HP 2600 Series User Manual

9-26

Configuring and Monitoring Port Security
MAC Lockout

Lockout command (

lockout-mac <mac-address>). When the wireless clients

then attempt to use the network, the switch recognizes the intruding MAC
addresses and prevents them from sending or receiving data on that network.

If a particular MAC address can be identified as unwanted on the switch then
that MAC Address can be disallowed on all ports on that switch with a single
command. You don’t have to configure every single port—just perform the
command on the switch and it is effective for all ports.

MAC Lockout overrides MAC Lockdown, port security, and 802.1x authenti-
cation.

You cannot use MAC Lockout to lock:

•

Broadcast or Multicast Addresses (Switches do not learn these)

•

Switch Agents (The switch’s own MAC Address)

If someone using a locked out MAC address tries to send data through the
switch a message is generated in the log file:

Lockout logging format:

W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0

detected on port A15

W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0

detected on port A15

W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out

logs for 5m

As with MAC Lockdown a rate limiting algorithm is used on the log file so that
it does not become overclogged with error messages. (Refer to “Limiting the
Frequency of Log Messages” on page 9-20.)

Displaying status.

Locked out ports are listed in the output of the

show

running-config command in the CLI. The show lockout-mac command also lists
the locked out MAC addresses, as shown below.