Solved

How to control the port access based on MAC on the HP switch?

Posted on 2014-03-18
1,651 Views
Last Modified: 2014-03-31
This is talking about the layer 2 managed switch of HP procurve 1910-24G. From the HP web site, the feature is called Advanced access control lists (ACLs) — enables network traffic filtering and enhances network control using MAC- and IP-based ACLs; time-based ACLs allow for greater flexibility with managing network access.

The control on MAC-based is the one we are looking for. How can we apply the control?

Thanks in advance.
Question by:MichaelBalack
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39943361
See the below link starting at page 464 or 477 of 553

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941555-2.pdf
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948781
Dear Soulja,

Please elaborate on step-by-step, thanks.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39948884
Dear Soulja,

After creating an ACL, let's say 4001, I import all the permitted devices with MAC addresses. After that, how can I apply this ACL to individual ports?

Question 2: the MAC address should be keyed in in the format xxxx-xxxx-xxxx. What about the subnet mask for these MACs? Shall I key in 0000-0000-0000 or ffff-ffff-ffff?
 
LVL 26

Expert Comment

by:Soulja
ID: 39950467
Are you just trying to restrict what mac addresses use a specific port? If so, why not just use port security?
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955193
Hi Soulja,

I want to only permit a range of, let's say, 20 devices with registered MAC addresses to use a range of ports on that particular HP switch. HP said the ACL with frame header checking suits the objective.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39955200
Hi Soulja,

I found that the section titled "ACL and QoS Configuration example" at pg 494 till 502 has a good scenario about using the ACL, together with QoS (class, behaviour, policy), to achieve the restriction.

If port-security can do the job, please share it.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39956790
Called up HP support, and they told me to use the mac-address static method. There are 2 steps to be applied on the selected port(s) as follows:

in CLI, type:

     1. undo mac-address dynamic int gig1/0/1 vlan 1   (to disable dynamic MAC learning)
     2. mac-address static 001b-6639-0010 int gig1/0/1 vlan 1

The tactic is to disable the port's MAC address learning, and then type in the MAC addresses of those devices that are allowed to use that selected port(s).

Let's see if this method fulfills the objective or not.
 
LVL 26

Expert Comment

by:Soulja
ID: 39956803
Yes, that is port security. It restricts what MAC addresses can connect to that port, but you state you are trying to restrict TCP ports also, which I don't think that will solve. Now if you just want to lock it down to certain MAC addresses, then port security (mac-address static) is what you want.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39963934
Hi Soulja,

I didn't mention that I want to restrict TCP ports. I only mentioned that the restriction is based only on MAC address.

The method stated in my previous article does not work.
 
LVL 26

Expert Comment

by:Soulja
ID: 39964033
Ah, okay, anytime I hear ports I usually think of tcp ports and not interfaces. You should be set then.
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39965685
Hi Soulja,

Please see the current situation as follows:

A couple of switch ports are configured with the 2 steps as follows:

 - undo mac-address dynamic gig1/0/x ( for example, gig1/0/1, gig1/0/2, etc)
 - mac-address static c8f1-663a-9a9b (or other fixed mac-address)

A PC with the matching MAC address can only connect to that particular port. Attempts to connect the above PC to other ports failed.

However, a PC with a MAC address that isn't defined ("tied") to any port is able to use any port without restriction. Is there a way to stop this?

HP technical support told me to use the command user-bind. This is how to apply the command in interface mode:

 [hp-gigabiethernet1/0/1] user-bind mac-address c81f-663a-9a9b

Any idea to achieve the objective using the above method?
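An added example, not code from the thread or from HP: a Python helper that normalises MAC addresses into the xxxx-xxxx-xxxx notation asked about earlier, emits the two-step lockdown described above (disable dynamic learning, then pin static MACs) for a set of ports, and checks a captured "display mac-address" table for learned entries on ports that should already be locked. The sample table is constructed and its column layout is an assumption; the command syntax follows the thread, with the full interface name used in place of "gig1/0/1".

```python
import re
from typing import Dict, List, Set, Tuple

def to_hp_mac(mac: str) -> str:
    """Normalise common MAC notations (00:1b:..., 00-1b-..., 001b.6639.0010)
    into the xxxx-xxxx-xxxx form the 1910 CLI expects (question 2 in the thread)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d = digits.lower()
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}"

def port_lockdown_config(bindings: Dict[str, List[str]], vlan: int = 1) -> List[str]:
    """Emit the two-step lockdown from the thread for every port: first disable
    dynamic learning on the port, then pin each permitted MAC statically."""
    lines = []
    for port in sorted(bindings):
        lines.append(f"undo mac-address dynamic interface {port} vlan {vlan}")
        for mac in bindings[port]:
            lines.append(f"mac-address static {to_hp_mac(mac)} interface {port} vlan {vlan}")
    return lines

# Constructed sample of a 'display mac-address' table (column layout assumed).
SAMPLE_MAC_TABLE = """\
MAC ADDR        VLAN ID  STATE          PORT INDEX             AGING TIME(s)
001b-6639-0010  1        Config static  GigabitEthernet1/0/1   NOAGED
aaaa-bbbb-cccc  1        Learned        GigabitEthernet1/0/2   AGING
dddd-eeee-ffff  1        Learned        GigabitEthernet1/0/24  AGING
"""
_ROW = re.compile(r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(Learned|Config static)\s+(\S+)", re.I)

def audit_mac_table(table_text: str, locked_ports: Set[str]) -> List[Tuple[str, str]]:
    """Flag dynamically learned entries on ports that are supposed to be locked:
    that is an untied PC using the port, the problem raised in the thread."""
    findings = []
    for line in table_text.splitlines():
        m = _ROW.match(line)
        if m and m.group(3).lower() == "learned" and m.group(4) in locked_ports:
            findings.append((m.group(4), m.group(1).lower()))
    return findings

if __name__ == "__main__":
    for cmd in port_lockdown_config({"GigabitEthernet1/0/1": ["00:1B:66:39:00:10"]}):
        print(cmd)
    print(audit_mac_table(SAMPLE_MAC_TABLE, {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}))
```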
 
LVL 26

Accepted Solution

by: Soulja (earned 2000 total points)
ID: 39966551
If a PC is connected to a port where you have a statically configured MAC address on it, it should not be able to connect.

So if the PC's MAC address doesn't match the MAC assigned to, say, G1/0/1, it should not be able to connect to it.
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 39966966
It works.
