Default port security operation: The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction.
Intruder protection: A port that detects an "intruder" blocks the intruding device from transmitting to the network through that port.
Eavesdrop protection: Using either the port-security command or the switch WebAgent to enable port security on a given port automatically enables eavesdrop prevention on that port.
General operation for port security: On a per-port basis, you can configure security measures to block unauthorized devices and to send notice of security violations. Once port security is configured, you can monitor the network for security violations through SNMP traps, the switch Intrusion Log, or the Event Log.
For any port, you can configure the following:
- Action: Used when a port detects an intruder. Specifies whether to send an SNMP trap to a network management station and whether to disable the port.
- Address Limit: Sets the number of authorized MAC addresses allowed on the port.
- Learn-Mode: Specifies how the port acquires authorized addresses.
  - Limited-Continuous: Sets a finite limit (1-32) to the number of learned addresses allowed per port.
  - Continuous: Allows the port to learn addresses from inbound traffic from any connected device. This is the default setting.
  - Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.)
  - Configured: Requires that you specify all MAC addresses authorized for the port. The port is not allowed to learn addresses from inbound traffic.
- Authorized (MAC) Addresses: Specify up to eight devices (MAC addresses) that are allowed to send inbound traffic through the port. This feature:
  - Closes the port to inbound traffic from any unauthorized devices that are connected to the port.
  - Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and, optionally, disables the port. (For more on configuring the switch for SNMP management, see "Trap receivers and authentication traps" in the Management and Configuration Guide for your switch.)
- Port Access: Allows only the MAC address of a device authenticated through the switch 802.1X Port-Based access control.
Configuring port security on a given switch port automatically enables Eavesdrop Prevention for that port. This prevents use of the port to flood unicast packets addressed to MAC addresses unknown to the switch and blocks unauthorized users from eavesdropping on traffic intended for addresses that have aged-out of the switch address table. (Eavesdrop Prevention does not affect multicast and broadcast traffic; the switch floods these two traffic types out a given port regardless of whether port security is enabled on that port.)
Traffic with an unknown destination address is blocked when port security is configured and Eavesdrop Prevention is enabled. You can disable Eavesdrop Prevention on ports where it may cause problems, such as on ports that are configured to use limited-continuous learning mode. See Configuring port security for more information on learning modes.
The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled.

NOTE: When the learning mode is "port-access", Eavesdrop Prevention will not be applied to the port. However, it can still be configured or disabled for the port.

Learn – Effect
Syntax: [no] port-security <port-list> eavesdrop-prevention

When this option is enabled, the port is prevented from transmitting packets that have unknown destination addresses. Only devices attached to the port receive packets intended for them. This option does not apply to a learning mode of port-access or continuous. Default: Enabled

The show port-security command displaying Eavesdrop Prevention

HP Switch(config)# show port-security

  Port Security

  Port  Learn Mode  | Action  Eavesdrop Prevention
  ----  ----------- + ------  --------------------
  1     Continuous  | None    Enabled
  2     Continuous  | None    Enabled
  3     Continuous  | None    Enabled
  4     Continuous  | None    Enabled
  5     Continuous  | None    Enabled
The following MIB support is provided for Eavesdrop Prevention.

hpSecPtPreventEavesdrop OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "If enabled on a switch, outbound unknown unicast packets will not be forwarded out this port. If enabled on a repeater, outbound unknown unicast packets for this port will be scrambled."
    ::= { hpSecurePortEntry 5 }
Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.

NOTE: Broadcast and Multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security.
Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)
Plan your port security configuration and monitoring according to the following:
- For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and (2) optionally disable the port on which the intrusion was detected.
- How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:
  - Through network management (that is, an SNMP trap sent to a network management station when a port detects a security violation attempt)
  - Through the switch Intrusion Log, available through the CLI, menu, and WebAgent
  - Through the Event Log (in the menu interface or through the CLI show log command)
Use the CLI or WebAgent to configure port security operating and address controls.
This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
NOTE: Use the global configuration level to execute port-security configuration commands.
Syntax: show port-security [<port-list>]

The CLI uses the same command to provide two types of port security listings:

Without port parameters, show port-security displays Operating Control settings for all ports on a switch.

Port security listing (ports 7 and 8 show the default setting)

HP Switch(config)# show port-security

  Port Security

  Port  Learn Mode  | Action                    Eavesdrop Prevention
  ----  ----------- + ------------------------  --------------------
  1     Continuous  | Send Alarm, Disable Port  Enabled
  2     Continuous  | Send Alarm, Disable Port  Enabled
  3     Static      | Send Alarm                Enabled
  4     Continuous  | Send Alarm, Disable Port  Enabled
  5     Continuous  | Send Alarm, Disable Port  Enabled
  6     Continuous  | Send Alarm, Disable Port  Enabled
  7     Continuous  | None                      Enabled
  8     Continuous  | None                      Enabled

With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port:

The port security configuration display for a single port

HP Switch(config)# show port-security 3

  Port Security

  Port : 3
  Learn Mode [Continuous] : Static
  Address Limit [1] : 1
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled

  Authorized Addresses
  --------------------
  00906d-fdcc00
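The two listing formats above are what an operator reads to find ports that will neither alert on nor stop an intruder. As an added example that is not part of the switch documentation, the following Python script parses both formats and reports ports whose learn mode, action, or Eavesdrop Prevention setting leaves them unprotected, plus static ports whose Authorized Addresses list still has open slots that the first unknown device will fill. The sample listings are constructed from the examples on this page (one port is given a disabled Eavesdrop Prevention to exercise that check); the function names and finding texts are my own.

```python
"""Audit helper for the two 'show port-security' listing formats.

Added example, not code from the switch documentation.  The sample listings
below are constructed from the examples on this page.
"""
import re

# Constructed sample: the all-ports listing (ports 7 and 8 at their defaults,
# port 8 with Eavesdrop Prevention switched off to exercise that check).
SUMMARY_LISTING = """\
HP Switch(config)# show port-security

  Port Security

  Port  Learn Mode  | Action                    Eavesdrop Prevention
  ----  ----------- + ------------------------  --------------------
  1     Continuous  | Send Alarm, Disable Port  Enabled
  2     Continuous  | Send Alarm, Disable Port  Enabled
  3     Static      | Send Alarm                Enabled
  7     Continuous  | None                      Enabled
  8     Continuous  | None                      Disabled
"""

# Constructed sample: the single-port listing.
DETAIL_LISTING = """\
HP Switch(config)# show port-security 3

  Port Security

  Port : 3
  Learn Mode [Continuous] : Static
  Address Limit [1] : 1
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled

  Authorized Addresses
  --------------------
  00906d-fdcc00
"""

# Constructed sample: a static port whose list is not yet full (address limit
# 2, one address entered), as in the add-device procedure on this page.
DETAIL_LISTING_OPEN = DETAIL_LISTING.replace("Port : 3", "Port : A1").replace(
    "Address Limit [1] : 1", "Address Limit [1] : 2").replace("00906d-fdcc00", "0c0090-123456")

SUMMARY_ROW = re.compile(
    r"^\s*(?P<port>[A-Za-z]?\d+)\s+(?P<mode>\S+)\s*\|\s*(?P<action>.+?)\s+(?P<eavesdrop>Enabled|Disabled)\s*$")
DETAIL_PORT = re.compile(r"^\s*Port\s*:\s*(?P<port>\S+)\s*$")
DETAIL_FIELD = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\s*\[(?P<default>[^\]]*)\]\s*:\s*(?P<value>.*?)\s*$")
MAC_LINE = re.compile(r"^\s*(?P<mac>[0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s*$")


def parse_summary(text):
    """Return {port: {"mode", "action", "eavesdrop"}} from the all-ports listing."""
    ports = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            ports[m["port"]] = {"mode": m["mode"], "action": m["action"], "eavesdrop": m["eavesdrop"]}
    return ports


def parse_detail(text):
    """Return the fields and Authorized Addresses from a single-port listing."""
    info = {"authorized": []}
    for line in text.splitlines():
        if m := DETAIL_PORT.match(line):
            info["port"] = m["port"]
        elif m := DETAIL_FIELD.match(line):
            info[m["name"]] = m["value"]          # current value, not the [default]
        elif m := MAC_LINE.match(line):
            info["authorized"].append(m["mac"].lower())
    return info


def audit_summary(ports):
    """List (port, finding) for ports that cannot detect or stop an intruder."""
    findings = []
    for port, cfg in sorted(ports.items()):
        if cfg["mode"].lower() == "continuous":
            findings.append((port, "learn-mode continuous: any device is accepted, none is blocked"))
        if cfg["action"].lower() == "none":
            findings.append((port, "action none: no SNMP trap on intrusion"))
        if cfg["eavesdrop"].lower() != "enabled":
            findings.append((port, "eavesdrop prevention disabled: unknown-unicast floods leave this port"))
    return findings


def audit_detail(info):
    """Flag a static port whose Authorized Addresses list still has open slots."""
    limit = int(info.get("Address Limit", "0"))
    open_slots = limit - len(info["authorized"])
    if info.get("Learn Mode", "").lower() == "static" and open_slots > 0:
        return [(info["port"], f"{open_slots} of {limit} authorized slots will be filled by the first unknown devices seen")]
    return []
```

Run it against the saved output of show port-security from a terminal session; parse_summary ignores the banner and header lines, so the whole capture can be fed in unchanged.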
The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string:
Syntax: show mac-address [<mac-address> | <port-list> | vlan <vid>]

Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports.
<mac-address>: Lists the specified MAC address with the port on which it is detected as an authorized address.
<port-list>: Lists the authorized MAC addresses detected on the specified port(s).
vlan <vid>: Lists the authorized MAC addresses detected on ports belonging to the specified VLAN.

Show mac-address outputs

HP Switch(config)# show mac-address
 Status and Counters - Port Address Table
  MAC Address    Port  VLAN
  -------------  ----  ----
  00000c-07ac00  7     1
  0000aa-9c09cb  7     1
  000102-f215c7  5     100
  .
  0018fe-a5e504  1     222

HP Switch(config)# show mac-address 7
 Status and Counters - Port Address Table - 7
  MAC Address    VLANs
  -------------  ------------
  00000c-07ac00  1
  0000aa-9c09cb  1

HP Switch(config)# show mac-address 00000c-07ac00
 Status and Counters - Address Table - 00000c-07ac00
  Port  VLAN
  ----  ----
  5     100

HP Switch(config)# show mac-address vlan 1
 Status and Counters - Address Table - VLAN 1
  MAC Address    Port
  -------------  -----
  00000c-07ac00  1
  000050-53c774  1
  .
  0000aa-9c09cb  1
The port-security command enables you to:
- Configure port security and edit security settings.
- Add or delete devices from the list of authorized addresses for one or more ports.
- Clear the Intrusion flag on specific ports.
Syntax: port-security <port-list> [learn-mode <continuous | static | port-access | configured | limited-continuous>] [address-limit <integer>] [mac-address <mac-addr> [<mac-addr> ...]] [action <none | send-alarm | send-disable>] [clear-intrusion-flag]

learn-mode <...>: Identifies the method for acquiring authorized addresses. On switches covered in this guide, automatically invokes eavesdrop protection; see Eavesdrop Prevention.

continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned in continuous mode "age out" and are automatically deleted if they are not used regularly. The default age time is five minutes. Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age-out time using the CLI, SNMP, Web, or menu interfaces. For more information on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch.

static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. Suppose you use mac-address to authorize MAC address 0060b0-880a80 for port A4 and use address-limit to allow three devices on port A4. As devices connect, port A4 would assume the following list of authorized addresses:
- 00f031-423fc1 (the second address the port detected)
- 0060b0-880a80 (the address you authorized with the mac-address parameter)
The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age out. See also Retention of static addresses.
CAUTION: Using the

NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either
port-access: Enables you to use Port Security with (802.1X) Port-Based Access Control.

configured: Must specify which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses are not ageable. Addresses are saved across reboots.

limited-continuous: Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.) All addresses are ageable, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.

Addresses learned in limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age-out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch. To set the learn-mode to limited-continuous, use this command syntax:

port-security <port-list> learn-mode limited-continuous [address-limit <integer>]

The default address-limit is 1 but may be set for each port to learn up to 64 addresses. To see the list of learned addresses for a port, use the command:

show mac-address <port-list>
address-limit <integer>: When learn-mode is set to static, configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured modes. For learn-mode with the limited-continuous option, the range is 1-64 addresses.

mac-address <mac-addr> [<mac-addr> ...]: Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The limited-continuous mode allows up to 64 authorized MAC addresses per port. If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age out. See also Retention of static addresses.

action <none | send-alarm | send-disable>: Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
none: Prevents an SNMP trap from being sent. none is the default value.
send-alarm: Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.
send-disable: Sends an alarm and disables the port. Available only in the static, port-access, configured, or limited-continuous learn modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on Keeping the intrusion log current by resetting alert flags. For information on configuring the switch for SNMP management, see the Management and Configuration Guide for your switch.

clear-intrusion-flag: Clears the intrusion flag for a specific port; see Reading intrusion alerts and resetting alert flags.
Static MAC addresses do not age out. MAC addresses learned by using learn-mode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. For information on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch.
In the following two cases, a port in Static learn mode retains a learned MAC address even if you later reboot the switch or disable port security for that port:
- The port learns a MAC address after you configure the port for Static learn mode in both the startup-config file and the running-config file (by executing the write memory command).
- The port learns a MAC address after you configure the port for Static learn mode in only the running-config file and, after the address is learned, you execute write memory to configure the startup-config file to match the running-config file.

To remove an address learned using either of the preceding methods, do one of the following:
- Delete the address by using no port-security <port-number> mac-address <mac-addr>.
- Download a configuration file that does not include the unwanted MAC address assignment.
- Reset the switch to its factory-default configuration.

If you manually assign a MAC address (using port-security <port-number> mac-address <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following:
- Delete it by using no port-security <port-number> mac-address <mac-addr>.
- Download a configuration file that does not include the unwanted MAC address assignment.
- Reset the switch to its factory-default configuration.
This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
HP Switch(config)# port-security a1 learn-mode static action send-disable
The next example does the same as the preceding example, except that it specifies a MAC address of 0c0090-123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device.
HP Switch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable
This example configures port A5 to:
- Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.
- Send an alarm to a management station if an intruder is detected on the port, but not disable the port (the intruder's traffic is still blocked).

HP Switch(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm
If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration. You can “turn off” authorized devices on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores those authorized devices.
To simply add a device (MAC address) to a port's existing Authorized Addresses list, enter the port number with the mac-address parameter and the device's MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value). For example, suppose port A1 allows two authorized devices but has only one device, 0c0090-123456, in its Authorized Address list. The following command adds the 0c0090-456456 MAC address as the second authorized address:

HP Switch(config)# port-security a1 mac-address 0c0090-456456

After executing the above command, port A1 lists both 0c0090-123456 and 0c0090-456456 as authorized addresses.

(The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode. If you subsequently attempt to convert the port back to static mode with the same authorized address(es), the Inconsistent value message appears because the port already has the address(es) in its "Authorized" list.)
If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port's current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device, 0c0090-123456, listed. To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device's MAC address. For example:

HP Switch(config)# port-security a1 mac-address 0c0090-456456 address-limit 2

Port security on port A1 after the address limit is raised to 2 and the second device is added

HP Switch(config)# show port-security 1

  Port Security

  Port : 1
  Learn Mode [Continuous] : Static
  Address Limit [1] : 2
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled

  Authorized Addresses
  --------------------
  0c0090-123456
  0c0090-456456
This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to "Static". See the Command syntax listing under Configuring port security.)

CAUTION: When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are allowed in the Authorized Addresses (
To remove a device (MAC address) from the “Authorized” list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device.
NOTE: You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the "Authorized" list without opening the possibility for an unwanted device to automatically become authorized.
For example, suppose port A1 has an Address Limit of 2 with 0c0090-123456 and 0c0090-456456 in its Authorized Address list, and you want to remove 0c0090-123456. The following command sequence serves this purpose by reducing the Address Limit to 1 and then removing 0c0090-123456:

HP Switch(config)# port-security a1 address-limit 1
HP Switch(config)# no port-security a1 mac-address 0c0090-123456

The above command sequence leaves port A1 with an Address Limit of 1 and 0c0090-456456 as its only authorized address.
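The parameter rules stated in the command description (which learn modes accept send-disable, the address-limit range per mode, mac-address entries never exceeding the limit, configured mode listing every address) and the ordering the add and remove procedures require (raise the limit in the same command as the new address; lower the limit before deleting a device) are easy to get wrong at the prompt. As an added example that is not part of the switch documentation, the following Python class checks those rules and emits the command lines, reproducing the configure, add and remove commands shown on this page. The class and method names are my own; the limited-continuous maximum of 64 is an assumption where this page quotes both 32 and 64, and the switch's own "Inconsistent value" wording is reused for the cases the page says produce it.

```python
"""Builder for HP switch 'port-security' command lines.

Added example, not the switch's own code.  It encodes the parameter rules
described on this page and the add/remove command ordering, and raises
ValueError before a bad command reaches the prompt.
"""
import re

MODES = {"continuous", "static", "port-access", "configured", "limited-continuous"}
ACTIONS = {"none", "send-alarm", "send-disable"}
DISABLE_MODES = {"static", "port-access", "configured", "limited-continuous"}
# Modes whose Authorized Addresses list can be entered with mac-address.
ADDRESS_MODES = {"static", "configured"}
# address-limit range per mode (1..max).  The limited-continuous maximum is
# an assumption: this page quotes both 32 and 64.
MAX_LIMIT = {"static": 8, "configured": 8, "limited-continuous": 64}


def norm_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff / aabb.ccdd.eeff / aabbcc-ddeeff; return the switch form."""
    digits = re.sub(r"[:.\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return f"{digits[:6]}-{digits[6:]}"


class PortSecurityPlan:
    """Tracks the intended state of each port and emits validated commands."""

    def __init__(self):
        self.ports = {}  # port -> {"mode", "limit", "macs", "action"}

    def configure(self, port, mode, action="none", limit=1, macs=()):
        """Return one 'port-security <port> learn-mode ...' command."""
        if mode not in MODES:
            raise ValueError(f"unknown learn-mode {mode}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action}")
        if action == "send-disable" and mode not in DISABLE_MODES:
            raise ValueError("send-disable is not available in continuous learn-mode")
        macs = [norm_mac(m) for m in macs]
        if macs and mode not in ADDRESS_MODES:
            raise ValueError(f"mac-address cannot be entered in {mode} learn-mode")
        if mode in MAX_LIMIT and not 1 <= limit <= MAX_LIMIT[mode]:
            raise ValueError(f"address-limit for {mode} must be 1..{MAX_LIMIT[mode]}")
        if mode not in MAX_LIMIT and limit != 1:
            raise ValueError("address-limit applies only to static, configured or limited-continuous")
        if len(macs) > limit:
            raise ValueError("Inconsistent value: more addresses than address-limit")
        if len(set(macs)) != len(macs):
            raise ValueError("Inconsistent value: duplicate mac-address")
        if mode == "configured" and len(macs) != limit:
            raise ValueError("configured learn-mode requires every authorized address")
        self.ports[port] = {"mode": mode, "limit": limit, "macs": macs, "action": action}
        cmd = f"port-security {port} learn-mode {mode}"
        if limit != 1:                       # 1 is the switch default, so omit it
            cmd += f" address-limit {limit}"
        if macs:
            cmd += " mac-address " + " ".join(macs)
        return cmd + f" action {action}"

    def add_address(self, port, mac):
        """Add a device; when the list is full, raise the limit in the same command."""
        st = self._static(port)
        mac = norm_mac(mac)
        if mac in st["macs"]:
            raise ValueError("Inconsistent value: address already authorized")
        cmd = f"port-security {port} mac-address {mac}"
        if len(st["macs"]) >= st["limit"]:
            if st["limit"] >= MAX_LIMIT["static"]:
                raise ValueError("authorized list is already at the static-mode maximum")
            st["limit"] += 1
            cmd += f" address-limit {st['limit']}"
        st["macs"].append(mac)
        return [cmd]

    def remove_address(self, port, mac):
        """Remove a device; lower the limit first so no stranger fills the freed slot."""
        st = self._static(port)
        mac = norm_mac(mac)
        if mac not in st["macs"]:
            raise ValueError("address is not on the authorized list")
        cmds = []
        if len(st["macs"]) >= st["limit"] and st["limit"] > 1:
            st["limit"] -= 1
            cmds.append(f"port-security {port} address-limit {st['limit']}")
        st["macs"].remove(mac)
        cmds.append(f"no port-security {port} mac-address {mac}")
        return cmds

    def _static(self, port):
        st = self.ports.get(port)
        if st is None or st["mode"] != "static":
            raise ValueError(f"port {port} is not in static learn-mode")
        return st
```

The plan only tracks what it was told; seed it from the switch's real state (show port-security <port>) before planning an add or remove, otherwise the limit arithmetic is wrong. When the limit is already 1, remove_address cannot lower it further and the freed slot will be taken by the next device seen, exactly the exposure the NOTE above describes.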
The following options allow learned MAC addresses to be removed from the MAC address table. This functionality is also supported by SNMP. Use the following commands to clear learned MAC addresses from a port or list of ports, a specific VLAN, or to clear a specific MAC address from a VLAN.

Syntax: clear mac-address port <port-list> | all
Removes MAC addresses that were learned on the specified port or ports in <port-list>. Use all to remove all MAC addresses in the MAC address table.
HP Switch(config)# clear mac-address port 4-7

Syntax: clear mac-address vlan <vid>
Removes all MAC addresses that were learned on the specified VLAN.
HP Switch(config)# clear mac-address vlan 2

Syntax: clear mac-address vlan <vid> mac <mac-addr>
Removes the specified MAC address from the specified VLAN.
HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8

To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.

A MAC address cleared from the MAC Address Table

HP Switch(config)# show mac-address vlan 2
 Status and Counters - Address Table - VLAN 2
  MAC Address    Located on Port
  -------------  ---------------
  00000c-07ac00  2
  000102-03db12  2
  0001e6-b197a8  2
HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8
HP Switch(config)# show mac-address vlan 2
 Status and Counters - Address Table - VLAN 2
  MAC Address    Located on Port
  -------------  ---------------
  00000c-07ac00  2
  000102-03db12  2