AANTS - MAC Address Port Locking/Unlocking Using the EdgeConf Tool

This document outlines the procedure to lock edge ports to, and unlock edge ports from, a specific MAC address using the Authorized Agent Network Tool Suite (AANTS) EdgeConf tool.

What is MAC address locking?

By locking an edge port to a specific MAC address (usually a device's NIC) you are only allowing one specific device to access that port. If someone were to unplug the original device and attempt to access the locked port with a different device, they would be unable to receive any traffic from the port.

This can be an important aspect of physical security in certain locations.

How do I use the EdgeConf tool to lock a port to a specific MAC address?

NOTE: You cannot lock more than one port on a device to the same MAC address. If you attempt to do so, the lock will not take and that port will be disabled from taking any MAC lock until someone from DoIT can reset the port. Please be sure the MAC address you are locking is not already locked somewhere else on the device.

To lock a port to a MAC address:

1) Check the select box next to the port you wish to lock.
2) Change the 'mac locked' select to 'Y'. This will enable the MAC address text field.
3) Enter the MAC address in one of the common formats,
e.g.
'1234.abcd.5678'
'12:34:ab:cd:56:78'
'12-34-ab-cd-56-78'
'1234:abcd:5678'
'1234abcd5678'

The form will warn/help you if you try to submit an address in the wrong format.

4) Submit your change.

How do I use the EdgeConf tool to unlock (free) a previously locked port?

1) Check the select box next to the port you wish to unlock.
2) Change the 'mac locked' select to 'N'.
3) Submit your change.

What is going on behind the scenes when I lock a port?

The tool issues Cisco IOS interface-level commands on the device to do the port locking and unlocking.

Locking:

#===== Unlock from old address, if there is one
shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut

#===== Now lock to the new address
shut
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address $new_mac_address
no shut

Unlocking:

shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut
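The format check from step 3 of the locking procedure and the command sequences above, worked together as an added example that is not part of the AANTS tool or this article: a small Python module that normalizes the five listed MAC notations, renders the dotted form IOS expects, generates the lock and unlock command lists shown here, and applies the one-lock-per-MAC-per-device rule from the note above before generating anything. The port names and the current_locks table are constructed for illustration.

```python
import re

# Accepted notations, matching the examples given in the EdgeConf form help.
_MAC_PATTERNS = (
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),  # 1234.abcd.5678
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),         # 12:34:ab:cd:56:78
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),         # 12-34-ab-cd-56-78
    re.compile(r"^[0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}$"),    # 1234:abcd:5678
    re.compile(r"^[0-9a-f]{12}$"),                           # 1234abcd5678
)


def is_valid_mac(text):
    """True if the text is in one of the accepted notations (case-insensitive)."""
    s = text.strip().lower()
    return any(p.match(s) for p in _MAC_PATTERNS)


def normalize_mac(text):
    """Return the 12 hex digits of a MAC given in any accepted notation.

    Raises ValueError for anything else, mirroring the form's format check.
    """
    if not is_valid_mac(text):
        raise ValueError("unrecognised MAC address format: %r" % text)
    return re.sub(r"[.:-]", "", text.strip().lower())


def to_cisco_format(text):
    """Render a MAC in the dotted-triplet form IOS uses (hhhh.hhhh.hhhh)."""
    h = normalize_mac(text)
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


# The interface-level command sequence the article shows for unlocking.
UNLOCK_COMMANDS = [
    "shut",
    "no switchport port-security maximum 1",
    "no switchport port-security",
    "no switchport port-security violation restrict",
    "no switchport port-security mac-address",
    "no shut",
]


def lock_commands(mac_text):
    """Commands to lock a port: clear any old lock, then apply the new one.

    'violation restrict' drops frames from any other MAC and counts/logs the
    violation; it does not err-disable the port.
    """
    mac = to_cisco_format(mac_text)
    return UNLOCK_COMMANDS + [
        "shut",
        "switchport mode access",
        "switchport port-security maximum 1",
        "switchport port-security",
        "switchport port-security violation restrict",
        "switchport port-security mac-address %s" % mac,
        "no shut",
    ]


def conflicting_port(current_locks, port, mac_text):
    """Name of another port on the same device already locked to this MAC, or None.

    current_locks: {port_name: mac} for one device, MACs in any accepted notation.
    """
    mac = normalize_mac(mac_text)
    for other_port, other_mac in current_locks.items():
        if other_port != port and normalize_mac(other_mac) == mac:
            return other_port
    return None


def plan_lock(current_locks, port, mac_text):
    """Apply the one-lock-per-MAC-per-device rule, then build the commands.

    Returns (port, commands). Raises ValueError if the MAC is already locked
    on a different port, since a second lock would not take and would leave
    the port unusable until reset.
    """
    clash = conflicting_port(current_locks, port, mac_text)
    if clash is not None:
        raise ValueError("MAC %s is already locked on port %s"
                         % (to_cisco_format(mac_text), clash))
    return port, lock_commands(mac_text)


if __name__ == "__main__":
    # Constructed sample: one existing lock on a hypothetical device.
    locks = {"Fa0/1": "12:34:ab:cd:56:78"}
    port, cmds = plan_lock(locks, "Fa0/2", "00-11-22-aa-bb-cc")
    print("interface", port)
    for c in cmds:
        print(" ", c)
```

The conflict check is the part worth keeping in front of any automation: the IOS commands themselves will accept a duplicate MAC on a second port, and it is the switch's port-security state afterwards, not the command output, that reveals the problem described in the note above.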

Can I lock a port to more than one MAC address?

Yes. While it is generally not encouraged as a work-around to poor network design, there are some legitimate reasons for locking one port to multiple MAC addresses. The EdgeConf GUI supports this feature. If you click on the port name from the main EdgeConf GUI page, you will be taken to the "EditPort" dialog, which allows you to enter multiple MAC addresses for locking.

Keywords: AANTS, MAC Address, Security, MAC Address Locking, MAC Address Unlocking, EdgeConf, tool, tools
Doc ID: 4890
Owner: Charles T.
Group: Network Services
Created: 2006-08-01 19:00 CDT
Updated: 2011-05-18 19:00 CDT
Sites: DoIT Help Desk, Network Services, Systems & Network Control Center