Port security

Basic operation

Default port security operation: The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction.

Intruder protection: A port that detects an "intruder" blocks the intruding device from transmitting to the network through that port.

Eavesdrop protection: Using either the port-security command or the switch WebAgent to enable port security on a given port automatically enables eavesdrop prevention on that port.

General operation for port security: On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once port security is configured, you can then monitor the network for security violations through one or more of the following:

  • Alert flags that are captured by network management tools such as PCM and PCM+

  • Alert Log entries in the WebAgent

  • Event Log entries in the console interface

  • Intrusion Log entries in the menu interface, CLI, or WebAgent

For any port, you can configure the following:

  • Action: Used when a port detects an intruder. Specifies whether to send an SNMP trap to a network management station and whether to disable the port.

  • Address Limit: Sets the number of authorized MAC addresses allowed on the port.

  • Learn-Mode: Specify how the port acquires authorized addresses.

    • Limited-Continuous: Sets a finite limit (1-32) to the number of learned addresses allowed per port.

    • Continuous: Allows the port to learn addresses from inbound traffic from any connected device. This is the default setting.

    • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.)

    • Configured: Requires that you specify all MAC addresses authorized for the port. The port is not allowed to learn addresses from inbound traffic.

  • Authorized (MAC) Addresses: Specify up to eight devices (MAC addresses) that are allowed to send inbound traffic through the port. This feature:

    • Closes the port to inbound traffic from any unauthorized devices that are connected to the port.

    • Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and, optionally, disables the port. (For more on configuring the switch for SNMP management, see "Trap receivers and authentication traps" in the Management and Configuration Guide for your switch.)

  • Port Access: Allows only the MAC address of a device authenticated through the switch 802.1X Port-Based access control.

Eavesdrop Prevention

Configuring port security on a given switch port automatically enables Eavesdrop Prevention for that port. This prevents use of the port to flood unicast packets addressed to MAC addresses unknown to the switch and blocks unauthorized users from eavesdropping on traffic intended for addresses that have aged-out of the switch address table. (Eavesdrop Prevention does not affect multicast and broadcast traffic; the switch floods these two traffic types out a given port regardless of whether port security is enabled on that port.)

Disabling Eavesdrop Prevention

Traffic with an unknown destination address is blocked when port security is configured and Eavesdrop Prevention is enabled. You can disable Eavesdrop Prevention on ports where it may cause problems, such as on ports that are configured to use limited-continuous learning mode. See Configuring port security for more information on learning modes.

Feature interactions when Eavesdrop Prevention is disabled

The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled.


NOTE: When the learning mode is "port-access", Eavesdrop Prevention will not be applied to the port. However, it can still be configured or disabled for the port.


Learn mode and effect when Eavesdrop Prevention is disabled:

  • Static: When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured and only a limited number of static MAC addresses are learned. A device must generate traffic before the MAC address is learned and traffic is forwarded to it.

  • Continuous: The default. The Eavesdrop Prevention option does not apply because port security is disabled. Ports forward traffic with unknown destination addresses normally.

  • Port-access: Disabling Eavesdrop Prevention is not applied to the port. There is no change.

  • Limited-continuous: When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured; MAC addresses age normally. Eavesdrop Prevention may cause difficulties in learning MAC addresses (as with static MAC addresses) and cause serious traffic issues when a MAC ages out.

  • Configured: When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured by a static MAC address. Eavesdrop Prevention should not cause any issues because all valid MAC addresses have been configured.

Syntax:

[no] port-security <port-list> eavesdrop-prevention

When this option is enabled, the port is prevented from transmitting packets that have unknown destination addresses. Only devices attached to the port receive packets intended for them. This option does not apply to a learning mode of port-access or continuous. Default: Enabled

The show port-security command displaying Eavesdrop Prevention

HP Switch(config)# show port-security

 Port Security

  Port   Learn Mode    | Action           Eavesdrop Prevention
  ------ ------------- + ---------------- --------------------
  1      Continuous    | None             Enabled
  2      Continuous    | None             Enabled
  3      Continuous    | None             Enabled
  4      Continuous    | None             Enabled
  5      Continuous    | None             Enabled

MIB Support

The following MIB support is provided for Eavesdrop Prevention.

hpSecPtPreventEavesdrop OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),
                    disable (2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "If enabled on a switch, outbound unknown unicast
                 packets will not be forwarded out this port. If
                 enabled on a repeater, outbound unknown unicast
                 packets for this port will be scrambled."
    ::= { hpSecurePortEntry 5 }

Blocked unauthorized traffic

Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example:

[Figure: How port security controls access]

NOTE: Broadcast and Multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security.


Trunk group exclusion

Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)

Planning port security

  1. Plan your port security configuration and monitoring according to the following:

    1. On which ports do you want port security?

    2. Which devices (MAC addresses) are authorized on each port?

    3. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable the port on which the intrusion was detected.

    4. How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:

  • Through network management (That is, do you want an SNMP trap sent to a network management station when a port detects a security violation attempt?)

      • Through the switch Intrusion Log, available through the CLI, menu, and WebAgent

      • Through the Event Log (in the menu interface or through the CLI show log command)

  2. Use the CLI or WebAgent to configure port security operating and address controls.

Port security command options and operation

This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.


NOTE: Use the global configuration level to execute port-security configuration commands.


Displaying port security settings

Syntax:

show port-security

show port-security <port-number>

show port-security [<port-number>-<port-number>]...[,<port-number>]

The CLI uses the same command to provide two types of port security listings:

  • All ports on the switch with their Learn Mode and (alarm) Action

  • Only the specified ports with their Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses

Without port parameters, show port-security displays Operating Control settings for all ports on a switch.

Port security listing (ports 7 and 8 show the default setting)

HP Switch(config)# show port-security
 
 Port Security

  Port Learn Mode  | Action                   Eavesdrop Prevention
  ---- ----------- + ------------------------ --------------------
  1    Continuous  | Send Alarm, Disable Port Enabled
  2    Continuous  | Send Alarm, Disable Port Enabled
  3    Static      | Send Alarm               Enabled
  4    Continuous  | Send Alarm, Disable Port Enabled
  5    Continuous  | Send Alarm, Disable Port Enabled
  6    Continuous  | Send Alarm, Disable Port Enabled
  7    Continuous  | None                     Enabled
  8    Continuous  | None                     Enabled

With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port:

The port security configuration display for a single port

HP Switch(config)# show port-security 3

 Port Security

  Port : 3
  Learn Mode [Continuous] : Static   Address Limit [1] : 1
  Action [None] : None
  Eavesdrop Prevention [Enabled] : Enabled
  
  Authorized Addresses
  --------------------
  00906d-fdcc00

The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string:

Entering a range of ports

HP Switch(config)# show port-security 1-3,6,8

Listing authorized and detected MAC addresses

Syntax:

show mac-address [port-list|mac-address|vlan <vid>]

Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports.

mac-address: Lists the specified MAC address with the port on which it is detected as an authorized address.

port list: Lists the authorized MAC addresses detected on the specified port(s).

vlan <vid>: Lists the authorized MAC addresses detected on ports belonging to the specified VLAN.

Show mac-address outputs

HP Switch(config)# show mac-address
 Status and Counters - Port Address Table

  MAC Address   Port  VLAN
  ------------- ----- ----
  00000c-07ac00 7     1
  0000aa-9c09cb 7     1
  000102-f215c7 5     100
        .
  0018fe-a5e504 1     222

HP Switch(config)# show mac-address 7
 Status and Counters - Port Address Table - 7

  MAC Address   VLANs
  ------------- ------------
  00000c-07ac00 1
  0000aa-9c09cb 1

HP Switch(config)# show mac-address 00000c-07ac00
 Status and Counters - Address Table - 00000c-07ac00

 Port  VLAN
 ----- ----
 5     100

HP Switch(config)# show mac-address vlan 1
 Status and Counters - Address Table - VLAN 1

  MAC Address   Port
  ------------- -----
  00000c-07ac00 1
  000050-53c774 1
        .
  0000aa-9c09cb 1

Configuring port security

Using the CLI, you can:

  • Configure port security and edit security settings.

  • Add or delete devices from the list of authorized addresses for one or more ports.

  • Clear the Intrusion flag on specific ports.

Syntax:

port-security

[e]<port-list> <learn-mode|address-limit|mac-address|action|clear-intrusion-flag>

<port-list>: Specifies a list of one or more ports to which the port-security command applies.

learn-mode <continuous|static|port-access|configured|limited-continuous>

For the specified port:

  • Identifies the method for acquiring authorized addresses.

  • On switches covered in this guide, automatically invokes eavesdrop protection, see Eavesdrop Prevention.

continuous: (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned in the learn continuous mode will "age out" and be automatically deleted if they are not used regularly. The default age time is five minutes.

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on the mac-age-time command see "Interface Access and System Information" in the Management and Configuration Guide for your switch.

static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.

If, for example:

You use mac-address to authorize MAC address 0060b0-880a80 for port A4.

You use address-limit to allow three devices on port A4 and the port detects these MAC addresses:

  1. 080090-1362f2

  2. 00f031-423fc1

  3. 080071-0c45a1

  4. 0060b0-880a80 (the address you authorized with the mac-address parameter)

In this example port A4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)

00f031-423fc1 (the second address the port detected)

0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also Retention of static addresses.


CAUTION: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the address-limit parameter (see below), automatically adds devices it detects until it reaches the specified limit.



NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either continuous (the default) or port-access.


port-access: Enables you to use Port Security with (802.1X) Port-Based Access Control.

configured: Must specify which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses are not ageable. Addresses are saved across reboots.

limited-continuous: Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.)

All addresses are ageable, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.

Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch. To set the learn-mode to limited, use this command syntax:

port-security <port-list> learn-mode limited address-limit <1..64> action <none|send-alarm|send-disable>

The default address-limit is 1 but may be set for each port to learn up to 64 addresses.

The default action is none.

To see the list of learned addresses for a port use the command:

show mac <port-list>

address-limit <integer>

When learn-mode is set to static, configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured modes. For learn-mode with the limited-continuous option, the range is 1-64 addresses.

mac-address <mac-addr>[<mac-addr> <mac-addr>]

Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The mac-address limited-continuous mode allows up to 64 authorized MAC addresses per port.

If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age-out. See also Retention of static addresses.

action <none|send-alarm|send-disable>

Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.

none: Prevents an SNMP trap from being sent. none is the default value.

send-alarm: Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.

send-disable: Sends alarm and disables the port. Available only in the static, port-access, configured, or limited learn modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on Keeping the intrusion log current by resetting alert flags.

For information on configuring the switch for SNMP management, see the Management and Configuration Guide for your switch.

clear-intrusion-flag

Clears the intrusion flag for a specific port, see Reading intrusion alerts and resetting alert flags.

no port-security <port-list> mac-address <mac-addr>[<mac-addr> <mac-addr>]

Removes any specified learned MAC addresses from the specified port.

Retention of static addresses

Static MAC addresses do not age-out. MAC addresses learned by using learn-mode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. For information on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch.

Learned addresses

In the following two cases, a port in Static learn mode retains a learned MAC address even if you later reboot the switch or disable port security for that port:

  • The port learns a MAC address after you configure the port for Static learn mode in both the startup-config file and the running-config file (by executing the write memory command).

  • The port learns a MAC address after you configure the port for Static learn mode in only the running-config file and, after the address is learned, you execute write memory to configure the startup-config file to match the running-config file.

To remove an address learned using either of the preceding methods, do one of the following:

  • Delete the address by using no port-security <port-number> mac-address <mac-addr>.

  • Download a configuration file that does not include the unwanted MAC address assignment.

  • Reset the switch to its factory-default configuration.

Assigned/authorized addresses

If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following:

  • Delete it by using no port-security <port-number> mac-address <mac-addr>

  • Download a configuration file that does not include the unwanted MAC address assignment.

  • Reset the switch to its factory-default configuration.

Specifying authorized devices and intrusion responses

This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.

HP Switch(config)# port-security a1 learn-mode static action send-disable

The next example does the same as the preceding example, except that it specifies a MAC address of 0c0090-123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device.

HP Switch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable

This example configures port A5 to:

  • Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.

  • Send an alarm to a management station if an intruder is detected on the port, but allow the intruder access to the network.

HP Switch(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm

If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration. You can “turn off” authorized devices on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores those authorized devices.

Adding an authorized device to a port

To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value). For example, suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list:

[Figure: Adding an authorized device to a port]

With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.

HP Switch(config)# port-security a1 mac-address 0c0090-456456

After executing the above command, the security configuration for port A1 would be:

[Figure: Adding a second authorized device to a port]

(The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode. If you subsequently attempt to convert the port back to static mode with the same authorized address(es), the Inconsistent value message appears because the port already has the address(es) in its “Authorized” list.)

If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device listed:

Port security on port A1 with an address limit of “1”

HP Switch(config)# show port-security 1
 Port Security

 Port : 1
 Learn Mode [Continuous] : Static Address Limit [1] : 2
 Action [None] : None
 Eavesdrop Prevention [Enabled] : Enabled

 Authorized Addresses
 --------------------
 0c0090-123456
 0c0090-456456

To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example:

HP Switch(config)# port-security a1 mac-address 0c0090-456456 address-limit 2

Removing a device from the “authorized” list for a port

This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. See the Command syntax listing under Configuring port security.)


CAUTION: When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are allowed in the Authorized Addresses (mac-address) for a given port. If you remove a MAC address from the Authorized Addresses list without also reducing the Address Limit by 1, the port may subsequently detect and accept as authorized a MAC address that you do not intend to include in your Authorized Address list. Thus, if you use the CLI to remove a device that is no longer authorized, it is recommended that you first reduce the Address Limit (address-limit) integer by 1, as shown below. This prevents the possibility of the same device or another unauthorized device on the network from automatically being accepted as “authorized” for that port.


To remove a device (MAC address) from the “Authorized” list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device.


NOTE: You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized” list without opening the possibility for an unwanted device to automatically become authorized.


For example, suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list:

[Figure: Two authorized addresses on port A1]

The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:

HP Switch(config)# port-security a1 address-limit 1
HP Switch(config)# no port-security a1 mac-address 0c0090-123456

The above command sequence results in the following configuration for port A1:

[Figure: Port A1 after removing one MAC address]
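An added example, not from the guide or the switch firmware, that models a port in static learn mode as the guide describes it (configured addresses plus automatically learned ones up to address-limit, anything beyond treated as an intruder). It replays the port A4 walk-through from the learn-mode description above and then compares the two orderings of the removal procedure in the caution. The stray MAC address is constructed.

```python
"""Model of an HP switch port in learn-mode static, as the guide describes it.

Added example, not the switch's own implementation.  MAC addresses use the
guide's xxxxxx-xxxxxx notation; 0c0090-999999 is a constructed stray device.
"""
from dataclasses import dataclass, field


@dataclass
class StaticPort:
    address_limit: int = 1
    authorized: list[str] = field(default_factory=list)  # configured + learned
    intrusions: list[str] = field(default_factory=list)  # blocked source MACs

    def configure_mac(self, mac: str) -> None:
        """port-security <port> mac-address <mac>: must fit within the limit."""
        if mac in self.authorized or len(self.authorized) >= self.address_limit:
            raise ValueError("Inconsistent value")  # the message the CLI prints
        self.authorized.append(mac)

    def set_address_limit(self, n: int) -> None:
        # The guide notes the limit may be reduced below the current count.
        self.address_limit = n

    def remove_mac(self, mac: str) -> None:
        """no port-security <port> mac-address <mac>"""
        self.authorized.remove(mac)

    def receive(self, src_mac: str) -> bool:
        """Inbound frame from src_mac.  Returns True if it is forwarded."""
        if src_mac in self.authorized:
            return True
        if len(self.authorized) < self.address_limit:
            self.authorized.append(src_mac)  # learned into a free slot, no age-out
            return True
        self.intrusions.append(src_mac)  # blocked and flagged as an intruder
        return False


def guide_example_a4() -> tuple[list[str], list[str]]:
    """Port A4 from the guide: address-limit 3, one address configured."""
    port = StaticPort(address_limit=3)
    port.configure_mac("0060b0-880a80")
    for mac in ("080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"):
        port.receive(mac)
    return port.authorized, port.intrusions


def remove_then_reduce(stray_mac: str) -> list[str]:
    """Wrong order: a stray frame arrives between the removal and the limit cut."""
    port = StaticPort(address_limit=2, authorized=["0c0090-123456", "0c0090-456456"])
    port.remove_mac("0c0090-123456")
    port.receive(stray_mac)  # a slot is free, so the stray device is learned
    port.set_address_limit(1)  # too late: the list now holds 2 with a limit of 1
    return port.authorized


def reduce_then_remove(stray_mac: str) -> list[str]:
    """Guide's recommended order: cut the limit first, then remove the address."""
    port = StaticPort(address_limit=2, authorized=["0c0090-123456", "0c0090-456456"])
    port.set_address_limit(1)
    port.receive(stray_mac)  # list is at or over the limit: intruder
    port.remove_mac("0c0090-123456")
    port.receive(stray_mac)  # 1 authorized == limit 1, still no free slot
    return port.authorized


if __name__ == "__main__":
    print("A4:", guide_example_a4())
    print("remove then reduce:", remove_then_reduce("0c0090-999999"))
    print("reduce then remove:", reduce_then_remove("0c0090-999999"))
```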

Clear MAC address table

The following options allow learned MAC addresses to be removed from the MAC address table as follows:

  • Remove all MAC addresses.

  • Remove all MAC addresses on a specified VLAN

  • Remove all MAC addresses on a port

  • Remove a specific MAC address on a specific VLAN

This functionality is also supported by SNMP.

Configuring clearing of learned MAC addresses

Use the following commands to clear learned MAC addresses from a port or list of ports, a specific VLAN, or to clear a specific MAC address from a VLAN.

Syntax:

clear mac-address port <port-list>

Removes MAC addresses that were learned on the specified port or ports in <port-list>. Use all to remove all MAC addresses in the MAC address table.

HP Switch(config)# clear mac-address port 4-7

Syntax:

clear mac-address vlan <vid>

Removes all MAC addresses that were learned on the specified VLAN.

HP Switch(config)# clear mac-address vlan 2

Syntax:

clear mac-address vlan <vid> mac <mac-addr>

Removes the specified MAC address from the specified VLAN.

HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8

To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.

A MAC address cleared from the MAC Address Table

HP Switch(config)# show mac-address vlan 2
 Status and Counters - Address Table - VLAN 2

  MAC Address    Located on Port
  -------------  ---------------
  00000c-07ac00  2
  000102-03db12  2
  0001e6-b197a8  2

HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8

HP Switch(config)# show mac-address vlan 2

 Status and Counters - Address Table - VLAN 2

  MAC Address    Located on Port
  -------------  ---------------
  00000c-07ac00  2
  000102-03db12  2