Port security

The port security feature allows network managers to designate specific devices (by MAC address) that may access ports on a switch, or to limit the number of devices that can connect to a port at the same time. Authorized MAC addresses can be specified manually by a switch administrator, learned dynamically as devices are connected, or authorized by a specified RADIUS server.

Port security configuration is broken into three primary components — configuring authorized MAC addresses, intrusion detection actions, and eavesdrop prevention.

There are five distinct MAC address learning modes configurable on ArubaOS-Switch devices:

  • Continuous—port continually learns new MAC addresses as devices are connected (port security is disabled).

  • Static—authorized addresses can be statically assigned, and port will learn additional addresses up to a specified limit (up to 64 addresses).

  • Configured—only statically assigned authorized addresses, up to a specified limit, can be used on assigned ports.

  • Port access—port learns only MAC addresses authorized by 802.1X, Web, or MAC authentication; once a MAC address is authorized on the port, only traffic from the authorized MAC address is forwarded.

  • Limited-continuous—port learns MAC addresses up to a specified limit; once the limit is reached, any new MAC address connected to the port is treated as an intrusion.

Upon detection of an unauthorized device on a configured port, an action may be taken to notify administrators through an SNMP trap and, optionally, to disable the port on which the intrusion occurred.

Lastly, eavesdrop prevention causes packets with unknown destination addresses not to be forwarded to ports where the feature is enabled.

In this example, port security is configured on port 2 in configured address mode with two statically assigned addresses, an address limit of 2, eavesdrop prevention enabled, and with intrusion detection configured to both send an SNMP trap and disable the port:

switch(config)# port-security 2 learn-mode configured address-limit 2 mac-address 308d99-000000 308d99-000001 eavesdrop-prevention action send-disable

This configuration will allow only the two devices specified by their MAC addresses to connect to port 2 (for example, an IP phone with a passthrough Ethernet port connected to a PC); any other devices that attempt to connect to the port will be flagged as an intrusion, an SNMP trap will be sent to configured SNMP targets, and the port will automatically be disabled.
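The following Python model is an added illustration of the behaviour described above, not switch code or a vendor tool: it models one secured port's learn mode, address limit, intrusion action and eavesdrop prevention, and reproduces the port 2 configuration from the example. The class and function names are constructed; the action values none, send-alarm and send-disable are the ArubaOS-Switch keywords, with send-alarm assumed to send only a trap.

```python
from dataclasses import dataclass, field

@dataclass
class SecuredPort:
    """Port-security state of one switch port (constructed model, not vendor code)."""
    learn_mode: str = "continuous"        # continuous|static|configured|port-access|limited-continuous
    address_limit: int = 1
    static_macs: set = field(default_factory=set)         # the 'mac-address' list
    authenticated_macs: set = field(default_factory=set)  # granted by 802.1X/Web/MAC auth (port-access)
    action: str = "none"                  # none|send-alarm|send-disable
    eavesdrop_prevention: bool = False
    learned: set = field(default_factory=set)
    disabled: bool = False
    traps: list = field(default_factory=list)

    def authorized(self) -> set:
        return self.static_macs | self.learned | self.authenticated_macs

    def may_learn(self) -> bool:
        """Can a new source MAC be learned under the current mode and address limit?"""
        if self.learn_mode == "continuous":
            return True                   # port security effectively disabled
        if self.learn_mode in ("static", "limited-continuous"):
            return len(self.authorized()) < self.address_limit
        return False                      # configured / port-access: nothing is learned from traffic

    def ingress(self, src_mac: str) -> str:
        """Classify a frame arriving from src_mac: 'forward', 'intrusion' or 'drop' (port disabled)."""
        if self.disabled:
            return "drop"
        if src_mac in self.authorized():
            return "forward"
        if self.may_learn():
            self.learned.add(src_mac)
            return "forward"
        # Unauthorized device: apply the configured intrusion action.
        if self.action in ("send-alarm", "send-disable"):
            self.traps.append(f"intrusion from {src_mac}")
        if self.action == "send-disable":
            self.disabled = True
        return "intrusion"

    def egress(self, dst_known: bool) -> bool:
        """Eavesdrop prevention: frames to destinations unknown to the switch are not sent out this port."""
        return not self.disabled and (dst_known or not self.eavesdrop_prevention)

def page_example() -> SecuredPort:
    """Port 2 as configured above: configured mode, limit 2, two static MACs, eavesdrop prevention, send-disable."""
    return SecuredPort(learn_mode="configured", address_limit=2, action="send-disable",
                       static_macs={"308d99-000000", "308d99-000001"}, eavesdrop_prevention=True)
```

Running page_example() and feeding it a third source MAC shows the intrusion being recorded and the port going to the disabled state, after which even the two authorized devices are cut off until an administrator re-enables it.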