Access Security Guide K/KA/KB.15.15
HP-Switch(config)#aaa port-access local-mac 1 auth-vid 10
• Configure UnauthVid
HP-Switch(config)#aaa port-access local-mac 1 unauth-vid 12
• Configure address limit on a port
HP-Switch(config)#aaa port-access local-mac 1 addr-limit 2
• Re-authenticate clients on a port
HP-Switch(config)#aaa port-access local-mac 1 reauthenticate
• Un-configure LMA on a port
HP-Switch(config)#no aaa port-access local-mac 1
Configuration examples
Configuration example 1
• In this example, a PC is directly connected to an HP 3800 switch series. In addition:
◦ The corporate PC MAC is 002622bba7ac, and it should end up in VLAN 2 (Notebook
of network administrator)
◦ The rest of the corporate PC series MAC is 00:26:22:bb:* and 00:26:22:bc:*, and it
should end up in VLAN 3
◦ Corporate IP Phones example MAC is 00:80:11:*, and it should end up in VLAN 5
tagged
Configuration example 2
• In this example, PCs are connected to a meeting room HP 2615 switch series, which is
connected to an HP 3800 switch series (Local MAC authentication happens here). In addition:
◦ Authentication of the 2615, example MAC is 00:10:80:* and it should end up in VLAN
15 tagged (management traffic)
◦ Corporate PC MAC is: 002622bba7ac, and it should end up in VLAN 2 (Notebook of
network administrator)
◦ Rest of the corporate PC Series MAC is: 002622bb* and 00:26:22:bc:*, and it should
end up in VLAN 3
◦ Guest PCs: unknown MAC, and it should end up in Guest VLAN 99
◦ Corporate IP Phones, example MAC: 00:80:11:*, and it should end up in VLAN 5 tagged
◦ WLAN APs, example MAC: 00:80:12:*, and it should end up in VLAN 10 untagged,
12-14 tagged (10 management, 12-14 SSIDs with local break-out)
For further authentication of any OUIs predefined in the switch OS, the default group is not allowed.
1. Create 5 LMA profiles
There is no need to create profiles for Guest PCs as you don’t know the MACs. Configure
unauth-vid (explained in step 3 below) so that such a client fails the authentication and is put
into guest VLAN.
aaa port-access local-mac profile "corp-switch-prof" vlan tagged 15
(for 2615 switches)
aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3
(for the rest of corporate PCs)
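The following is an added illustration, not switch code from this guide: it models how the MAC-to-VLAN mappings of configuration example 2 and the addr-limit setting resolve a client MAC. It assumes that the most specific match wins (the precedence the example implies, since the administrator's notebook also matches the rest-pc-prof prefix) and assumes profile names for the phones and APs, which the page does not give.

```python
import re

# Rule table constructed from configuration example 2:
# (pattern, profile, untagged VLAN or None, tagged VLANs).
# The phone and AP profile names are assumed; the page names only three profiles.
RULES = [
    ("00:10:80:*",    "corp-switch-prof", None, (15,)),
    ("002622bba7ac",  "corp-pc-prof",     2,    ()),
    ("002622bb*",     "rest-pc-prof",     3,    ()),
    ("00:26:22:bc:*", "rest-pc-prof",     3,    ()),
    ("00:80:11:*",    "ip-phone-prof",    None, (5,)),
    ("00:80:12:*",    "wlan-ap-prof",     10,   (12, 13, 14)),
]
UNAUTH_VID = 99   # guest VLAN: unknown MACs fail authentication and land here
ADDR_LIMIT = 2    # addr-limit as in the port configuration shown above

def normalize_mac(mac):
    """Lower-case hex digits with separators stripped; a trailing '*' is kept."""
    return re.sub(r"[^0-9a-f*]", "", mac.lower())

def match_len(pattern, mac):
    """Number of fixed hex digits the pattern matches in mac, or None."""
    p = normalize_mac(pattern)
    if p.endswith("*"):
        fixed = p[:-1]
        return len(fixed) if mac.startswith(fixed) else None
    return len(p) if p == mac else None

def resolve(mac):
    """Map a client MAC to (profile, untagged VLAN, tagged VLANs).
    Most specific rule wins (assumed precedence); no match -> unauth-vid."""
    mac = normalize_mac(mac)
    best = None
    for pattern, profile, untagged, tagged in RULES:
        n = match_len(pattern, mac)
        if n is not None and (best is None or n > best[0]):
            best = (n, profile, untagged, tagged)
    if best is None:
        return ("unauthenticated", UNAUTH_VID, ())
    return best[1:]

def admit(port_clients, mac):
    """Apply addr-limit: a port already holding ADDR_LIMIT MACs rejects a new one."""
    mac = normalize_mac(mac)
    if mac not in port_clients and len(port_clients) >= ADDR_LIMIT:
        return None
    if mac not in port_clients:
        port_clients.append(mac)
    return resolve(mac)
```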
Configuration commands 119