Configuring and Monitoring Port Security
MAC Lockdown
The key points for this Model Topology are:
• The Core Network is separated from the edge by the use of switches which have been “locked down” for security.
• All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
• Each switch has been configured with MAC Lockdown so that the MAC Address for Server A has been locked down to one port per switch that can connect to the Core and Server A.
Using this setup, Server A can be moved around within the core network, and yet MAC Lockdown will still prevent a user at the edge from hijacking its address and stealing data.

Please note that in this scenario a user with bad intentions at the edge can still “spoof” the address for Server A and send out data packets that look as though they came from Server A. The good news is that because MAC Lockdown has been used on the switches at the edge, any traffic that is sent back to Server A will be delivered to the proper MAC Address. The switches at the edge will not send Server A’s data packets anywhere but the port connected to Server A. (Data would not be allowed to go beyond the edge switches.)
Caution: Using MAC Lockdown still does not protect against a hijacker within the core! In order to protect against someone spoofing the MAC Address for Server A inside the Core Network, you would have to lock down each and every switch inside the Core Network as well, not just on the edge.
Problems Using MAC Lockdown in Networks With Multiple Paths

Now let’s take a look at a network topology in which the use of MAC Lockdown presents a problem. In the next figure, Switch 1 (on the
at the edge of the network where there is a mixed audience that might contain hackers or other malicious users. Switch 1 has two paths it could use to connect to Server A. If you try to use MAC Lockdown here to make sure that all data to Server A is “locked down” to one path, connectivity problems would be the result since both paths need to be usable in case one of them fails.
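The two behaviours this section describes, hijack prevention at the edge and the loss of failover when a locked-down path goes down, as an added simulation of a switch forwarding table. This is illustration code, not code from the HP manual or from the ProCurve firmware; the port names, MAC addresses and the `Frame`/`Switch` types are constructed for the example, and the switch model follows only what the text states: a locked-down MAC is never learned on another port, frames addressed to it leave only through the locked port, and a link-down event does not move it to the other path.

```python
"""Toy model of a switch forwarding table with MAC Lockdown.

Added illustration, not code from the HP ProCurve manual or switch firmware.
Port names, MAC addresses and the Frame/Switch types are constructed here.
"""
from dataclasses import dataclass, field

SERVER_A = "00:11:22:33:44:aa"  # constructed address for Server A
CLIENT = "00:11:22:33:44:01"    # constructed address for a user at the edge


@dataclass
class Frame:
    src: str
    dst: str
    in_port: str


@dataclass
class Switch:
    ports: frozenset
    learned: dict = field(default_factory=dict)  # dynamically learned MAC -> port
    locked: dict = field(default_factory=dict)   # MAC Lockdown entries MAC -> port
    down: set = field(default_factory=set)       # ports whose link is currently down

    def lockdown(self, mac: str, port: str) -> None:
        """Pin a MAC address to one port; learning on other ports cannot move it."""
        self.locked[mac] = port

    def link_down(self, port: str) -> None:
        """Take a port down and flush the dynamic entries learned on it (as a
        real switch does); locked-down entries are static and stay put."""
        self.down.add(port)
        self.learned = {m: p for m, p in self.learned.items() if p != port}

    def forward(self, frame: Frame) -> set:
        """Learn from the frame's source, then return the set of egress ports
        (an empty set means the frame is dropped)."""
        # A locked-down MAC seen on some other port is not learned, so a
        # spoofed source address cannot redirect the entry to the spoofer's port.
        if frame.src not in self.locked:
            self.learned[frame.src] = frame.in_port

        if frame.dst in self.locked:
            port = self.locked[frame.dst]
            # Locked port down: no fallback path, the frame is dropped.
            return set() if port in self.down else {port}
        if frame.dst in self.learned:
            port = self.learned[frame.dst]
            return set() if port in self.down else {port}
        # Unknown destination: flood to every live port except the ingress port.
        return {p for p in self.ports if p != frame.in_port and p not in self.down}


def return_path(use_lockdown: bool) -> set:
    """Edge switch with Server A reachable via uplink1. A user on edge1 spoofs
    Server A's address; which port does a client's reply to Server A leave on?"""
    sw = Switch(ports=frozenset({"uplink1", "edge1", "edge2"}))
    if use_lockdown:
        sw.lockdown(SERVER_A, "uplink1")
    # Genuine traffic from Server A arrives over the uplink first.
    sw.forward(Frame(src=SERVER_A, dst=CLIENT, in_port="uplink1"))
    # A frame on edge1 claims Server A's source address.
    sw.forward(Frame(src=SERVER_A, dst=CLIENT, in_port="edge1"))
    # The client on edge2 replies to Server A.
    return sw.forward(Frame(src=CLIENT, dst=SERVER_A, in_port="edge2"))


def failover(use_lockdown: bool) -> set:
    """Switch with two paths to Server A (uplink1, uplink2). The path Server A
    was locked to goes down; where does traffic to Server A go now?"""
    sw = Switch(ports=frozenset({"uplink1", "uplink2", "edge1"}))
    if use_lockdown:
        sw.lockdown(SERVER_A, "uplink1")
    sw.forward(Frame(src=SERVER_A, dst=CLIENT, in_port="uplink1"))
    sw.link_down("uplink1")
    return sw.forward(Frame(src=CLIENT, dst=SERVER_A, in_port="edge1"))


if __name__ == "__main__":
    print("reply, no lockdown:     ", return_path(False))  # {'edge1'}: hijacked
    print("reply, with lockdown:   ", return_path(True))   # {'uplink1'}
    print("failover, no lockdown:  ", failover(False))     # {'uplink2'}: re-flooded
    print("failover, with lockdown:", failover(True))      # set(): dropped
```

Without lockdown the spoofed frame overwrites the dynamic entry and the client's reply is delivered to the spoofer's port; with lockdown the reply still leaves on the locked uplink. In the two-path case the same static entry is what breaks failover: after `link_down("uplink1")` the dynamic table is flushed and an unlocked switch floods the frame out `uplink2`, while the locked switch keeps sending to the dead port and drops the frame.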