03-11-2013 02:53 AM
I've a question regarding the port security function on the HP Procurve 2610 switches. I wish to enable this but I'm not sure if it works in conjunction with IP Phones. They connect to these, which in turn are connected to terminals.
Is it true that when port security is applied, the port on the switch will check the MAC address of the IP phone and, if it's authorized, allow the connection? Will the terminals also be allowed/blocked depending on whether the IP phones are allowed/blocked by the switch?
If not, and you know of a better solution please advise. I'm looking for a decent way to make the network secure against unwanted devices.
03-11-2013 05:13 PM
Typically port-security is used to tie specific MAC addresses to specific ports. For example you might want the phone with MAC address 000000-000001 to only be allowed on port A1 and only port A1. The phone would be the only device allowed to ingress packets on port A1 and it wouldn't be allowed if it was moved to another port.
It sounds like you are also connecting PCs to the phones. The PCs won't be allowed just because the phone is allowed. The PC's MAC address will also have to be configured in port-security just like the phone.
port-security a1 learn-mode configured
port-security a1 address-limit 2
port-security a1 mac-address 000000-000001 # phone's MAC addr
port-security a1 mac-address 000000-000002 # pc's MAC addr
The example above would allow the two devices with the given MAC addresses to connect to port A1.
If you are deploying an environment where you want to authenticate the devices but not necessarily tie them to a specific port, you may consider using a RADIUS server and MAC-based authentication. 802.1X is another option if your phones and PCs support it. Most recent phones and PCs will have no problem.
Are you familiar with RADIUS?
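Two things go wrong in practice with the scheme in the answer above: MAC addresses arrive from phone labels and PC inventories in assorted formats, and the address-limit on a port drifts away from the number of mac-address lines as phones and PCs are swapped. The script below, an added example and not code from the thread or from HP, generates one stanza per port from an inventory and audits a saved config for those two mistakes. It assumes only the command syntax shown in the answer (learn-mode configured, address-limit, mac-address in xxxxxx-xxxxxx form); the port names and MAC addresses are constructed sample data.

```python
"""Build and audit ProCurve-style port-security stanzas (added example).

Assumptions: the three commands quoted in the answer are taken as the syntax;
the inventory and config text below are constructed, not from a real switch.
"""
import re
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Accept 00:00:00:00:00:01, 00-00-00-00-00-01, 0000.0000.0001 or
    000000-000001 and return the switch's xxxxxx-xxxxxx form in lower case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


def port_security_lines(port: str, macs) -> list:
    """One stanza per port: learn-mode configured, an address-limit equal to the
    number of devices behind the port (phone plus PC), one mac-address line each."""
    normalized = [normalize_mac(m) for m in macs]
    if len(set(normalized)) != len(normalized):
        raise ValueError(f"duplicate MAC in inventory for port {port}")
    port = port.lower()
    lines = [
        f"port-security {port} learn-mode configured",
        f"port-security {port} address-limit {len(normalized)}",
    ]
    lines += [f"port-security {port} mac-address {m}" for m in normalized]
    return lines


_LIMIT = re.compile(r"^port-security\s+(\S+)\s+address-limit\s+(\d+)\s*$")
_MAC = re.compile(r"^port-security\s+(\S+)\s+mac-address\s+([0-9a-fA-F]{6}-[0-9a-fA-F]{6})")


def audit_config(config_text: str) -> list:
    """Flag two misconfigurations in a port-security config:
    - a port whose address-limit does not equal its count of mac-address lines
      (a phone or PC was added or removed without touching the limit);
    - one MAC authorized on several ports, which defeats tying a device to its port.
    Returns human-readable findings; an empty list means clean."""
    limits = {}
    macs_by_port = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments like the post's
        if (m := _LIMIT.match(line)):
            limits[m.group(1).lower()] = int(m.group(2))
        elif (m := _MAC.match(line)):
            macs_by_port[m.group(1).lower()].append(m.group(2).lower())

    findings = []
    for port in sorted(set(limits) | set(macs_by_port)):
        n = len(macs_by_port.get(port, []))
        limit = limits.get(port)
        if limit is None:
            findings.append(f"{port}: no address-limit set for {n} configured MAC(s)")
        elif limit != n:
            findings.append(f"{port}: address-limit {limit} but {n} configured MAC(s)")

    ports_by_mac = defaultdict(set)
    for port, macs in macs_by_port.items():
        for mac in macs:
            ports_by_mac[mac].add(port)
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(f"{mac}: authorized on multiple ports {sorted(ports)}")
    return findings


# Constructed inventory: port -> (phone MAC, PC MAC) in the formats labels tend to use.
INVENTORY = {
    "A1": ["00:00:00:00:00:01", "0000.0000.0002"],
    "A2": ["00-00-00-00-00-03", "000000-000004"],
}

# Constructed config in which A2's PC was swapped for A1's PC without updating the limit.
SAMPLE_CONFIG = """\
port-security a1 learn-mode configured
port-security a1 address-limit 2
port-security a1 mac-address 000000-000001 # phone
port-security a1 mac-address 000000-000002 # pc
port-security a2 learn-mode configured
port-security a2 address-limit 1
port-security a2 mac-address 000000-000003
port-security a2 mac-address 000000-000002
"""

if __name__ == "__main__":
    for port, macs in INVENTORY.items():
        print("\n".join(port_security_lines(port, macs)))
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a `show running-config` capture, the audit is a cheap way to catch a limit that no longer matches the phone-plus-PC pair on each port before a user reports a phone that silently stopped passing traffic.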