HP (Hewlett-Packard) 3400CL-24G Switch User Manual


 
Enforcing Switch Security
Network Access Security
Refer to the chapter titled “Configuring Port-Based and Client-Based Access Control” in the Access
Security Guide for your switch model.
Port Security, MAC Lockdown, MAC Lockout, and IP Lockdown
These features provide device-based access security in the following ways:
port security: Enables configuration of each switch port with a unique list of the MAC
addresses of devices that are authorized to access the network through that port. This
enables individual ports to detect, prevent, and log attempts by unauthorized devices to
communicate through the switch. Some switch models also include eavesdrop prevention
in the port security feature.
MAC lockdown: This “static addressing” feature is used as an alternative to port security
to prevent station movement and MAC address “hijacking” by allowing a given MAC
address to use only one assigned port on the switch. MAC lockdown also restricts the client
device to a specific VLAN.
MAC lockout: This feature enables blocking of a specific MAC address so that the switch
drops all traffic to or from the specified address.
IP lockdown: Available on Series 2600 and 2800 switches only, this feature enables
restriction of incoming traffic on a port to a specific IP address/subnet, and denies all
other traffic on that port.
Refer to the chapter titled “Configuring and Monitoring Port Security” in the Access Security Guide
for your switch model.
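The following Python sketch is an added example, not code from this manual or from HP: a simplified model of how the four features above decide whether a frame is forwarded or dropped. The order of the checks, the reading of IP lockdown as a source-address match, and all MAC, IP, port and VLAN values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Frame:
    port: int
    vlan: int
    src_mac: str
    dst_mac: str
    src_ip: str

@dataclass
class Policy:
    port_security: dict = field(default_factory=dict)  # port -> authorized source MACs
    mac_lockdown: dict = field(default_factory=dict)   # MAC -> (assigned port, VLAN)
    mac_lockout: set = field(default_factory=set)      # MACs dropped on every port
    ip_lockdown: dict = field(default_factory=dict)    # port -> permitted subnet

def evaluate(policy, f):
    """Return (action, feature) for frame f. The check order is an assumption."""
    if f.src_mac in policy.mac_lockout or f.dst_mac in policy.mac_lockout:
        return ("drop", "mac-lockout")          # all traffic to or from the MAC
    bound = policy.mac_lockdown.get(f.src_mac)
    if bound is not None and bound != (f.port, f.vlan):
        return ("drop", "mac-lockdown")         # MAC seen off its port or VLAN
    allowed = policy.port_security.get(f.port)
    if allowed is not None and f.src_mac not in allowed:
        return ("drop", "port-security")        # MAC not on this port's list
    subnet = policy.ip_lockdown.get(f.port)
    if subnet is not None and ip_address(f.src_ip) not in ip_network(subnet):
        return ("drop", "ip-lockdown")          # source IP outside the subnet
    return ("forward", "permitted")

# Constructed sample policy and frames (every address and port is made up).
PC, SERVER, ROGUE, BANNED = "0a0000-000001", "0a0000-000002", "0a0000-000003", "0a0000-000004"
POLICY = Policy(port_security={1: {PC}}, mac_lockdown={SERVER: (5, 10)},
                mac_lockout={BANNED}, ip_lockdown={7: "10.0.7.0/24"})
FRAMES = [
    Frame(1, 1, PC, SERVER, "10.0.1.20"),     # authorized MAC on secured port 1
    Frame(1, 1, ROGUE, SERVER, "10.0.1.66"),  # unlisted MAC on secured port 1
    Frame(3, 10, SERVER, PC, "10.0.5.2"),     # locked-down MAC on the wrong port
    Frame(5, 20, SERVER, PC, "10.0.5.2"),     # right port, wrong VLAN
    Frame(2, 1, PC, BANNED, "10.0.1.20"),     # traffic to a locked-out MAC
    Frame(7, 1, ROGUE, PC, "192.168.9.9"),    # source IP outside port 7's subnet
]

def run():
    return [evaluate(POLICY, f) for f in FRAMES]
if __name__ == "__main__":
    print(*zip((f.port for f in FRAMES), run()), sep="\n")
```

The model shows the difference in scope: port security is keyed on the port, MAC lockdown and MAC lockout are keyed on the address, and MAC lockout also matches the destination address.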
Key Management System (KMS)
KMS is available in several ProCurve switch models and is designed to configure and maintain key
chains for use with KMS-capable routing protocols that use time-dependent or time-independent
keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual
Access Control Types 6200yl 5400zl 3500yl 5300xl 4200vl 3400cl 6400cl 2800 2600 2600-pwr 4100gl
client-based access control (up to 32 authenticated clients per port) XX*------
port-based access control (one authenticated client opens the port) X XXX X
switch operation as a supplicant X X X X X
* On the 5300xl switches, this feature is available with software release E.09.02 and greater.