How MAC Lockout works

Let us say a customer knows there are unauthorized wireless clients who must not have access to the network. The network administrator "locks out" the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac <mac-address> ). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.

Unwanted MAC Addresses can be disallowed on all switch ports with a single command. You do not have to configure every port—perform the command on the switch and it is effective for all ports.

MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.

You cannot use MAC Lockout to lock:
  • Broadcast or Multicast Addresses (Switches do not learn these addresses)

  • Switch Agents (The switch MAC Address)

There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries.

Limits on Lockout MACs


# Multicast filters

# Lockout MACs











Multicast filtering is not supported on Hewlett Packard Enterprise switches J9779A, J9780A, J9782A, and J9783A.

If someone using a locked out MAC address tries to send data through the switch, a message is generated in the log file:

Lockout logging format:
W 10/30/03 21:35:15 maclock: 0001e6-1f96c0 detected on port 15
W 10/30/03 21:35:18 maclock: 0001e6-1f96c0 detected on port 15
W 10/30/03 21:35:18 maclock: Ceasing lock-out logs for 5m

As with MAC Lockdown, a rate limiting algorithm is used on the log file so that it does not become clogged with error messages. See Limiting the frequency of log messages.