I have to manually remove the flag and enable the port.



  • 8.  RE: automating mac lockout

    Posted Nov 11, 2009 03:05 PM
    >thanks for keeping up with this. The goal is to lockout a device with a known mac address when that device is plugged into the network and then unlockout after a specified time period.

    answ: at the moment a little complicated to create, but it should be possible in the future with a new enhanced scripting engine in PCM3. For now you can manually enable and disable MAC lockout.



    >or, be able to automatically enable a port in a specified time period after the number of devices that can attach to a port has been exceeded.

    answ: maybe port security can help with a continuous learn mode and a maximum number of clients:
    switch(config)# port-security 1 learn-mode limited-continuous address-limit 8

    The 9th client will be disabled.


    >Similar to specifying the number of devices that can attach to a switch port before an action is taken. Problem with this approach is I have to manually remove the flag and enable the port.

    answ: see response to your 2nd question

    Maybe another idea is to use MAC authentication. In this case only registered MAC addresses are allowed and unwanted MAC addresses can be moved to a policy with less bandwidth and/or restricted resource availability, like internet only. Unknown addresses are handled in a separate part of the network or not granted access.

    Sietze
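    The two mechanisms discussed in this thread, a trap-triggered MAC lockout with a timed roll-back (post 4) and a per-port address limit that disables the port and later re-enables it (the port-security answer above), can both be expressed as one small event-driven policy. The block below is an added example written for this thread; it is not PCM+, NIM or ProCurve code. The event line format, the action names and the sample events are constructed for illustration, and the address limit is set to 2 rather than the 8 used above so the sample stays short. A real deployment would feed it parsed traps or syslog and map each returned action tuple onto whatever the management system actually executes.

```python
"""Added example (not PCM+/NIM code): event-driven MAC lockout and port
disable with timed roll-back. Event format and action names are constructed."""
import re
from dataclasses import dataclass, field

# Constructed, hypothetical event format: "<ts> <switch> port <n> mac <mac> <event>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<switch>\S+) port (?P<port>\d+) mac "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<event>\w+)$", re.IGNORECASE)

# Constructed sample events; timestamps are plain seconds for readability.
SAMPLE_EVENTS = [
    "100 sw-5400-01 port 12 mac 00:1b:3f:aa:bb:cc learned",  # known MAC -> lockout
    "160 sw-5400-01 port 12 mac 00:1B:3F:AA:BB:CC learned",  # already locked -> no duplicate
    "200 sw-5400-01 port 7 mac 00:1b:3f:00:00:01 learned",
    "201 sw-5400-01 port 7 mac 00:1b:3f:00:00:02 learned",
    "202 sw-5400-01 port 7 mac 00:1b:3f:00:00:03 learned",   # 3rd MAC exceeds limit 2 -> disable port
    "garbage line that should be ignored",
    "250 sw-5400-01 port 7 mac 00:1b:3f:00:00:04 learned",   # port is disabled -> ignored
]


def parse_event(line):
    """Return a dict for a well-formed event line, else None (malformed lines are dropped)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"], d["port"], d["mac"] = int(d["ts"]), int(d["port"]), d["mac"].lower()
    return d


@dataclass
class LockoutPolicy:
    known_macs: set            # MACs to lock out on sight (lower-case)
    lockout_seconds: int       # roll-back period for a MAC lockout
    address_limit: int         # max distinct MACs per port before the port is disabled
    disable_seconds: int       # roll-back period for a disabled port
    learned: dict = field(default_factory=dict)   # (switch, port) -> set of MACs seen
    active: set = field(default_factory=set)      # actions currently awaiting roll-back
    expiries: list = field(default_factory=list)  # (expire_ts, action, undo_action)
    actions: list = field(default_factory=list)   # every action emitted, in order

    def _emit(self, action, expire_at, undo):
        """Emit an action once and schedule its roll-back."""
        if action in self.active:
            return
        self.actions.append(action)
        self.active.add(action)
        self.expiries.append((expire_at, action, undo))

    def handle_event(self, ev):
        """Apply the policy to one parsed event."""
        sw, port, mac, ts = ev["switch"], ev["port"], ev["mac"], ev["ts"]
        if mac in self.known_macs:
            self._emit(("lockout", sw, mac), ts + self.lockout_seconds, ("unlock", sw, mac))
            return
        if ("disable-port", sw, port) in self.active:
            return  # a disabled port would not really report traffic; ignore stragglers
        macs = self.learned.setdefault((sw, port), set())
        macs.add(mac)
        if len(macs) > self.address_limit:
            self._emit(("disable-port", sw, port), ts + self.disable_seconds,
                       ("enable-port", sw, port))
            macs.clear()  # count afresh once the port comes back

    def expire(self, now):
        """Emit every roll-back whose timer has passed, oldest first; return them."""
        due = sorted((e for e in self.expiries if e[0] <= now), key=lambda e: e[0])
        self.expiries = [e for e in self.expiries if e[0] > now]
        for _, action, undo in due:
            self.active.discard(action)
            self.actions.append(undo)
        return [undo for _, _, undo in due]


def run_policy(lines, policy, end_ts):
    """Feed event lines through the policy, then advance the clock to end_ts."""
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        policy.expire(ev["ts"])  # roll back anything due before this event
        policy.handle_event(ev)
    policy.expire(end_ts)
    return policy.actions


def demo():
    """One-hour MAC lockout (as suggested in post 4), five-minute port disable."""
    policy = LockoutPolicy(known_macs={"00:1b:3f:aa:bb:cc"}, lockout_seconds=3600,
                           address_limit=2, disable_seconds=300)
    return run_policy(SAMPLE_EVENTS, policy, end_ts=4000)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Running it prints lockout, disable-port, enable-port and unlock in that order: the port comes back after five minutes and the known MAC is released after the hour, with the repeated sighting at t=160 and the malformed line producing nothing. The roll-back timers are the piece the thread says PCM+ 3.0 cannot yet do on its own; the point of keeping `expire()` separate from `handle_event()` is that the same timer logic works whether the clock is driven by incoming events or by a periodic scheduler.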



  • 9.  RE: automating mac lockout

    Posted Nov 11, 2009 03:38 PM
    Thanks for the discussion. Looks like I will need to continue with manual lockout until I get IDM up and running. I was hoping there would be an easy way to restrict port access to known MAC addresses when the device became active on the network. Port security would have been my first choice, but there doesn't appear to be a way to automatically clear the flag and return the port for use when the original device was plugged back in.