Comware

 View Only

  • 1.  Block MAC certain Addresses

    Posted May 22, 2006 05:32 AM
    Is there a way to block MAC Addresses on the Procurve 2650, 5300xl series? There are a few folks who keep bringing in AP's and other devices on our network and I essentially only want to allow certain MAC addresses on each Port and also block unknown AP's. Although we have policies in place to deal, some folks don't always get the message regarding Rogue AP's. We have PCM+2.1/IDM 2.1 but have not started to implement yet. I don't think these people would know how to Spoof the MAC Address and this would at least deter them.


  • 2.  RE: Block MAC certain Addresses

    Posted May 22, 2006 03:07 PM
    Yep you certainly can:

    ProCurve Switch 2626(config)# lockout-mac
    MAC-ADDR Enter MAC address for the 'lockout-mac'
    command/parameter.

    Don't forget to assign points to posts that have helped you.


  • 3.  RE: Block MAC certain Addresses

    Posted May 22, 2006 03:43 PM
    On second thought, lockout-mac by itself isn't really sufficient. Clients will still be able to associate to the AP and get access to the network. You should actually look at Pott Security instead. I'd strongly recommend you read through this chapter of the security guide:

    ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf


  • 4.  RE: Block MAC certain Addresses

    Posted May 22, 2006 04:12 PM
    And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:

    ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous addr
    ess-limit 1 action send-alarm

    This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

    Alternatively, you could use 'send-disable' which would also block the port until you 'clear-intrusion-flag'.


  • 5.  RE: Block MAC certain Addresses

    Posted May 22, 2006 06:37 PM
    Hi

    If you want only to allow certain MAC per port, then i think what do you need is:
    MAC Lockdown which is permanent assignment of a given MAC address to a given port.

    the command is:
    mac-address [mac address] static VLAN [vid] [port number]

    example:
    mac-address 001500-3C36D4 static VLAN 2 A6



  • 6.  RE: Block MAC certain Addresses

    Posted May 23, 2006 04:38 AM
    And some more... I think this would be a good setting for end-node ports where you only expect 1 mac-address:

    ProCurve Switch 2626(config)# port-security 1 learn-mode limited-continuous addr
    ess-limit 1 action send-alarm

    This will let the port learn 1 mac-address only. If it detects a second mac-address, it will send an alarm to your PCM server and add an entry to the switch event log.

    > What if we added our own AP on the network, would that mess up this setup as we would then possibly block our legit AP?


  • 7.  RE: Block MAC certain Addresses

    Posted May 23, 2006 07:41 AM
    I think limit 1, continuous learn would not stop the DSL routers with access points since all the other MACs hide behind NAT.

    There is something to be said for the user adjusting tool that we keep behind the door.


  • 8.  RE: Block MAC certain Addresses

    Posted May 23, 2006 02:18 PM
    > What if we added our own AP on the
    > network, would that mess up this setup as
    > we would then possibly block our legit AP?

    On your ports with legitimate AP's, you just don't use that command. It is port specific. Also you would not set it on the the switch uplink ports.

    As Les said though, if an end-user brought in an AP that was performing NAT it would be harder to detect with this method - you would really need other AP's which deteced the rogue AP's radios. The 420wl and 530wl can do this.


Related Content