Access Security Guide K/KA/KB.15.15

Removes the specified MAC address from the specified VLAN:
HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8
To view the results of clearing a MAC address, use the show mac-address command with
the appropriate option.
Figure 277 A MAC Address cleared from the MAC Address Table
Deploying MAC Lockdown
When deploying MAC Lockdown, it is crucial to consider how it fits your network topology so that it
actually improves security. If you use techniques such as meshing or Spanning Tree Protocol (STP) to
improve network performance by providing multiple paths between devices, MAC Lockdown either will
not work or will defeat the purpose of having multiple data paths.
Use MAC Lockdown to prevent a malicious user from hijacking an approved MAC address in order to
steal data traffic sent to that address. The MAC Lockdown feature (static-mac) allows administrators
to configure the authorized set of clients on a given port.
MAC Lockdown helps prevent hijacking by ensuring that all traffic to a specific MAC address goes
only to the correct port on a switch, which must be connected to the real device bearing that MAC
address.
However, incorrectly deploying MAC Lockdown in a network that uses multiple-path technologies such
as Spanning Tree or meshing can cause errors.
Let’s examine a good use of MAC Lockdown within a network to ensure security first.
Adding an IP-to-MAC Binding to the DHCP Database
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet
validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease
database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client
MAC address, port number, VLAN identifier, leased IP address, and lease time.
If your network does not use DHCP or if some network devices have fixed, user-configured IP
addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The
switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection.
Adding a static binding
To add a static IP-to-MAC binding for a port to the database, enter the ip source-binding
command at the global configuration level. Use the no form of the command to remove the
IP-to-MAC binding from the database.
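The following is an added illustration, not HP's code, of how the binding database described above is consulted for dynamic ARP protection: each entry carries the client MAC, port, VLAN, IP address and lease time (no lease for a static binding), and an ARP packet arriving on an untrusted port is accepted only when its sender IP and MAC match the binding recorded for that VLAN and port. Port names, the trusted-port set and the IP address are constructed sample values; the MAC address is the one used in the clear mac-address example above.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept '0001e6-b197a8', '00:01:e6:b1:97:a8' or '0001.e6b1.97a8'; return 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    mac: str              # normalized client MAC address
    port: str             # port the client is expected to appear on
    vlan: int             # VLAN identifier
    ip: str               # leased or statically assigned IP address
    lease: Optional[int]  # remaining lease in seconds; None for a static binding


class BindingDatabase:
    """Hypothetical model of the switch's DHCP binding database (illustration only)."""

    def __init__(self, trusted_ports: Iterable[str]) -> None:
        self.trusted: Set[str] = set(trusted_ports)   # ports that are not validated
        self.entries: Dict[Tuple[int, str], Binding] = {}  # (vlan, ip) -> binding

    def add_static(self, vlan: int, ip: str, mac: str, port: str) -> None:
        # A static entry, as added with ip source-binding: no lease, never ages out.
        self.entries[(vlan, ip)] = Binding(normalize_mac(mac), port, vlan, ip, None)

    def remove_static(self, vlan: int, ip: str) -> bool:
        # Counterpart of the "no" form of the command; True if an entry was removed.
        return self.entries.pop((vlan, ip), None) is not None

    def validate_arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> Tuple[bool, str]:
        """Dynamic ARP protection: accept the ARP sender only if it matches a binding."""
        if port in self.trusted:
            return True, "trusted port, not validated"
        binding = self.entries.get((vlan, sender_ip))
        if binding is None:
            return False, "no binding for sender IP on this VLAN"
        if binding.lease is not None and binding.lease <= 0:
            return False, "lease expired"
        if binding.mac != normalize_mac(sender_mac):
            return False, "sender MAC does not match binding"
        if binding.port != port:
            return False, "sender arrived on a different port than the binding"
        return True, "matches binding"
```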
Using Port Security 379