Manualshelf

Access Security Guide K/KA/KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch
401402403404405406407408409410
Basic MAC Lockdown deployment.
In the Model Network Topology shown above, the switches that are connected to the edge of the
network each have one and only one connection to the core network. This means each switch has
only one path by which data can travel to Server A. You can use MAC Lockdown to specify that
all traffic intended for Server A's MAC Address must go through the one port on the edge switches.
That way, users on the edge can still use other network resources, but they cannot "spoof" Server
A and hijack data traffic which is intended for that server alone.
The key points for this Model Topology are:
The Core Network is separated from the edge by the use of switches which have been "locked
down" for security.
All switches connected to the edge (outside users) each have only one port they can use to
connect to the Core Network and then to Server A.
Each switch has been configured with MAC Lockdown so that the MAC Address for Server
A has been locked down to one port per switch that can connect to the Core and Server A.
Using this setup Server A can be moved around within the core network, and yet MAC Lockdown
will still prevent a user at the edge from hijacking its address and stealing data.
Please note that in this scenario a user with bad intentions at the edge can still "spoof" the address
for Server A and send out data packets that look as though they came from Server A. The good
news is that because MAC Lockdown has been used on the switches on the edge, any traffic that
is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has
been used. The switches at the edge will not send Server A's data packets anywhere but the port
connected to Server A. (Data would not be allowed to go beyond the edge switches.)
CAUTION: Using MAC Lockdown still does not protect against a hijacker within the core! In
order to protect against someone spoofing the MAC Address for Server A inside the Core Network,
you would have to lock down each and every switch inside the Core Network as well, not just on
the edge.
Problems using MAC Lockdown in networks with multiple paths
Now let's take a look at a network topology in which the use of MAC Lockdown presents a problem.
In the next figure, Switch 1 (on the bottom-left) is located at the edge of the network where there
is a mixed audience that might contain hackers or other malicious users. Switch 1 has two paths
it could use to connect to Server A. If you try to use MAC Lockdown here to make sure that all data
to Server A is "locked down" to one path, connectivity problems would be the result since both
paths need to be usable in case one of them fails.
406 Port Security