2008/09/11

HP 2626 MAC lockdown and port mirror

http://www.hp.com/rnd/support/faqs/2610.htm

Q: Are ACLs (Access-Control Lists) Supported? Yes, two types of ACLs are supported with a maximum of 127 for each type (total of 254):

* Port Based ACLs
  - Port Based ACLs can be configured through the CLI (Command Line Interface)
  - ACLs can be shared across ports
  - ACLs can filter Layer 3 IP, and Layer 4 source and destination TCP/UDP ports
  - Logging can be configured for deny, first hit, and summary every 5 minutes
* User Based ACLs
  - Must be configured through IDM (Identity Driven Manager)
  - Supports a maximum of two users per port
  - Processes Layer 2 MAC, Layer 3 IP, and Layer 4 TCP/UDP
  - Counters are available and can be displayed using the sh

Locking and unlocking are done as follows:
ftp://ftp.hp.com/pub/networking/software/
The file is attached.
The chapter is in 2600-2800-4100-6108-Security-Oct2005-59906024.pdf;
section 9 of that file is excerpted below!!
MAC Lockdown
MAC Lockdown is available on the Series 2600, 2600-PWR, and 2800
switches only.
MAC Lockdown, also known as "static addressing," is the permanent assignment
of a given MAC address (and VLAN, or Virtual Local Area Network) to
a specific port on the switch. MAC Lockdown is used to prevent station
movement and MAC address hijacking. It also controls address learning on
the switch. When configured, the MAC Address can only be used on the
assigned port and the client device will only be allowed on the assigned VLAN.
Port security and MAC Lockdown are mutually exclusive on a given port. You
can either use port security or MAC Lockdown, but never both at the same
time on the same port.
Syntax: [no] static-mac < mac-addr > vlan < vid > interface < port-number >
You will need to enter a separate command for each MAC/VLAN pair you wish
to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID
of "1".
How It Works. When a device's MAC address is locked down to a port
(typically in a pair with a VLAN) all information sent to that MAC address must
go through the locked-down port. If the device is moved to another port it
cannot receive data. Traffic to the designated MAC address goes only to the
allowed port, whether the device is connected to it or not.
MAC Lockdown is useful for preventing an intruder from "hijacking" a MAC
address from a known user in order to steal data. Without MAC Lockdown,
this will cause the switch to learn the address on the malicious user's port,
allowing the intruder to steal the traffic meant for the legitimate user.
MAC Lockdown ensures that traffic intended for a specific MAC address can
only go through the one port which is supposed to be connected to that MAC
address. It does not prevent intruders from transmitting packets with the
locked MAC address, but it does prevent responses to those packets from
going anywhere other than the locked-down port. Thus TCP connections
cannot be established. Traffic sent to the locked address cannot be hijacked
and directed out the port of the intruder.
If the device (computer, PDA, wireless device) is moved to a different port on
the switch (by reconnecting the Ethernet cable or by moving the device to an
area using a wireless access point connected to a different port on that same
switch), the port will detect that the MAC Address is not on the appropriate
port and will continue to send traffic out the port to which the address was
locked.
Once a MAC address is configured for one port, you cannot perform port
security using the same MAC address on any other port on that same switch.
You cannot lock down a single MAC Address/VLAN pair to more than one port;
however you can lock down multiple different MAC Addresses to a single port
on the same switch.
Stations can move from the port to which their MAC address is locked to other
parts of the network. They can send, but will not receive data if that data must
go through the locked down switch. Please note that if the device moves to a
distant part of the network where data sent to its MAC address never goes
through the locked down switch, it may be possible for the device to have full
two-way communication. For full and complete lockdown network-wide all
switches must be configured appropriately.
Other Useful Information. Once you lock down a MAC address/VLAN pair
on one port that pair cannot be locked down on a different port.
You cannot perform MAC Lockdown and 802.1x authentication on the same
port or on the same MAC address. MAC Lockdown and 802.1x authentication
are mutually exclusive.
Lockdown is permitted on static trunks (manually configured link aggregations).
Differences Between MAC Lockdown and Port Security
Because port-security relies upon MAC addresses, it is often confused with
the MAC Lockdown feature. However, MAC Lockdown is a completely different
feature and is implemented on a different architecture level.
Port security maintains a list of allowed MAC addresses on a per-port basis.
An address can exist on multiple ports of a switch. Port security deals with
MAC addresses only while MAC Lockdown specifies both a MAC address and
a VLAN for lockdown.
MAC Lockdown, on the other hand, is not a "list." It is a global parameter on
the switch that takes precedence over any other security mechanism. The
MAC Address will only be allowed to communicate using one specific port on
the switch.
MAC Lockdown is a good replacement for port security to create tighter
control over MAC addresses and which ports they are allowed to use (only
one port per MAC Address on the same switch in the case of MAC Lockdown).
(You can still use the port for other MAC addresses, but you cannot use the
locked down MAC address on other ports.)
Using only port security the MAC Address could still be used on another port
on the same switch. MAC Lockdown, on the other hand, is a clear one-to-one
relationship between the MAC Address and the port. Once a MAC address has
been locked down to a port it cannot be used on another port on the same
switch.
The switch does not allow MAC Lockdown and port security on the same port.
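As an added example (not from this blog post or from the HP guide): a small Python check that reads a planned ProCurve-style configuration and flags the rule violations the section above describes, so they are caught before the commands are pasted into the switch. The static-mac syntax is the one quoted above; the port-security and aaa port-access authenticator line formats, and every MAC address and port number, are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a planned ProCurve-style configuration (not from the page).
# static-mac follows the syntax quoted in the guide; the port-security and
# aaa port-access lines are assumed ProCurve syntax, used only as markers here.
SAMPLE_CONFIG = """\
static-mac 0030c1-7f3aa9 vlan 10 interface 5
static-mac 0030c1-7f3aaa vlan 10 interface 5
static-mac 0030c1-7f3aa9 vlan 10 interface 7
port-security 5 learn-mode static address-limit 1 mac-address 0030c1-7f3aab
aaa port-access authenticator 7
"""

STATIC_MAC = re.compile(r"^static-mac (\S+) vlan (\d+) interface (\S+)$")
PORT_SEC = re.compile(r"^port-security (\S+)\b")
DOT1X = re.compile(r"^aaa port-access authenticator (\S+)\b")


def audit_lockdown(config: str) -> list[str]:
    """Return findings that break the rules in the MAC Lockdown section:
    a MAC/VLAN pair may be locked to only one port, and a locked-down port
    may not also run port security or 802.1X authentication."""
    pair_ports = defaultdict(set)   # (mac, vid) -> ports the pair is locked to
    locked_ports, secured_ports, dot1x_ports = set(), set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_MAC.match(line):
            mac, vid, port = m.groups()
            pair_ports[(mac.lower(), vid)].add(port)
            locked_ports.add(port)
        elif m := PORT_SEC.match(line):
            secured_ports.add(m.group(1))
        elif m := DOT1X.match(line):
            dot1x_ports.add(m.group(1))
    findings = []
    for (mac, vid), ports in sorted(pair_ports.items()):
        if len(ports) > 1:   # the switch would reject the second port anyway
            findings.append(f"{mac}/vlan {vid} locked to multiple ports: {sorted(ports)}")
    for port in sorted(locked_ports & secured_ports):
        findings.append(f"port {port}: MAC Lockdown and port security are mutually exclusive")
    for port in sorted(locked_ports & dot1x_ports):
        findings.append(f"port {port}: MAC Lockdown and 802.1X are mutually exclusive")
    return findings


if __name__ == "__main__":
    for finding in audit_lockdown(SAMPLE_CONFIG):
        print("WARN", finding)
```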

----
After all that, the conclusion is:
just put no in front of the command to turn it off!!!

Mirror port
Simply put, it copies the packets from every port on the whole switch to this one port;
then, using packet-analysis software, we can see the current network usage.
Document excerpt as follows: page 27, keyword: mirror port
-----
CLI: Configuring Port and Static Trunk Monitoring
Port and Static Trunk Monitoring Commands Used in This Section:
show monitor (below)
mirror-port (page B-27)
monitor (page B-28)
You must use the following configuration sequence to configure port and static trunk monitoring in the CLI:
1. Assign a monitoring (mirror) port.
2. Designate the port(s) and static trunk(s) to monitor.
Displaying the Monitoring Configuration. This command lists the port assigned to receive monitored traffic and the ports and/or trunks being monitored.
Syntax: show monitor
For example, if you assign port A6 as the monitoring port and configure the switch to monitor ports A1 - A3, show monitor displays the following: