Solved

How to control the port access based on MAC on the HP switch?

Posted on 2014-03-18
13
1,184 Views
Last Modified: 2014-03-31
This is about the layer 2 managed switch HP ProCurve 1910-24G. From the HP web site, the feature is called Advanced access control lists (ACLs) — enables network traffic filtering and enhances network control using MAC- and IP-based ACLs; time-based ACLs allow for greater flexibility with managing network access.

The MAC-based control is the one we are looking for. How can we apply the control?

Thanks in advance.
0
Question by:MichaelBalack
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39943361
See the below link starting at page 464 or  477 of 553

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941555-2.pdf
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948781
Dear Soulja,

Please elaborate on step-by-step, thanks.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948884
Dear Soulja,

After creating an ACL, let's say 4001, import all the permitted devices with MAC addresses. After that, how can I apply this ACL to individual ports?

Question 2: the MAC address should be keyed in in the format xxxx-xxxx-xxxx. What about the subnet mask for these MACs? Shall I key in 0000-0000-0000 or ffff-ffff-ffff?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39950467
Are you just trying to restrict what mac addresses use a specific port? If so, why not just use port security?
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955193
Hi Soulja,

I want to only permit a range of, let's say, 20 devices with registered MAC addresses to use a range of ports on that particular HP switch. HP said the ACL with frame header checking suits the objective.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955200
Hi Soulja,

I found the title "ACL and QoS Configuration example" at pg 494 till 502; it has a good scenario about using the ACL, together with QoS (class, behaviour, policy), to achieve the restriction.

If port-security can do the job, please share it.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39956790
Called up HP support, and they told me to use the mac-address static method. There are 2 steps to be applied on the selected port(s) as follows:

in CLI, type:

     1. undo mac-address dynamic int gig1/0/1 vlan 1 (to disable the dynamic mac learning)
     2. mac-address static 001b-6639-0010 int gig1/0/1 vlan 1

The tactic is to disable the port's MAC address learning, and then type in those devices with MAC addresses that are allowed to use that selected port(s).

Let's see if this method fulfills the objective or not.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39956803
Yes, that is port security. It restricts what MAC addresses can connect to that port, but you state you are trying to restrict TCP ports also, which I don't think that will solve. Now if you just want to lock it down to certain MAC addresses, then port security (mac-address static) is what you want.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39963934
Hi Soulja,

I didn't mention that I want to restrict TCP ports. I only mentioned that the restriction is based only on MAC address.

Also, the method stated in my previous article does not work.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39964033
Ah, okay, anytime I hear ports I usually think of tcp ports and not interfaces. You should be set then.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39965685
Hi Soulja,

Please see the current situation as follows:

A couple of switch ports are configured with the 2 steps as follows:

 - undo mac-address dynamic gig1/0/x ( for example, gig1/0/1, gig1/0/2, etc)
 - mac-address static c8f1-663a-9a9b (or other fixed mac-address)

A PC with the matching MAC address can only connect to that particular port. Attempts to connect the above PC to other ports failed.

However, a PC with a MAC address that isn't tied to any port is able to use any port without restriction. Is there a way to stop this?

HP technical support told me to use the command user-bind. This is how to apply the command in interface mode:

 [hp-gigabiethernet1/0/1] user-bind mac-address c81f-663a-9a9b

Any idea to achieve the objective using the above method?
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39966551
If a PC is connected to a port where you have a statically configured MAC address, it should not be able to connect.

So if the PC's MAC address doesn't match the MAC assigned to, say, G1/0/1, it should not be able to connect to it.
0
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 39966966
It works.
0
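As an added example (not from the thread or from HP), the two-step procedure above, generated for a whole range of ports from a list of registered devices: it normalizes MACs written in any common notation into the xxxx-xxxx-xxxx form the switch expects, emits the `undo mac-address dynamic` / `mac-address static` lines per port, and reports any port in the range that has no registered MAC tied to it, which is the gap the thread ran into. The device list, port names and the full-word `interface GigabitEthernet1/0/N` spelling of the thread's `int gig1/0/N` are assumptions.

```python
import re

# Constructed sample data: made-up devices and the port each is tied to.
REGISTERED = [
    ("GigabitEthernet1/0/1", "C8:F1:66:3A:9A:9B"),   # colon notation
    ("GigabitEthernet1/0/2", "001b.6639.0010"),      # Cisco dotted notation
    ("GigabitEthernet1/0/3", "00-1b-66-39-00-11"),   # dash-per-byte notation
]
# Ports that are meant to be locked down (assumed range).
PORT_RANGE = [f"GigabitEthernet1/0/{n}" for n in range(1, 5)]

_HEX12 = re.compile(r"[0-9a-f]{12}")


def to_hp_format(mac: str) -> str:
    """Normalize any common MAC notation to the xxxx-xxxx-xxxx form used on the 1910."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def build_config(registered, port_range, vlan=1):
    """Return (cli_lines, unbound_ports).

    cli_lines follows the two steps from the thread for every port in the range:
    disable dynamic learning, then add one static entry per registered MAC.
    unbound_ports lists ports in the range with no static MAC at all, so an
    operator can review them before assuming the range is locked down.
    """
    by_port = {}
    for port, mac in registered:
        by_port.setdefault(port, []).append(to_hp_format(mac))

    lines = []
    for port in port_range:
        lines.append(f"undo mac-address dynamic interface {port} vlan {vlan}")
        for mac in by_port.get(port, []):
            lines.append(f"mac-address static {mac} interface {port} vlan {vlan}")

    unbound = [p for p in port_range if p not in by_port]
    return lines, unbound


if __name__ == "__main__":
    cli, unbound = build_config(REGISTERED, PORT_RANGE)
    print("\n".join(cli))
    if unbound:
        print(f"# review: no static MAC bound on {', '.join(unbound)}")
```

Static MAC entries only match the address a host presents, so the binding is an inventory control rather than a strong identity check; pair it with 802.1X where the hardware supports it.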
