This document outlines the procedure to lock edge ports to, and unlock edge ports from, a specific MAC address using the Authorized Agent Network Tool Suite (AANTS) EdgeConf tool.
What is MAC address locking?
By locking an edge port to a specific MAC address (usually that of a device's NIC), you allow only that one device to use the port. If someone were to unplug the original device and attempt to access the locked port with a different device, that device would be unable to receive any traffic from the port.
This can be an important aspect of physical security in certain locations.
How do I use the EdgeConf tool to lock a port to a specific MAC address?
NOTE: You cannot lock more than one port on a device to the same MAC address. If you attempt to do so, the lock will not take and that port will be disabled from taking any MAC lock until someone from DoIT can reset the port. Please be sure the MAC address you are locking is not already locked somewhere else on the device.
To lock a port to a MAC address:
1) Check the select box next to the port you wish to lock.
2) Change the 'mac locked' select to 'Y'. This will enable the mac address text field.
3) Enter the MAC address in one of the common formats. The form will warn you, and help you correct the address, if you try to submit it in the wrong format.
4) Submit your change.
How do I use the EdgeConf tool to unlock (free) a previously locked port?
1) Check the select box next to the port you wish to unlock.
2) Change the 'mac locked' select to 'N'.
3) Submit your change.
What is going on behind the scenes when I lock a port?
Cisco IOS commands are being issued on the device to do the port locking and unlocking.
#===== Unlock from old address, if there is one
shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut
#===== Now lock to the new address
shut
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address $new_mac_address
no shut

Unlocking a port issues only the first block of commands:

shut
no switchport port-security maximum 1
no switchport port-security
no switchport port-security violation restrict
no switchport port-security mac-address
no shut
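As an added illustration (not part of EdgeConf or this document), the following Python sketch shows the two checks a tool like EdgeConf has to make before it emits the IOS command sequence above: validating the MAC address in the common notations and normalizing it to the dotted form IOS expects, and refusing to lock a MAC that is already locked on another port of the same device. The port names and the `existing_locks` mapping are assumed inputs, not EdgeConf's own data model.

```python
import re

# The common MAC notations EdgeConf's form accepts (assumed set):
# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
    r"|[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"
    r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)

# The "unlock from old address" block from the IOS sequence above.
UNLOCK_COMMANDS = [
    "shut",
    "no switchport port-security maximum 1",
    "no switchport port-security",
    "no switchport port-security violation restrict",
    "no switchport port-security mac-address",
    "no shut",
]

def normalize_mac(mac):
    """Validate a MAC in any accepted format; return the IOS hhhh.hhhh.hhhh form.
    Raises ValueError for a malformed address (the form's format check)."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def lock_commands(new_mac, existing_locks, port):
    """Return the interface commands that lock `port` to `new_mac`.
    `existing_locks` maps port name -> MAC already locked on this device.
    The same MAC on a second port is refused: the lock would not take and
    the device would stop accepting any MAC lock on that port."""
    mac = normalize_mac(new_mac)
    clash = [p for p, m in existing_locks.items()
             if normalize_mac(m) == mac and p != port]
    if clash:
        raise ValueError(f"{mac} is already locked on {clash[0]}; unlock it first")
    lock = [
        "shut",
        "switchport mode access",
        "switchport port-security maximum 1",
        "switchport port-security",
        "switchport port-security violation restrict",
        f"switchport port-security mac-address {mac}",
        "no shut",
    ]
    return UNLOCK_COMMANDS + lock
```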
Can I lock a port to more than one MAC address?
Yes. While it is generally not encouraged as a work-around to poor network design, there are some legitimate reasons for locking one port to multiple MAC addresses. The EdgeConf GUI supports this feature. If you click on the port name from the main EdgeConf GUI page, you will be taken to the "EditPort" dialog, which allows you to enter multiple MAC addresses for locking.