Chapter 1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
- Introduction to Port Security
- Port Security Configuration Task List
- Displaying and Maintaining Port Security
- Port Security Configuration Examples
- Troubleshooting Port Security
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of each inbound frame, and access to unauthorized devices by checking the destination MAC address of each outbound frame.
With port security, you can define various port
security modes to make a device learn only legal source MAC addresses, so that
you can implement different network security management as needed. When a port security-enabled
device detects an illegal frame, it triggers the corresponding port security
feature and takes a pre-defined action automatically. This reduces your
maintenance workload and greatly enhances system security.
The following types of frames are classified as illegal:
- Received frames with unknown source MAC addresses when MAC address learning is disabled.
- Received frames with unknown source MAC addresses when the number of MAC addresses learned by the port has already reached the upper limit.
- Frames from unauthenticated users.
I. NTK
The need to know (NTK) feature checks the
destination MAC addresses in outbound frames and allows frames to be sent to only
devices passing authentication, thus preventing illegal devices from intercepting
network traffic.
II. Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action upon detecting an illegal frame. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the offending MAC address for three minutes (this duration cannot be modified).
III. Trap
The trap feature enables the device to send
trap messages upon detecting specified frames that result from, for example, intrusion
or user login/logout operations, helping you monitor special activities.
Table 1-1 details the port security modes.

Table 1-1 Port security modes

| Security mode | Description | Features |
|---|---|---|
| noRestrictions | Port security is disabled on the port and access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered. |
| autoLearn | In this mode, a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. When the number of secure MAC addresses reaches the upper limit, the port changes to work in secure mode. | In either of these two modes, the device triggers NTK and intrusion protection upon detecting an illegal frame. |
| secure | In this mode, a port is disabled from learning MAC addresses and permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. | Same as autoLearn. |
| userLogin | In this mode, a port performs 802.1x authentication of users in portbased mode. | In this mode, neither NTK nor intrusion protection is triggered. |
| userLoginSecure | In this mode, a port performs 802.1x authentication of users in portbased mode and services only one user passing 802.1x authentication. | In any of the modes from userLoginSecure through macAddressElseUserLoginSecureExt, the device triggers NTK and intrusion protection upon detecting an illegal frame. |
| userLoginWithOUI | Similar to the userLoginSecure mode, a port in this mode performs 802.1x authentication of users and services only one user passing 802.1x authentication. A MAC address with a specified OUI (organizationally unique identifier) is also allowed on the port. | Same as userLoginSecure. |
| macAddressWithRadius | In this mode, a port performs MAC authentication of users. | Same as userLoginSecure. |
| macAddressOrUserLoginSecure | This mode is the combination of the userLoginSecure and macAddressWithRadius modes, with 802.1x authentication having a higher priority. The port performs MAC authentication upon receiving non-802.1x frames and performs 802.1x authentication first upon receiving 802.1x frames. If 802.1x authentication fails, the port performs MAC authentication. | Same as userLoginSecure. |
| macAddressElseUserLoginSecure | This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1x frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1x frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1x authentication. | Same as userLoginSecure. |
| userLoginSecureExt | In this mode, a port performs 802.1x authentication of users in macbased mode and supports multiple concurrent users. | Same as userLoginSecure. |
| macAddressOrUserLoginSecureExt | This mode is similar to macAddressOrUserLoginSecure mode. The difference is that this mode allows a port to support multiple 802.1x and MAC authentication users. | Same as userLoginSecure. |
| macAddressElseUserLoginSecureExt | This mode is similar to macAddressElseUserLoginSecure mode. The difference is that this mode allows a port to support multiple 802.1x and MAC authentication users. | Same as userLoginSecure. |
- Currently, port security supports two authentication methods: 802.1x and MAC authentication. Different port security modes employ different authentication methods or different combinations of them.
- The maximum number of authenticated users that a port can support is the smaller of the maximum number of secure MAC addresses and the maximum number of concurrent users that the port security mode supports.
Complete the following tasks to configure
port security:
1.3 Enabling Port Security
Before enabling port security, you need to
disable 802.1x and MAC authentication globally.
Follow these steps to enable port security:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required. Disabled by default. |
Note that:
1) Enabling port security resets the following configurations on a port to the defaults shown in parentheses, making them depend completely on the port security mode:
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
2) Disabling port security resets the following configurations on a port to the defaults shown in parentheses:
- Port security mode (noRestrictions)
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
3) Port security cannot be disabled if any user is present on a port.
For configuration
information about 802.1x authentication and MAC authentication, refer to 802.1x-HABP-MAC
Authentication Configuration.
With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
By setting the maximum number of secure MAC addresses allowed on a port, you can:
- Control the maximum number of users who are allowed to access the network through the port
- Control the number of secure MAC addresses that can be added with port security
This configuration is different from the maximum number of MAC addresses that can be learned by the port in MAC address management.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the maximum number of secure MAC addresses allowed on a port | port-security max-mac-count count-value | Required. Not limited by default. |
Before setting the port security mode, ensure that:
- 802.1x is disabled, the port access control method is macbased, and the port access control mode is auto.
- MAC authentication is disabled.
Otherwise, you will see an error message and your configuration will fail. After setting the port security mode on a port, you cannot change any of the above configurations.
- With port security disabled, you can configure the port security mode, but the configuration does not take effect.
- With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. Use the undo port-security port-mode command to restore the default port security mode.
- You cannot change the port security mode of a port when any user is present on the port.
- Port security mode and aggregation configurations are mutually exclusive; you cannot configure both on a port.
I. Configuration prerequisites
Before enabling the autoLearn mode, you
need to set the maximum number of secure MAC addresses allowed on the port.
II. Configuration procedure
Follow these steps to enable the autoLearn mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the autoLearn mode | port-security port-mode autolearn | Required. By default, a port operates in noRestrictions mode. |
When a port
operates in autoLearn mode, you cannot change the maximum number of secure MAC addresses
allowed on the port.
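The following configuration example is added here and is not from the original guide. It applies the enabling, secure MAC limit, and autoLearn procedures above in the order the prerequisites require. The device name Sysname, the interface GigabitEthernet 1/0/1, and the limit of 8 are assumed placeholders.

```text
# Enable port security globally (802.1x and MAC authentication must already be disabled globally).
<Sysname> system-view
[Sysname] port-security enable
# Enter the view of the access port (interface type and number are assumed).
[Sysname] interface GigabitEthernet 1/0/1
# Set the secure MAC limit first: autoLearn requires it, and the limit cannot be changed
# once the port is operating in autoLearn mode.
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 8
# Switch the port from the default noRestrictions mode to autoLearn. The port learns up to
# 8 source MAC addresses as secure MAC addresses, then changes to secure mode and permits
# only frames from those addresses or from static MAC addresses (mac-address static).
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/0/1] quit
```

Once the port has changed to secure mode, a frame with an unknown source MAC address is an illegal frame and triggers whatever intrusion protection action is configured on the port.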
In userLoginWithOUI mode, a port
supports one 802.1x user as well as users whose MAC addresses have an OUI value
among the specified ones.
Follow these steps to enable the userLoginWithOUI mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set an OUI value for user authentication | port-security oui oui-value index index-value | Optional. Not configured by default. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the userLoginWithOUI mode | port-security port-mode userlogin-withoui | Required. By default, a port operates in noRestrictions mode. |
- An organizationally unique identifier (OUI), the left-most 24 bits of a MAC address, is a globally unique identifier assigned by IEEE to a certain manufacturer.
- You can configure multiple OUI values.
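The following configuration example is added here and is not from the original guide. It registers two OUI values and then puts a port into userLoginWithOUI mode, so that one 802.1x user plus devices carrying either OUI are admitted. Sysname and the interface are assumed placeholders; the OUI values, their H-H-H notation, and the index numbers are constructed examples, not values from the guide.

```text
<Sysname> system-view
[Sysname] port-security enable
# Register the OUIs admitted in addition to the single 802.1x user. Multiple values are
# allowed, each under its own index. Only the left-most 24 bits of each value (the OUI)
# identify the manufacturer; the values and notation below are constructed examples.
[Sysname] port-security oui 1234-5600-0000 index 1
[Sysname] port-security oui abcd-ef00-0000 index 2
# Put the port in userLoginWithOUI mode: it services one user passing 802.1x authentication
# and also permits MAC addresses whose OUI matches one of the registered values.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
[Sysname-GigabitEthernet1/0/1] quit
```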
Follow these steps to enable any other port security mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the port security mode | port-security port-mode { mac-authentication \| mac-else-userlogin-secure \| mac-else-userlogin-secure-ext \| secure \| userlogin \| userlogin-secure \| userlogin-secure-ext \| userlogin-secure-or-mac \| userlogin-secure-or-mac-ext } | Required. By default, a port operates in noRestrictions mode. |
On a port operating
in either macAddressElseUserLoginSecure mode or
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only
after both MAC authentication and 802.1x authentication for the same frame
fail.
Follow these steps to configure the NTK feature:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the NTK feature | port-security ntk-mode { ntk-withbroadcasts \| ntk-withmulticasts \| ntkonly } | Required. By default, NTK is disabled on a port and all frames are allowed to be sent. |
Follow these steps to configure the intrusion protection feature:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the intrusion protection feature | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | Required. By default, intrusion protection is disabled. |
| Return to system view | quit | — |
| Set the silence timeout during which a port remains disabled | port-security timer disableport time-value | Optional. 20 seconds by default. |
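The following configuration example is added here and is not from the original guide. It combines the NTK procedure and the intrusion protection procedure above on a port that already has a port security mode set (for example autoLearn or secure): an illegal inbound frame disables the port temporarily for a configurable silence timeout, and outbound frames are sent only to authenticated devices. Sysname, the interface, and the 60-second timeout are assumed placeholders.

```text
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
# Intrusion protection: on an illegal frame, disable the port temporarily rather than
# permanently, so a misconnected device does not need an administrator to restore the port.
# blockmac would instead block frames from the offending MAC address for a fixed three minutes.
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
# NTK: send outbound frames only to devices that have passed authentication. ntkonly is the
# strictest keyword; as their names indicate, ntk-withbroadcasts and ntk-withmulticasts
# additionally let broadcast or multicast frames through.
[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
[Sysname-GigabitEthernet1/0/1] quit
# The silence timeout is set in system view; raise it from the default 20 seconds to 60.
[Sysname] port-security timer disableport 60
```

With this configuration, repeated port shutdowns on the same interface are a useful signal to investigate, since each one means an unknown or unauthenticated source MAC address appeared on a port that should only ever see its secure addresses.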