7

We seem to have a problem with rogue devices on our network. From DHCP (on Win2003), I can see names of devices that are clearly not ours. From the name, I suspect it's a wireless AP (WGR614 looks like a Netgear to me). I can't ping it now, but I want to A.) be certain it's gone, and B.) stop it from coming back.

My initial theory is to block the MAC address at the switch. I'd also like to find which port the MAC address was connected to so I can find the location it was connected.

We have different flavors of HP ProCurve switches, with our primary switch a 4200. How would I go about doing this as a one-off task? I'm not a network admin really, so please be gentle.

masegaloeh
CC.
  • Bad news: blocking the MAC of the AP won't block the MAC of its connected clients. You may want to have a look at ProCurve's port-security (if compatible with your model) to only allow 1 MAC per port. – LatinSuD Dec 05 '13 at 13:43

2 Answers

5

I can't tell you a thing about "blocking" or access-control-list functionality in HP ProCurve switches. In general, "blocking" unwanted devices isn't a good thing. Stopping the wanted devices from getting on your network in the first place is a better idea.

To find the MAC address of an offending device, from a computer on the same subnet as that device, PING the device and then do an "arp -a" from a command prompt. You should get back something like this (on Windows):

Interface: 192.168.28.10 --- 0x6
  Internet Address      Physical Address      Type
  192.168.28.9          00-ff-22-71-a6-a2     dynamic

The MAC address is listed under the "physical address" column.

Hopefully the ProCurve switches have some functionality to allow you to search the MAC address database on the switch for a given address. Do that, and the switch will tell you which port it is "seeing" that MAC address attached to.

On a Cisco switch (or a "Cisco-workalike" switch), you'd do:

show mac-address | include xxxx.xxxx.xxxx

Where the x's are the MAC address (removing the "-" between the digits that Windows reports and placing "." between each group of 4 digits).

Track down what's plugged into that port. If it's another switch, repeat the process on the other switch. If you end up with a wireless access point, think about using (better) encryption to keep unauthorized parties off your network.

Evan Anderson
  • +1 I think from a security standpoint it is almost always better to have a 'permit only list' (inclusive) instead of an 'exclude list' (exclusive). – Kyle Brandt Jul 13 '09 at 19:04
  • Thanks! I was able to track it down from show mac-address. I couldn't arp -a since it wasn't on the network anymore, but the switches had what I needed. If switches are like servers, yeah, I'd use a permit list rather than deny, but I'm just trying to stop it quickly. I suspect compiling that MAC list is a bit more involved, but tell me if I'm wrong! – CC. Jul 13 '09 at 21:02
  • show mac-address is also the command to get a MAC address list on the HP ProCurve via telnet too. – EKS Jul 22 '09 at 07:43
4

Do you know how to get to the command line interface? The command

show mac-address

will show you all the MAC addresses the switch has detected.

You can get all the manuals for the 4200 here:

Manuals for Procurve 6400cl/5300xl/4200vl/3400cl switches

Ward - Trying Codidact
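The lookup both answers describe, as an added Python example that is not part of the original posts: it normalizes a MAC address between the notations Windows and switches print, renders the dotted form used in the first answer's command, and finds the port in pasted "show mac-address" output. The function names and the sample table are constructed for illustration, and the parser assumes the port is the last column of each row.

```python
import re
from collections import defaultdict

# One MAC, several spellings: 00-ff-22-71-a6-a2 (Windows arp -a),
# 00:ff:22:71:a6:a2, 00ff.2271.a6a2 (dotted), 00ff22-71a6a2, 00ff2271a6a2.
MAC_FORMS = re.compile(
    r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
    r"|[0-9a-f]{6}-[0-9a-f]{6}|[0-9a-f]{12}", re.IGNORECASE)

def normalize_mac(token):
    """Return the MAC as 12 lowercase hex digits, or None if not a MAC."""
    if MAC_FORMS.fullmatch(token):
        return re.sub(r"[-:.]", "", token).lower()
    return None

def to_dotted(mac):
    """Render a MAC as xxxx.xxxx.xxxx, the form the answer's command uses."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def locate(table_text, mac):
    """Return (port, number of MACs learned on that port), or (None, 0)."""
    target, ports, hit = normalize_mac(mac), defaultdict(set), None
    for line in table_text.splitlines():
        fields = line.split()
        macs = [m for m in map(normalize_mac, fields) if m]
        if len(fields) < 2 or not macs:
            continue  # header, separator or blank line
        port = fields[-1]  # assumption: the port is the last column
        ports[port].add(macs[0])
        if macs[0] == target:
            hit = port
    return (hit, len(ports[hit])) if hit else (None, 0)

# Constructed sample table (not captured from a real switch).
SAMPLE_TABLE = """\
  MAC Address   Located on Port
  ------------- ---------------
  00ff22-71a6a2 B14
  001122-334455 B14
  0011aa-bbccdd A2
"""

if __name__ == "__main__":
    mac = "00-ff-22-71-a6-a2"  # the address shown in the arp -a output above
    print(to_dotted(mac), locate(SAMPLE_TABLE, mac))
```

A count above 1 means more than one device sits behind that port, so it leads to another switch or an access point rather than a single host, and the lookup has to be repeated there.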