Deploying Mac Lockdown; Mac Lockout - HP ProCurve 6120G/XG Manual

Hp procurve series 6120 blade switches access security guide
Configuring and Monitoring Port Security

MAC Lockout

Deploying MAC Lockdown

When you deploy MAC Lockdown, consider how it interacts with your network topology. In networks that use techniques such as Spanning Tree Protocol (STP) to improve performance by providing multiple paths between devices, MAC Lockdown either will not work or defeats the purpose of having multiple data paths, because it ties a MAC address to a single port.

The purpose of MAC Lockdown is to prevent a malicious user from "hijacking" an approved MAC address in order to steal the data traffic being sent to that address. As described earlier, MAC Lockdown helps prevent this kind of hijacking by ensuring that all traffic to a specific MAC address goes only to the port on the switch that is supposed to be connected to the real device bearing that MAC address.

However, you can run into trouble if you try to deploy MAC Lockdown in a network that uses a multiple-path technology such as Spanning Tree.
Caution
Using MAC Lockdown still does not protect against a hijacker within the core! To protect against someone spoofing the MAC address of a server inside the core network, you would have to lock down every switch inside the core network as well, not just the switches at the edge.
MAC Lockout
MAC Lockout involves configuring a MAC address on all ports and VLANs of a switch so that any traffic to or from the "locked-out" MAC address is dropped. All data packets addressed to or from the given address are stopped by that switch. MAC Lockout is configured on a per-switch basis.

You can think of MAC Lockout as a simple blacklist: the MAC address is locked out on the switch and on all of its VLANs, and no data passes in or out between the blacklisted MAC address and a switch using MAC Lockout.

To fully lock out a MAC address from the network, you must use the MAC Lockout command on every switch.
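The following CLI session is an added example and is not taken from this page of the guide; it shows how the two features described above would be configured on a single switch. It assumes the `static-mac` (MAC Lockdown) and `lockout-mac` (MAC Lockout) configuration commands and their `show` counterparts as the ProCurve CLI provides them, ProCurve's `xxxxxx-xxxxxx` MAC notation, and constructed values (VLAN 10, port 5, and the two MAC addresses). Lines beginning with `;` are annotations, not commands. Verify the exact syntax against the command reference for your firmware.

```console
; --- MAC Lockdown: pin the server's MAC address to the port it is really attached to ---
; Frames destined for 001a2b-3c4d5e are sent only to port 5 on VLAN 10;
; the address cannot be learned on any other port of this switch.
ProCurve(config)# static-mac 001a2b-3c4d5e vlan 10 interface 5
ProCurve(config)# show static-mac

; Per the caution above, repeat the same static-mac entry on every core switch
; on the path to the server; otherwise a spoofed 001a2b-3c4d5e inside the core
; is still learned and forwarded normally there.

; --- MAC Lockout: drop all traffic to or from a blacklisted MAC on this switch ---
; Applies to all ports and all VLANs of this switch only.
ProCurve(config)# lockout-mac 00de4d-beef01
ProCurve(config)# show lockout-mac

; Lockout is per switch: apply it on every switch to exclude the address network-wide.
ProCurve(config)# write memory
```

When choosing which feature to use, note that the two address different problems: MAC Lockdown protects a legitimate device's address by restricting where its traffic may appear, whereas MAC Lockout excludes a known-bad address entirely. Neither is applied across switches automatically, so keep an inventory of which switches carry each entry and confirm it with the `show` commands after changes.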