How to control the port access based on MAC on the HP switch?

This is talking about the layer 2 managed switch of HP procurve 1910-24G. From the HP web site, the feature is called Advanced access control lists (ACLs) — enables network traffic filtering and enhances network control using MAC- and IP-based ACLs; time-based ACLs allow for greater flexibility with managing network access.

The control on MAC-based is the one we are looking for. How can we apply the control?

Thanks in advance.
LVL 1
MichaelBalackAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
SouljaConnect With a Mentor Commented:
If a pc is connected to a port where you have a statically configured mac address on it should not be able to connect.

So if the pc's mac address doesn't match the mac assigned to say G1/0/1. It should not be able to connect to it.
0
 
SouljaCommented:
See the below link starting at page 464 or  477 of 553

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941555-2.pdf
0
 
MichaelBalackAuthor Commented:
Dear Soulja,

Please elaborate on step-by-step, thanks.
0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 
MichaelBalackAuthor Commented:
Dear Soulja,

After creating an ACL, let's say of 4001. Import all the permitted devices with MAC addresses. After that how can i apply this acl to individual ports?

question 2, the mac-address should key in in the format: xxxx-xxxx-xxxx, how about the subnet mask for these mac? Shall I key in 0000-0000-0000 or ffff-ffff-ffff?
0
 
SouljaCommented:
Are you just trying to restrict what mac addresses use a specific port? If so, why not just use port security?
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I want to only permit a range of let's say 20 devices with the registered mac address to use a range of ports on that particular hp switch. HP said the acl with frame header checking suits the objective.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I found the title - ACL and QoS Configuration example at pg 494, till 502 has a good scenario about using the ACL, together with QoS - class, behaviour, policy to achieve the restriction.

If port-security can do the job, please share it.
0
 
MichaelBalackAuthor Commented:
Called up HP support, and they told me to use mac-address static method. There are 2 steps to be apply on the selective port(s) as follows:

in CLI, type:

     1. undo mac-address dynamic int gig1/0/1 vlan 1 (to disable the dynamic mac learning)
     2. mac-address static 001b-6639-0010 int gig1/0/1 vlan 1

The tactic is to disable the port's mac-address learning, and then type in those devices with mac-addresses that allow to use on that selective port(s).

Let's see if his method fulfill the objective or not?
0
 
SouljaCommented:
Yes, that is port security. It resticts what mac addresses can connect to that port, but you state you are trying to restict tcp ports also, which I don't think that will solve. Now if you just want to lock it down to certain mac addresses, then port security (mac-address static) is what you want.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I didnt mention that i want to restrict tcp port. I only mention that restriction only based on mac address.

As the method stated in my previous article does not work.
0
 
SouljaCommented:
Ah, okay, anytime I hear ports I usually think of tcp ports and not interfaces. You should be set then.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

Please see the current situation as follows:

Couples of switch ports configured with 2-step as follows:

 - undo mac-address dynamic gig1/0/x ( for example, gig1/0/1, gig1/0/2, etc)
 - mac-address static c8f1-663a-9a9b (or other fixed mac-address)

PC with the matched mac-address can only connect to the particular port. Attempt to connect the above PC to other port failed.

However, PC with mac-address that didn't define to "tied" to any port, would able to use any port without restriction. Is there a way to stop this?

HP technical support told me to use the command - user bind. This is how to apply the command in interface mode:

 [hp-gigabiethernet1/0/1] user-bind mac-address c81f-663a-9a9b

Any idea to achieve the objective using the above method?
0
 
MichaelBalackAuthor Commented:
it works
0
All Courses

From novice to tech pro — start learning today.