AANTS - MAC Address Port Locking/Unlocking Using the EdgeConf Tool
What is MAC address locking?
By locking an edge port to a specific MAC address (usually a device's NIC) you are only allowing one specific device to access that port. If someone were to unplug the original device and attempt to access the locked port with a different device, they would be unable to receive any traffic from the port.
This can be an important aspect of physical security in certain locations.
How do I use the EdgeConf tool to lock a port to a specific MAC address?
NOTE: You cannot lock more than one port on a device to the same MAC address. If you attempt to do so, the lock will not take and that port will be disabled from taking any MAC lock until someone from DoIT can reset the port. Please be sure the MAC address you are locking is not already locked somewhere else on the device.
To lock a port to a MAC address:
- Check the select box on the row of the port you wish to lock to enable editing.
- Change the 'MAC Address Locking' column to 'on' to enable the text input field.
- Enter one or more MAC addresses separated by whitespace in one of the common formats, e.g. '1234.abcd.5678', '12:34:ab:cd:56:78', '12-34-ab-cd-56-78', '1234:abcd:5678' or '1234abcd5678'; any non-hexadecimal characters will be stripped off.
- Submit your change.
How do I use the EdgeConf tool to unlock (free) a previously locked port?
- Check the select box on the row of the port you wish to unlock to enable editing.
- Change the 'MAC Address Locking' column to 'off'.
- Submit your change.
What is going on behind the scenes when I lock a port?
Cisco IOS commands are being issued on the device to do the port locking and unlocking.
Locking:
#===== Unlock from old address, if there is one
shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut
#===== Now lock to the new address
shut
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address $new_mac_address
no shut
Unlocking:
shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut
Can I lock a port to more than one MAC address?
Yes. While it is generally not encouraged as a work-around to poor network design, there are some legitimate reasons for locking one port to multiple MAC addresses. The EdgeConf GUI supports this feature. If you click on the port name from the main EdgeConf GUI page, you will be taken to the "EditPort" dialog, which has a larger text input field to ease entering multiple MAC addresses for locking.
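The following Python script is an added example and is not part of this article or of the EdgeConf tool itself. It shows the three pieces the article describes: normalizing a MAC address entered in any of the listed formats by stripping non-hexadecimal characters, refusing a request when the same MAC is already locked on another port of the same device (the condition the NOTE above warns about), and rendering the unlock/lock command sequences shown in the previous section. The port names and the table of existing locks are constructed sample data, and the choice to raise 'switchport port-security maximum' to the number of addresses for a multi-MAC lock is an assumption, since the article only shows the single-address form.

```python
import re
from typing import Dict, List

# Every non-hex character is stripped, mirroring the EdgeConf input field behaviour.
_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(raw: str) -> str:
    """Accept '1234.abcd.5678', '12:34:ab:cd:56:78', '12-34-ab-cd-56-78',
    '1234:abcd:5678' or '1234abcd5678' and return the Cisco dotted form."""
    digits = _NON_HEX.sub("", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"{raw!r}: expected 12 hex digits after stripping, got {len(digits)}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def parse_mac_field(text: str) -> List[str]:
    """Whitespace-separated MAC list -> normalized, order-preserving, de-duplicated."""
    macs: List[str] = []
    for token in text.split():
        mac = normalize_mac(token)
        if mac not in macs:
            macs.append(mac)
    return macs


def find_conflicts(port: str, macs: List[str],
                   existing_locks: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {mac: other_port} for every requested MAC already locked on a
    different port of the same device. The article warns that such a lock will
    not take and leaves the port unusable until DoIT resets it, so refuse early."""
    conflicts: Dict[str, str] = {}
    for other_port, locked in existing_locks.items():
        if other_port == port:
            continue
        for mac in locked:
            if mac in macs:
                conflicts[mac] = other_port
    return conflicts


# Unlock sequence exactly as the article lists it (interface configuration mode).
UNLOCK_COMMANDS = [
    "shut",
    "no switchport port-security maximum 1",
    "no switchport port-security",
    "no switchport port-security violation restrict",
    "no switchport port-security mac-address",
    "no shut",
]


def lock_commands(macs: List[str]) -> List[str]:
    """Unlock-then-lock sequence from the article. Assumption (not shown in the
    article): for a multi-MAC lock, 'maximum' is set to the number of addresses."""
    if not macs:
        raise ValueError("at least one MAC address is required")
    cmds = list(UNLOCK_COMMANDS)
    cmds += [
        "shut",
        "switchport mode access",
        f"switchport port-security maximum {len(macs)}",
        "switchport port-security",
        "switchport port-security violation restrict",
    ]
    cmds += [f"switchport port-security mac-address {mac}" for mac in macs]
    cmds.append("no shut")
    return cmds


def plan_lock(port: str, mac_field: str,
              existing_locks: Dict[str, List[str]]) -> Dict[str, object]:
    """Validate a lock request; return the conflicts or the command list."""
    macs = parse_mac_field(mac_field)
    conflicts = find_conflicts(port, macs, existing_locks)
    if conflicts:
        return {"ok": False, "conflicts": conflicts, "commands": []}
    return {"ok": True, "conflicts": {}, "commands": lock_commands(macs)}


if __name__ == "__main__":
    # Constructed sample: a device where Gi1/0/7 is already locked to one MAC.
    current = {"Gi1/0/7": ["1234.abcd.5678"], "Gi1/0/8": ["aabb.ccdd.0001"]}
    print(plan_lock("Gi1/0/5", "12:34:AB:CD:56:78", current))  # conflict with Gi1/0/7
    for line in plan_lock("Gi1/0/5", "aabb.ccdd.0002 AA-BB-CC-DD-00-03", current)["commands"]:
        print(line)
```

The conflict check is the part worth keeping even if you never generate commands yourself: running it against an export of the device's current locks before submitting in EdgeConf avoids the disabled-port state described in the NOTE above.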
