Solved

How to control the port access based on MAC on the HP switch?

Posted on 2014-03-18
Last Modified: 2014-03-31
This is about the layer 2 managed switch HP ProCurve 1910-24G. From the HP web site, the feature is called Advanced access control lists (ACLs) — enables network traffic filtering and enhances network control using MAC- and IP-based ACLs; time-based ACLs allow for greater flexibility with managing network access.

The MAC-based control is the one we are looking for. How can we apply the control?

Thanks in advance.
Question by:MichaelBalack
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39943361
See the link below, starting at page 464 or 477 of 553

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941555-2.pdf
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948781
Dear Soulja,

Please elaborate step by step, thanks.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948884
Dear Soulja,

After creating an ACL, let's say 4001, I import all the permitted devices with MAC addresses. After that, how can I apply this ACL to individual ports?

Question 2: the MAC address should be keyed in in the format xxxx-xxxx-xxxx; how about the subnet mask for these MACs? Shall I key in 0000-0000-0000 or ffff-ffff-ffff?
 
LVL 26

Expert Comment

by:Soulja
ID: 39950467
Are you just trying to restrict what mac addresses use a specific port? If so, why not just use port security?
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955193
Hi Soulja,

I want to only permit a range of, let's say, 20 devices with registered MAC addresses to use a range of ports on that particular HP switch. HP said the ACL with frame header checking suits the objective.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955200
Hi Soulja,

I found that the section titled "ACL and QoS Configuration example", at pg 494 to 502, has a good scenario about using the ACL together with QoS (class, behaviour, policy) to achieve the restriction.

If port-security can do the job, please share it.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39956790
Called up HP support, and they told me to use the mac-address static method. There are 2 steps to be applied on the selected port(s) as follows:

In the CLI, type:

     1. undo mac-address dynamic int gig1/0/1 vlan 1 (to disable the dynamic mac learning)
     2. mac-address static 001b-6639-0010 int gig1/0/1 vlan 1

The tactic is to disable the port's MAC address learning, and then type in the MAC addresses of those devices that are allowed to use the selected port(s).

Let's see if his method fulfills the objective or not.
 
LVL 26

Expert Comment

by:Soulja
ID: 39956803
Yes, that is port security. It restricts what MAC addresses can connect to that port, but you state you are trying to restrict TCP ports also, which I don't think that will solve. Now if you just want to lock it down to certain MAC addresses, then port security (mac-address static) is what you want.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39963934
Hi Soulja,

I didn't mention that I want to restrict TCP ports. I only mentioned restriction based on MAC address.

As the method stated in my previous article does not work.
 
LVL 26

Expert Comment

by:Soulja
ID: 39964033
Ah, okay, anytime I hear ports I usually think of TCP ports and not interfaces. You should be set then.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39965685
Hi Soulja,

Please see the current situation as follows:

A couple of switch ports are configured with the 2 steps as follows:

 - undo mac-address dynamic gig1/0/x ( for example, gig1/0/1, gig1/0/2, etc)
 - mac-address static c8f1-663a-9a9b (or other fixed mac-address)

A PC with the matched MAC address can only connect to the particular port. Attempts to connect the above PC to another port failed.

However, a PC with a MAC address that isn't defined as "tied" to any port is able to use any port without restriction. Is there a way to stop this?

HP technical support told me to use the command - user bind. This is how to apply the command in interface mode:

 [hp-gigabiethernet1/0/1] user-bind mac-address c81f-663a-9a9b

Any idea to achieve the objective using the above method?
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39966551
If a PC is connected to a port where you have a statically configured MAC address on it, it should not be able to connect.

So if the PC's MAC address doesn't match the MAC assigned to, say, G1/0/1, it should not be able to connect to it.
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 39966966
it works
0
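
An added example (not from the thread, and not HP's code): a Python script that converts an allowlist of MAC addresses to the xxxx-xxxx-xxxx form asked about above, builds the two commands quoted in the thread for each port, and flags observed (port, MAC) pairs that are unregistered or on the wrong port. The function names, the allowlist layout and the observed pairs are assumptions; collecting the pairs from the switch is outside the example.

```python
import re

# Command forms are the two quoted in the thread (HP support's suggestion).
CMD_UNDO = "undo mac-address dynamic int {port} vlan {vlan}"
CMD_STATIC = "mac-address static {mac} int {port} vlan {vlan}"


def normalize_mac(raw):
    """Return a MAC in the switch's xxxx-xxxx-xxxx form, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # The low bit of the first octet marks group (multicast/broadcast)
    # addresses, which never identify a single device.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group address cannot identify a device: {raw!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def static_commands(allowlist, vlan=1):
    """Build the thread's two commands for every port in {port: [MACs]}."""
    lines = []
    for port, macs in allowlist.items():
        lines.append(CMD_UNDO.format(port=port, vlan=vlan))
        for mac in macs:
            mac = normalize_mac(mac)
            lines.append(CMD_STATIC.format(mac=mac, port=port, vlan=vlan))
    return lines


def audit(allowlist, observed):
    """Return (port, mac, reason) for each observed pair that is not permitted."""
    allowed = {p: {normalize_mac(m) for m in macs} for p, macs in allowlist.items()}
    home = {m: p for p, macs in allowed.items() for m in macs}
    findings = []
    for port, raw in observed:
        mac = normalize_mac(raw)
        if mac in allowed.get(port, set()):
            continue
        reason = f"registered to {home[mac]}" if mac in home else "unregistered MAC"
        findings.append((port, mac, reason))
    return findings


# Sample data: the two MACs from the thread written in other notations,
# plus one constructed unregistered MAC. The port assignments are constructed.
ALLOWLIST = {"gig1/0/1": ["00:1B:66:39:00:10"], "gig1/0/2": ["c8f1.663a.9a9b"]}
OBSERVED = [("gig1/0/1", "001b-6639-0010"), ("gig1/0/3", "C8-F1-66-3A-9A-9B"),
            ("gig1/0/4", "02:00:5e:10:00:01")]
```

With the sample data, `audit(ALLOWLIST, OBSERVED)` reports the registered PC seen on the wrong port and the unregistered PC, the second being the case raised in the thread.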
