Configuring and Monitoring Port Security
MAC Lockdown
You will need to enter a separate command for each MAC/VLAN pair you wish
to lock down. If you do not specify a VLAN ID (VID), the switch inserts a VID
of “1”.
How It Works.
When a device’s MAC address is locked down to a port
(typically in a pair with a VLAN), all traffic sent to that MAC address must
go through the locked-down port. If the device is moved to another port it
cannot receive data. Traffic to the designated MAC address goes only to the
allowed port, whether the device is connected to it or not.
MAC Lockdown is useful for preventing an intruder from “hijacking” a MAC
address from a known user in order to steal data. Without MAC Lockdown,
an intruder who transmits with the spoofed address causes the switch to learn
that address on the malicious user’s port, allowing the intruder to steal the
traffic meant for the legitimate user.
MAC Lockdown ensures that traffic intended for a specific MAC address can
only go through the one port which is supposed to be connected to that MAC
address. It does not prevent intruders from transmitting packets with the
locked MAC address, but it does prevent responses to those packets from
going anywhere other than the locked-down port. Thus TCP connections
cannot be established. Traffic sent to the locked address cannot be hijacked
and directed out the port of the intruder.
If the device (computer, PDA, wireless device) is moved to a different port on
the switch (by reconnecting the Ethernet cable or by moving the device to an
area using a wireless access point connected to a different port on that same
switch), the port will detect that the MAC Address is not on the appropriate
port and will continue to send traffic out the port to which the address was
locked.
Once a MAC address is configured for one port, you cannot perform port
security using the same MAC address on any other port on that same switch.
You cannot lock down a single MAC Address/VLAN pair to more than one port;
however you can lock down multiple different MAC Addresses to a single port
on the same switch.
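The hijack scenario above and the one-port-per-MAC/VLAN-pair rule can be seen in a small model of a learning switch. This is an added illustration, not code or command syntax from the ProCurve guide; the port names, MAC addresses and the `Switch` class are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample addresses; not taken from the manual.
USER = "00:11:22:33:44:55"      # legitimate station, locked to port A1
SERVER = "aa:bb:cc:dd:ee:ff"    # station the user talks to, on port A5
FLOOD = "flood"                 # unknown destination: flooded within the VLAN


@dataclass
class Switch:
    """Minimal model of a learning switch with MAC Lockdown (hypothetical)."""
    learned: dict = field(default_factory=dict)   # (mac, vid) -> port, dynamic
    locked: dict = field(default_factory=dict)    # (mac, vid) -> port, static

    def lockdown(self, mac, port, vid=1):
        """One entry per MAC/VLAN pair; an omitted VID defaults to 1."""
        key = (mac.lower(), vid)
        if key in self.locked and self.locked[key] != port:
            # The same MAC/VLAN pair cannot be locked to a second port.
            raise ValueError(f"{mac} on VLAN {vid} already locked to {self.locked[key]}")
        self.locked[key] = port

    def receive(self, src, dst, in_port, vid=1):
        """Handle one frame: learn the source, then pick the egress port."""
        src_key, dst_key = (src.lower(), vid), (dst.lower(), vid)
        if src_key not in self.locked:
            # Normal learning; a locked source is never re-learned elsewhere.
            self.learned[src_key] = in_port
        if dst_key in self.locked:
            return self.locked[dst_key]          # always the locked-down port
        return self.learned.get(dst_key, FLOOD)


def hijack_attempt(with_lockdown):
    """Return the port that receives the server's reply after a spoofed frame."""
    sw = Switch()
    if with_lockdown:
        sw.lockdown(USER, "A1")
    sw.receive(USER, SERVER, "A1")     # user on A1 talks to the server
    sw.receive(SERVER, USER, "A5")     # server on A5 replies
    sw.receive(USER, SERVER, "A9")     # a station on A9 sends with the user's MAC
    return sw.receive(SERVER, USER, "A5")   # where does the reply go now?


if __name__ == "__main__":
    print("without lockdown:", hijack_attempt(False))   # A9: reply is diverted
    print("with lockdown:   ", hijack_attempt(True))    # A1: reply stays put
```

Because the reply never reaches port A9, the spoofing station sees no SYN-ACK and no TCP connection can complete, which is the behaviour the text describes.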
Stations can move from the port to which their MAC address is locked to other
parts of the network. They can send, but will not receive data if that data must
go through the locked-down switch. Please note that if the device moves to a
distant part of the network where data sent to its MAC address never goes
through the locked-down switch, it may be possible for the device to have full
two-way communication. For a complete network-wide lockdown, all switches
must be configured appropriately.
Source: HP ProCurve 2910al Switch Access Security Guide, software release W.14.03, February 2009, page 13-23.