Access Security Guide K/KA/KB.15.15

The following command sequence serves this purpose by removing 0c0090-123456 and reducing the
Address Limit to 1:
HP Switch(config)# port-security a1 address-limit 1
HP Switch(config)# no port-security a1 mac-address 0c0090-123456
The above command sequence results in the following configuration for port A1:
Figure 299 Port A1 After Removing One MAC Address
How MAC Lockdown works
When a device's MAC address is locked down to a port (typically in a pair with a VLAN) all
information sent to that MAC address must go through the locked-down port. If the device is moved
to another port it cannot receive data. Traffic to the designated MAC address goes only to the
allowed port, whether the device is connected to it or not.
MAC Lockdown is useful for preventing an intruder from "hijacking" a MAC address from a known
user in order to steal data. Without MAC Lockdown, an intruder who transmits frames carrying the
legitimate user's source MAC address causes the switch to learn that address on the intruder's port,
so traffic meant for the legitimate user is forwarded to the intruder instead.
MAC Lockdown ensures that traffic intended for a specific MAC address can only go through the
one port which is supposed to be connected to that MAC address. It does not prevent intruders
from transmitting packets with the locked MAC address, but it does prevent responses to those
packets from going anywhere other than to the locked-down port. Thus TCP connections cannot
be established. Traffic sent to the locked address cannot be hijacked and directed out the port of
the intruder.
If the device (computer, PDA, wireless device) is moved to a different port on the switch (by
reconnecting the Ethernet cable or by moving the device to an area using a wireless access point
connected to a different port on that same switch), the switch will not relearn the MAC address
on the new port; it will continue to send traffic to that address out the port to which the address
was locked.
Once a MAC address is configured for one port, you cannot perform port security using the same
MAC address on any other port on that same switch.
You cannot lock down a single MAC Address/VLAN pair to more than one port; however you
can lock down multiple different MAC Addresses to a single port on the same switch.
Stations can move from the port to which their MAC address is locked to other parts of the network.
They can send but not receive data, if that data must go through the locked-down switch.
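The hijack defence and the one-port-per-MAC/VLAN rule described above, as an added Python model of a learning switch; this is illustration written for this page, not HP switch software or a command shown in this guide. The port names (A1, A2, A5), the MAC addresses and the traffic scenario are constructed.

```python
# Toy model of a learning switch with and without MAC Lockdown.
# Added illustration, not HP switch code: the port names (A1, A2, A5),
# the MAC addresses and the traffic scenario below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN id)


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC, written HP style, e.g. "0c0090-123456"
    dst: str      # destination MAC
    vlan: int
    in_port: str  # port the frame arrived on


class Switch:
    def __init__(self, ports: List[str]) -> None:
        self.ports = list(ports)
        self.fdb: Dict[Key, str] = {}     # dynamically learned MAC/VLAN -> port
        self.locked: Dict[Key, str] = {}  # MAC Lockdown: static MAC/VLAN -> port

    def lock_down(self, mac: str, vlan: int, port: str) -> None:
        """Bind a MAC/VLAN pair to exactly one port."""
        key = (mac, vlan)
        if key in self.locked and self.locked[key] != port:
            raise ValueError(f"{mac} vlan {vlan} is already locked to {self.locked[key]}")
        self.locked[key] = port
        self.fdb.pop(key, None)  # a static binding supersedes anything learned

    def egress_port(self, mac: str, vlan: int) -> Optional[str]:
        """Locked bindings win over learned ones."""
        return self.locked.get((mac, vlan)) or self.fdb.get((mac, vlan))

    def forward(self, frame: Frame) -> List[str]:
        """Learn the source (unless it is locked) and return the egress port list."""
        key = (frame.src, frame.vlan)
        if key not in self.locked:
            self.fdb[key] = frame.in_port  # a spoofed source silently moves the entry
        out = self.egress_port(frame.dst, frame.vlan)
        if out is None:
            return [p for p in self.ports if p != frame.in_port]  # unknown destination: flood
        if out == frame.in_port:
            return []  # destination sits on the ingress port: filter
        return [out]


VICTIM, SERVER, VLAN = "0c0090-123456", "0c0090-abcdef", 1


def hijack_scenario(lockdown: bool) -> List[str]:
    """Where does the server's reply to VICTIM go after an intruder on port A5
    transmits a frame with VICTIM's source MAC?  Returns the egress port list."""
    sw = Switch(["A1", "A2", "A5"])
    if lockdown:
        sw.lock_down(VICTIM, VLAN, "A1")
    sw.forward(Frame(VICTIM, SERVER, VLAN, "A1"))         # victim talks to the server
    sw.forward(Frame(SERVER, VICTIM, VLAN, "A2"))         # server answers
    sw.forward(Frame(VICTIM, SERVER, VLAN, "A5"))         # intruder spoofs VICTIM from A5
    return sw.forward(Frame(SERVER, VICTIM, VLAN, "A2"))  # server's next reply


def multiple_ports_rejected() -> bool:
    """A single MAC/VLAN pair cannot be locked down to a second port."""
    sw = Switch(["A1", "A2"])
    sw.lock_down(VICTIM, VLAN, "A1")
    try:
        sw.lock_down(VICTIM, VLAN, "A2")
    except ValueError:
        return True
    return False


def several_macs_one_port() -> bool:
    """...but several different MAC addresses may be locked to one port."""
    sw = Switch(["A1", "A2"])
    sw.lock_down(VICTIM, VLAN, "A1")
    sw.lock_down(SERVER, VLAN, "A1")
    return sw.egress_port(VICTIM, VLAN) == sw.egress_port(SERVER, VLAN) == "A1"


if __name__ == "__main__":
    print("without lockdown, reply goes to", hijack_scenario(False))  # ['A5']: hijacked
    print("with lockdown, reply goes to", hijack_scenario(True))      # ['A1']: locked port
```

The intruder's spoofed frame is still forwarded in both runs (the model, like the switch, does not block transmission); what changes is that the locked binding is never overwritten by source learning, so the reply stays on A1 and the intruder never sees the second half of the exchange.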