Access Security Guide K/KA/KB.15.15

Figure 301 Connectivity problems using MAC lockdown with multiple paths
The resulting connectivity problems would prevent you from locking down Server A to Switch 1, and
if you then remove the MAC Lockdown from Switch 1 (to stop broadcast storms or other
connectivity issues), you reopen the network to the security problem the lockdown was meant to
solve. Using MAC Lockdown as shown in the figure above would defeat the purpose of running MSTP
or having an alternate path at all. Technologies such as MSTP or "meshing" are primarily intended
for an internal campus network environment in which all users are trusted; MSTP and "meshing" do
not work well with MAC Lockdown.
If you deploy MAC Lockdown as shown in the Model Topology in Figure 300 (page 405), you
should have no problems with either security or connectivity.
How MAC Lockout works
Suppose a customer knows there are unauthorized wireless clients that should not have access to
the network. The network administrator "locks out" the MAC addresses of those wireless clients
with the MAC Lockout command (lockout-mac <mac-address>). When the wireless clients then
attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them
from sending or receiving data on that network.
If a particular MAC address can be identified as unwanted on the switch then that MAC Address
can be disallowed on all ports on that switch with a single command. You don't have to configure
every single port—just perform the command on the switch and it is effective for all ports.
MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.
You cannot use MAC Lockout to lock out:
- broadcast or multicast addresses (switches do not learn these)
- the switch agent, that is, the switch's own MAC address
A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the
MAC table as a drop entry in every configured VLAN. Because this can quickly fill the MAC table,
the number of lockout MAC addresses allowed is restricted according to the number of VLANs
configured. The last column is the number of MAC table entries those drop entries consume at the
top of each VLAN range (lockout addresses multiplied by VLANs).

VLANs configured    Number of MAC lockout addresses    Total number of MAC table entries
1-8                 200                                1,600
9-16                100                                1,600
17-256              64                                 16,384
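The following is an added example, not a script from the guide or from HP: a Python pre-flight check that validates a list of MAC addresses against the lockout rules described above before the lockout-mac commands are pasted into the switch. It rejects broadcast and multicast addresses (the I/G bit, the least significant bit of the first octet, is set), the switch's own address, and duplicates, and it enforces the per-VLAN-count limit from the table. Assumptions, labelled in the code: the limits are exactly the table's, the CLI accepts addresses in the xxxxxx-xxxxxx notation, and the operator supplies the switch's own MAC; the sample input at the bottom is constructed.

```python
"""Pre-flight check for a MAC Lockout list before it is pasted into the switch.

Added example, not taken from the guide. Assumptions: the lockout limits are
the ones in the guide's table; the CLI accepts MACs as xxxxxx-xxxxxx (the
usual ProCurve notation); the operator supplies the switch's own MAC address.
"""
import re

# From the guide's table: (highest VLAN count in the range, lockout addresses allowed)
LOCKOUT_LIMITS = [(8, 200), (16, 100), (256, 64)]

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC in lower case; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def is_group_address(mac: str) -> bool:
    """True for multicast or broadcast MACs: the I/G bit (LSB of the first octet) is set.
    The switch never learns these, so lockout-mac cannot apply to them."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def max_lockout_addresses(vlan_count: int) -> int:
    """Lockout addresses allowed for the given number of configured VLANs (guide's table)."""
    if vlan_count < 1:
        raise ValueError("at least one VLAN is always configured")
    for top_of_range, limit in LOCKOUT_LIMITS:
        if vlan_count <= top_of_range:
            return limit
    raise ValueError(f"{vlan_count} VLANs is more than the 256 the table covers")


def to_switch_format(mac: str) -> str:
    """Render a MAC as xxxxxx-xxxxxx (assumed CLI notation)."""
    d = normalize_mac(mac)
    return f"{d[:6]}-{d[6:]}"


def build_lockout_config(candidates, vlan_count, switch_mac, existing=()):
    """Validate candidate MACs against the rules in the guide and return
    (cli_lines, rejected), where rejected maps each dropped input to its reason."""
    own = normalize_mac(switch_mac)
    already = {normalize_mac(m) for m in existing}
    room = max_lockout_addresses(vlan_count) - len(already)
    accepted, rejected = [], {}
    seen = set(already)
    for raw in candidates:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
            continue
        if is_group_address(mac):
            rejected[raw] = "broadcast/multicast: the switch does not learn these"
        elif mac == own:
            rejected[raw] = "the switch's own MAC address cannot be locked out"
        elif mac in seen:
            rejected[raw] = "already in the lockout list"
        elif len(accepted) >= room:
            rejected[raw] = (f"would exceed the {max_lockout_addresses(vlan_count)} "
                             f"lockout addresses allowed with {vlan_count} VLANs")
        else:
            seen.add(mac)
            accepted.append(mac)
    return [f"lockout-mac {to_switch_format(m)}" for m in accepted], rejected


if __name__ == "__main__":
    # Constructed sample input: 62 MACs already locked out on a 20-VLAN switch (limit 64).
    existing = [f"00:11:22:33:44:{i:02x}" for i in range(62)]
    wanted = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03",
              "01:00:5e:00:00:fb", "00:11:22:33:44:00", "not-a-mac"]
    lines, dropped = build_lockout_config(wanted, 20, "08:00:09:12:34:56", existing)
    print("\n".join(lines))
    for mac, why in dropped.items():
        print(f"# skipped {mac}: {why}")
```

The limit check uses the count of addresses already locked out plus the new ones, because the table caps the whole list, not each batch; running the script on a switch that is already at 62 of 64 entries therefore emits only two commands and explains why the rest were dropped.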
Overview 407