  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2264

How to control the port access based on MAC on the HP switch?

This is about the layer 2 managed switch HP ProCurve 1910-24G. From the HP web site, the feature is called Advanced access control lists (ACLs): enables network traffic filtering and enhances network control using MAC- and IP-based ACLs; time-based ACLs allow for greater flexibility with managing network access.

The MAC-based control is the one we are looking for. How can we apply the control?

Thanks in advance.
Asked by MichaelBalack

1 Solution
SouljaCommented:
See the link below, starting at page 464 (477 of 553):

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941555-2.pdf
0
 
MichaelBalackAuthor Commented:
Dear Soulja,

Please elaborate on step-by-step, thanks.
0
 
MichaelBalackAuthor Commented:
Dear Soulja,

After creating an ACL, let's say 4001, I import all the permitted devices' MAC addresses. After that, how can I apply this ACL to individual ports?

Question 2: the MAC address should be keyed in in the format xxxx-xxxx-xxxx. What about the subnet mask for these MACs? Should I key in 0000-0000-0000 or ffff-ffff-ffff?
0

 
SouljaCommented:
Are you just trying to restrict which MAC addresses can use a specific port? If so, why not just use port security?
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I want to permit only a set of, let's say, 20 devices with registered MAC addresses to use a range of ports on that particular HP switch. HP said the ACL with frame header checking suits the objective.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I found that the section "ACL and QoS Configuration Example" on pages 494 to 502 has a good scenario about using the ACL together with QoS (class, behaviour, policy) to achieve the restriction.

If port security can do the job, please share it.
0
 
MichaelBalackAuthor Commented:
I called up HP support, and they told me to use the mac-address static method. There are 2 steps to apply on the selected port(s), as follows:

in CLI, type:

     1. undo mac-address dynamic int gig1/0/1 vlan 1 (to disable the dynamic mac learning)
     2. mac-address static 001b-6639-0010 int gig1/0/1 vlan 1

The tactic is to disable the port's MAC address learning, and then type in the MAC addresses of the devices that are allowed to use the selected port(s).

Let's see whether this method fulfils the objective or not.
0
 
SouljaCommented:
Yes, that is port security. It restricts which MAC addresses can connect to that port, but you state you are also trying to restrict TCP ports, which I don't think that will solve. Now, if you just want to lock it down to certain MAC addresses, then port security (mac-address static) is what you want.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

I didn't mention that I want to restrict TCP ports. I only mentioned restriction based on MAC address.

Also, the method stated in my previous post does not work.
0
 
SouljaCommented:
Ah, okay. Any time I hear "ports" I usually think of TCP ports and not interfaces. You should be set then.
0
 
MichaelBalackAuthor Commented:
Hi Soulja,

Please see the current situation as follows:

A couple of switch ports are configured with the 2 steps as follows:

 - undo mac-address dynamic gig1/0/x ( for example, gig1/0/1, gig1/0/2, etc)
 - mac-address static c8f1-663a-9a9b (or other fixed mac-address)

A PC with the matching MAC address can only connect to that particular port. Attempting to connect the same PC to another port failed.

However, a PC whose MAC address is not "tied" to any port is able to use any port without restriction. Is there a way to stop this?

HP technical support told me to use the user-bind command. This is how to apply the command in interface mode:

 [hp-GigabitEthernet1/0/1] user-bind mac-address c81f-663a-9a9b

Any idea to achieve the objective using the above method?
0
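The two methods this thread ends up with, the mac-address static two-step from the earlier post and the per-interface user-bind allow-list from this one, as an added worked example that is not part of the original thread, the HP manual or HP support's advice: a small Python generator that normalises MAC addresses from the usual notations (colon, dash, Cisco dotted, bare hex) into the xxxx-xxxx-xxxx form the switch expects, refuses malformed or duplicate entries, and emits the CLI for a whole port range so 20 registered devices can be allowed on, say, GigabitEthernet1/0/1 to 1/0/8 without typing 160 lines by hand. The interface naming GigabitEthernet1/0/N, the VLAN 1 default, the sample MAC list and the port range are assumptions; the commands themselves are the ones quoted in the posts above, with the abbreviated `int gig` spelled out as `interface GigabitEthernet`.

```python
"""Generate HP 1910 (Comware-style) CLI for MAC-based port restriction.

Added example, not from the thread. Builds the two configurations discussed:
  1. mac-address static: pin exactly one MAC to one port (FDB entry), and
  2. user-bind mac-address: an allow-list applied to every port in a range.
Interface names, VLAN and sample MACs below are assumptions for illustration.
"""
import re
from typing import Dict, Iterable, List

# Comware wants MACs as H-H-H: three groups of four lowercase hex digits.
_HEX12 = re.compile(r"[0-9a-f]{12}")


def to_comware_mac(mac: str) -> str:
    """Normalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or
    aabbccddeeff to xxxx-xxxx-xxxx; reject anything that is not 48 bits of hex."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a valid 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def port_range(first: int, last: int, prefix: str = "GigabitEthernet1/0/") -> List[str]:
    """Expand <prefix><first>..<prefix><last> into a list of interface names.
    The GigabitEthernet1/0/N naming is an assumption about the 1910-24G."""
    if not 1 <= first <= last:
        raise ValueError(f"invalid port range {first}-{last}")
    return [f"{prefix}{n}" for n in range(first, last + 1)]


def static_mac_config(bindings: Dict[str, str], vlan: int = 1) -> List[str]:
    """The two-step method from the thread: for each port, remove the dynamic
    entries and pin one MAC to it with a static entry. A MAC can sit on only
    one port in the forwarding table, so a duplicate is an error, not a merge."""
    lines: List[str] = []
    seen: Dict[str, str] = {}
    for port, mac in bindings.items():
        norm = to_comware_mac(mac)
        if norm in seen:
            raise ValueError(f"{norm} is already bound to {seen[norm]}; "
                             "a static MAC entry can point at only one port")
        seen[norm] = port
        lines.append(f"undo mac-address dynamic interface {port} vlan {vlan}")
        lines.append(f"mac-address static {norm} interface {port} vlan {vlan}")
    return lines


def user_bind_config(allowed_macs: Iterable[str], ports: Iterable[str]) -> List[str]:
    """The user-bind method from the thread: every port in the range gets the
    whole allow-list, so any registered device may plug into any of those
    ports. The list is deduplicated after normalisation so that the same MAC
    written in two notations does not produce two bindings."""
    allow = sorted({to_comware_mac(m) for m in allowed_macs})
    lines: List[str] = []
    for port in ports:
        lines.append(f"interface {port}")
        lines.extend(f" user-bind mac-address {mac}" for mac in allow)
        lines.append(" quit")
    return lines


if __name__ == "__main__":
    # Constructed sample input: three registered devices in mixed notations
    # (the first two are the same device written twice) on ports 1-4.
    registered = ["c8:f1:66:3a:9a:9b", "C8F1-663A-9A9B", "001b.6639.0010"]
    print("\n".join(user_bind_config(registered, port_range(1, 4))))
    print()
    print("\n".join(static_mac_config({"GigabitEthernet1/0/5": "00:1B:66:39:00:10"})))
```

Run it with `python3 gen_macports.py > macports.cfg`, review the output, then paste it into the switch's system view. Normalising before deduplicating matters: "c8:f1:66:3a:9a:9b" and "C8F1-663A-9A9B" are one device, and leaving both in the list only wastes binding entries.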
 
SouljaCommented:
If a PC is connected to a port where you have a statically configured MAC address, it should not be able to connect.

So if the PC's MAC address doesn't match the MAC assigned to, say, G1/0/1, it should not be able to connect to it.
0
 
MichaelBalackAuthor Commented:
It works.
0