Chapter 1 Port Security Configuration
When configuring port security, go to these sections for the information you are interested in:
- Introduction to Port Security
- Port Security Configuration Task List
- Displaying and Maintaining Port Security
- Port Security Configuration Examples
- Troubleshooting Port Security
Port security is a MAC address-based security mechanism for network access control. It is an extension of the existing 802.1x authentication and MAC authentication features. It blocks unauthorized devices from accessing the network by checking the source MAC address of each inbound frame, and blocks access to unauthorized devices by checking the destination MAC address of each outbound frame.
With port security, you can choose among several port security modes to make a device learn only legal source MAC addresses, so that you can enforce whatever access policy the network needs. When a port security-enabled device detects an illegal frame, it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces your maintenance workload and improves system security.
The following types of frames are classified as illegal:
- Received frames with unknown source MAC addresses when MAC address learning is disabled.
- Received frames with unknown source MAC addresses when the number of MAC addresses learned by the port has already reached the upper limit.
- Frames from unauthenticated users.
I. NTK
The need to know (NTK) feature checks the destination
MAC addresses in outbound frames and allows frames to be sent to only devices
passing authentication, thus preventing illegal devices from intercepting
network traffic.
II. Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames and, upon detecting an illegal frame, takes a pre-defined action. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from that MAC address for three minutes (this duration cannot be changed).
III. Trap
The trap feature enables the device to send
trap messages upon detecting specified frames that result from, for example,
intrusion or user login/logout operations, helping you monitor special
activities.
Table 1-1 details the port security modes.

Table 1-1 Port security modes

| Security mode | Description | Features |
| --- | --- | --- |
| noRestrictions | Port security is disabled on the port and access to the port is not restricted. | Neither NTK nor intrusion protection is triggered. |
| autoLearn | The port learns a specified number of MAC addresses and saves them as secure MAC addresses. It permits only frames whose source MAC address is a secure MAC address or a static MAC address configured with the mac-address static command. When the number of secure MAC addresses reaches the upper limit, the port changes to secure mode. | NTK and intrusion protection are triggered upon detecting an illegal frame. |
| secure | The port is disabled from learning MAC addresses and permits only frames whose source MAC address is a secure MAC address or a static MAC address configured with the mac-address static command. | NTK and intrusion protection are triggered upon detecting an illegal frame. |
| userLogin | The port performs 802.1x authentication of users in portbased mode. | Neither NTK nor intrusion protection is triggered. |
| userLoginSecure | The port performs 802.1x authentication of users in portbased mode and serves only one user that passes 802.1x authentication. | NTK and intrusion protection are triggered upon detecting an illegal frame (this applies to this mode and to all modes below). |
| userLoginWithOUI | Similar to userLoginSecure: the port performs 802.1x authentication of users and serves only one user that passes 802.1x authentication. Frames whose source MAC address carries one of the configured OUI (organizationally unique identifier) values are also allowed on the port. | As above. |
| macAddressWithRadius | The port performs MAC authentication of users. | As above. |
| macAddressOrUserLoginSecure | A combination of the userLoginSecure and macAddressWithRadius modes, with 802.1x authentication having the higher priority. The port performs MAC authentication upon receiving a non-802.1x frame. Upon receiving an 802.1x frame, it performs 802.1x authentication first and, if that fails, MAC authentication. | As above. |
| macAddressElseUserLoginSecure | A combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having the higher priority. Upon receiving a non-802.1x frame, the port performs only MAC authentication. Upon receiving an 802.1x frame, it performs MAC authentication first and, if that fails, 802.1x authentication. | As above. |
| userLoginSecureExt | The port performs 802.1x authentication of users in macbased mode and supports multiple concurrent users. | As above. |
| macAddressOrUserLoginSecureExt | Same as macAddressOrUserLoginSecure, except that the port supports multiple 802.1x and MAC authentication users. | As above. |
| macAddressElseUserLoginSecureExt | Same as macAddressElseUserLoginSecure, except that the port supports multiple 802.1x and MAC authentication users. | As above. |
- Currently, port security supports two authentication methods: 802.1x and MAC authentication. Different port security modes use different authentication methods or different combinations of them.
- The maximum number of authenticated users a port can support is the smaller of the maximum number of secure MAC addresses and the maximum number of concurrent users that the port's mode supports.
Complete the following tasks to configure
port security:
1.3 Enabling Port Security
Before enabling port security, you need to
disable 802.1x and MAC authentication globally.
Follow these steps to enable port security:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required. Disabled by default. |
Note that:
1) Enabling port security resets the following configurations on a port to the defaults shown in parentheses, so that they depend entirely on the port security mode:
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
2) Disabling port security resets the following configurations on a port to the defaults shown in parentheses:
- Port security mode (noRestrictions)
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
3) Port security cannot be disabled while any user is present on a port.
For configuration
information about 802.1x authentication and MAC authentication, refer to 802.1x-HABP-MAC
Authentication Configuration.
With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
By setting the maximum number of secure MAC addresses allowed on a port, you can:
- Control the maximum number of users who are allowed to access the network through the port
- Control the number of secure MAC addresses that can be added by port security
This limit is separate from the maximum number of MAC addresses that the port can learn, which is configured in MAC address management.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the maximum number of secure MAC addresses allowed on a port | port-security max-mac-count count-value | Required. Not limited by default. |
Before setting the port security mode, ensure that:
- 802.1x is disabled, the port access control method is macbased, and the port access control mode is auto.
- MAC authentication is disabled.
Otherwise, you will see an error message and your configuration will fail.
Conversely, after setting the port security mode on a port, you cannot change any of the above configurations.
- With port security disabled, you can configure the port security mode, but the configuration does not take effect.
- With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. Use the undo port-security port-mode command to restore the default port security mode first.
- You cannot change the port security mode of a port while any user is present on the port.
- Port security mode and link aggregation are mutually exclusive: you cannot configure both on the same port.
I. Configuration prerequisites
Before enabling the autoLearn mode, you need to set the maximum number of secure MAC addresses allowed on the port.
II. Configuration procedure
Follow these steps to enable the autoLearn mode:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the autoLearn mode | port-security port-mode autolearn | Required. By default, a port operates in noRestrictions mode. |

When a port operates in autoLearn mode, you cannot change the maximum number of secure MAC addresses allowed on the port.
In userLoginWithOUI mode, a port supports one 802.1x user as well as users whose MAC addresses have an OUI value among the specified ones.
Follow these steps to enable the userLoginWithOUI mode:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set an OUI value for user authentication | port-security oui oui-value index index-value | Optional. Not configured by default. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the userLoginWithOUI mode | port-security port-mode userlogin-withoui | Required. By default, a port operates in noRestrictions mode. |

- An organizationally unique identifier (OUI), the left-most 24 bits of a MAC address, is a globally unique identifier assigned by the IEEE to a particular manufacturer.
- You can configure multiple OUI values.
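The following configuration, added here as an illustration and not taken from the original manual, puts a port into userLoginWithOUI mode with two permitted OUIs, so that one 802.1x-authenticated user plus any device from those two manufacturers (for example an IP phone sharing the port with a PC) can use it. The device name Sysname, the interface GigabitEthernet 1/0/1, the two OUI values and the H-H-H notation used for them are assumptions; check the command reference for the exact oui-value format on your device.

```text
# Added example; names and values are assumptions, not from the manual.
<Sysname> system-view
# Port security must be on before a port mode takes effect (Enabling Port Security above)
[Sysname] port-security enable
# Two OUI entries; only the left-most 24 bits of each value are significant.
# The index distinguishes the entries and lets you remove one later.
[Sysname] port-security oui 1234-0100-0000 index 1
[Sysname] port-security oui 00e0-fc00-0000 index 2
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
[Sysname-GigabitEthernet1/0/1] quit
```

Because the OUI list is global (configured in system view), every port in userLoginWithOUI mode accepts all of the listed OUIs; keep the list short and review it, since any station that spoofs a listed OUI bypasses 802.1x on those ports. Remember that the port must be in noRestrictions mode and have no users present before its mode can be changed.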
Follow these steps to enable any other port security mode:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the port security mode | port-security port-mode { mac-authentication \| mac-else-userlogin-secure \| mac-else-userlogin-secure-ext \| secure \| userlogin \| userlogin-secure \| userlogin-secure-ext \| userlogin-secure-or-mac \| userlogin-secure-or-mac-ext } | Required. By default, a port operates in noRestrictions mode. |

On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1x authentication for the same frame fail.
Follow these steps to configure the NTK feature:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the NTK feature | port-security ntk-mode { ntk-withbroadcasts \| ntk-withmulticasts \| ntkonly } | Required. By default, NTK is disabled on a port and all frames are allowed to be sent. |
Follow these steps to configure the intrusion protection feature:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the intrusion protection feature | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | Required. By default, intrusion protection is disabled. |
| Return to system view | quit | — |
| Set the silence timeout during which a port remains disabled | port-security timer disableport time-value | Optional. 20 seconds by default. |

If you configure the port-security intrusion-mode command with the disableport-temporarily keyword, you can use the port-security timer disableport command to set the silence timeout during which a port remains disabled.
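The following sequence, added here as a worked example and not taken from the original manual, combines the tasks above into one access-port policy: it enables port security, limits a port to two secure MAC addresses in autoLearn mode, turns on NTK, and sets intrusion protection to disable the port temporarily with a 30-second silence timeout. The device name Sysname, the interface GigabitEthernet 1/0/1, the count and timer values, and the two global undo commands (undo dot1x and undo mac-authentication, which belong to the 802.1x-HABP-MAC Authentication chapter this page refers to) are assumptions.

```text
# Added example; names and values are assumptions, not from the manual.
<Sysname> system-view
# Port security requires 802.1x and MAC authentication to be disabled globally
# first (assumed commands from the 802.1x-HABP-MAC Authentication chapter)
[Sysname] undo dot1x
[Sysname] undo mac-authentication
[Sysname] port-security enable
# Temporarily disabled ports come back after 30 s instead of the default 20 s;
# the timer is global and only matters with disableport-temporarily
[Sysname] port-security timer disableport 30
[Sysname] interface GigabitEthernet 1/0/1
# Set the limit BEFORE selecting autoLearn: it cannot be changed while the
# port is in autoLearn mode, and autoLearn requires it to be set
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 2
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
# Outbound: forward only unicast to learned (secure) destinations, plus broadcasts
[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntk-withbroadcasts
# Inbound: an illegal source MAC shuts the port for the silence timeout above
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Sysname-GigabitEthernet1/0/1] quit
```

With this configuration the first two source MAC addresses seen on the port become secure MAC addresses and the port switches to secure mode; a frame from any third source MAC address is then an illegal frame, intrusion protection shuts the port for 30 seconds, and the port is re-enabled automatically. Choosing blockmac instead would keep the port up and drop only frames from the offending address for three minutes, which is less disruptive on a shared port; disableport leaves the port down until an administrator intervenes. The three NTK keywords differ only in what they let out besides unicast frames to authenticated destinations: ntkonly allows nothing else, ntk-withbroadcasts also allows broadcasts, and ntk-withmulticasts allows broadcasts and multicasts too. To change the mode later, return the port to noRestrictions with undo port-security port-mode first, and do so only when no user is present on the port.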
Follow these steps to configure port
security trapping: