Access Security Guide K/KA/KB.15.15

Port security maintains a list of allowed MAC addresses on a per-port basis. The same address may
be allowed on several ports of a switch. Port security deals with MAC addresses only, while MAC
Lockdown specifies both a MAC address and a VLAN for lockdown.
MAC Lockdown, on the other hand, is not a "list." It is a global parameter on the switch that takes
precedence over any other security mechanism. The MAC address is allowed to communicate
using only one specific port on the switch.
MAC Lockdown is a good replacement for port security when you need tighter control over MAC
addresses and the ports they are allowed to use: with MAC Lockdown, a MAC address is tied to
exactly one port on the switch. The port can still carry other MAC addresses, but the locked-down
MAC address cannot be used on any other port.
Using only port security the MAC Address could still be used on another port on the same switch.
MAC Lockdown, on the other hand, is a clear one-to-one relationship between the MAC Address
and the port. Once a MAC address has been locked down to a port it cannot be used on another
port on the same switch.
The switch does not allow MAC Lockdown and port security on the same port.
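To make the difference concrete, the following toy model (an added example, not code from the guide or from the switch software) simulates a switch that applies both rules to constructed frames. It shows the three behaviours described above: port security alone will admit the same MAC on two ports, MAC Lockdown drops a locked MAC arriving on any port other than its own and delivers traffic to that MAC only to its port, and the two features refuse to coexist on one port. The MAC strings, VLAN and port numbers are invented for illustration, and the model floods unknown destinations instead of learning addresses, which is a simplification of ours.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """Only the fields the two policies look at (constructed sample data)."""
    vlan: int
    src: str          # source MAC, ProCurve style "0060b0-880a80"
    dst: str          # destination MAC
    ingress_port: int


@dataclass
class Switch:
    """Toy switch holding both policies. No MAC learning: unknown unicast
    destinations are flooded. That simplification is ours, not the guide's."""
    ports: int = 8
    # port security: port -> set of allowed source MACs (a per-port list)
    port_security: dict[int, set[str]] = field(default_factory=dict)
    # MAC Lockdown: (mac, vlan) -> the single port that MAC may use
    lockdown: dict[tuple[str, int], int] = field(default_factory=dict)

    def add_port_security(self, port: int, mac: str) -> None:
        # The guide: MAC Lockdown and port security cannot share a port.
        if port in self.lockdown.values():
            raise ValueError(f"port {port} already has a MAC Lockdown entry")
        self.port_security.setdefault(port, set()).add(mac)

    def add_lockdown(self, mac: str, vlan: int, port: int) -> None:
        if port in self.port_security:
            raise ValueError(f"port {port} already has port security")
        key = (mac, vlan)
        # One port per MAC address (and VLAN) on the same switch.
        if key in self.lockdown and self.lockdown[key] != port:
            raise ValueError(f"{mac} on VLAN {vlan} is already locked to port {self.lockdown[key]}")
        self.lockdown[key] = port

    def ingress_allowed(self, f: Frame) -> bool:
        """May this frame enter the switch at all?"""
        locked = self.lockdown.get((f.src, f.vlan))
        if locked is not None and locked != f.ingress_port:
            return False      # locked MAC seen on the wrong port: drop it
        allowed = self.port_security.get(f.ingress_port)
        if allowed is not None and f.src not in allowed:
            return False      # this port's list does not include the source
        return True

    def egress_ports(self, f: Frame) -> set[int]:
        """Ports the frame is forwarded out of (empty if dropped)."""
        if not self.ingress_allowed(f):
            return set()
        locked = self.lockdown.get((f.dst, f.vlan))
        if locked is not None:
            return {locked} - {f.ingress_port}   # only the real device's port
        return {p for p in range(1, self.ports + 1) if p != f.ingress_port}


SERVER = "0060b0-880a80"      # invented MAC of the device we want to protect
CLIENT = "0060b0-000001"      # invented MAC of a legitimate client


def port_security_demo() -> bool:
    """Port security alone: the same MAC may be listed on two ports, so a
    frame spoofing SERVER on port 5 is accepted. Returns True in that case."""
    sw = Switch()
    sw.add_port_security(1, SERVER)
    sw.add_port_security(5, SERVER)     # permitted: the list is per port
    spoof = Frame(vlan=10, src=SERVER, dst=CLIENT, ingress_port=5)
    return sw.ingress_allowed(spoof)


def hijack_demo() -> dict:
    """MAC Lockdown: SERVER is locked to port 1 on VLAN 10. A spoofed frame
    from port 5 is dropped, the real server still talks, and traffic for the
    server from port 3 is sent to port 1 only."""
    sw = Switch()
    sw.add_lockdown(SERVER, vlan=10, port=1)
    spoof = Frame(vlan=10, src=SERVER, dst=CLIENT, ingress_port=5)
    legit = Frame(vlan=10, src=SERVER, dst=CLIENT, ingress_port=1)
    to_server = Frame(vlan=10, src=CLIENT, dst=SERVER, ingress_port=3)
    return {
        "spoof_dropped": not sw.ingress_allowed(spoof),
        "legit_passes": sw.ingress_allowed(legit),
        "to_server_ports": sw.egress_ports(to_server),
    }


def exclusion_enforced() -> bool:
    """True if configuring port security on a locked-down port is refused."""
    sw = Switch()
    sw.add_lockdown(SERVER, vlan=10, port=1)
    try:
        sw.add_port_security(1, CLIENT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("port security admits spoof:", port_security_demo())
    print("MAC Lockdown:", hijack_demo())
    print("mutual exclusion enforced:", exclusion_enforced())
```

The ingress check is the part that defeats the hijack: because the binding is global rather than a per-port list, the switch can reject the locked MAC the moment it appears on a port other than the one it was bound to, and because the binding also fixes where traffic to that MAC is delivered, a spoofer never receives the victim's frames either.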
Deploying MAC lockdown
When you deploy MAC Lockdown you need to consider how you use it within your network
topology to ensure security. Where you use techniques such as "meshing" or Spanning Tree
Protocol (STP) to provide multiple paths between devices (for redundancy or load sharing), MAC
Lockdown either will not work or else it defeats the purpose of having multiple data paths,
because it ties each locked address to a single port.
The purpose of using MAC Lockdown is to prevent a malicious user from "hijacking" an approved
MAC address so they can steal data traffic being sent to that address.
As we have seen, MAC Lockdown can help prevent this type of hijacking by making sure that all
traffic to a specific MAC address goes only to the proper port on a switch which is supposed to
be connected to the real device bearing that MAC address.
However, you can run into trouble if you incorrectly try to deploy MAC Lockdown in a network
that uses multiple path technology, like Spanning Tree or "mesh networks."
Let's examine a good use of MAC Lockdown within a network to ensure security first.
Example
Figure 300 MAC lockdown deployed at the network edge provides security