Port security is a mechanism that controls network access on a per-port basis. It extends the existing 802.1x and MAC address authentication features.
Port security defines a set of security modes in which a port learns legitimate source MAC addresses, so that the network administrator can restrict which devices may use the port. Packets whose source MAC addresses the port cannot learn in its current security mode, and packets that fail 802.1x authentication, are considered illegal.
Upon detecting an illegal packet, the system triggers the corresponding port security feature and handles the packet with the configured action. This reduces the maintenance workload and improves system security and manageability.
The following port security features are provided:
1) NTK (Need To Know): by checking the destination MAC addresses of the outbound packets on a given port, NTK ensures that only authenticated devices receive data packets, which prevents data from being intercepted by other hosts on the port.
2) Intrusion Protection: by checking the source MAC addresses of inbound packets on a given port, or the username and password used for 802.1x authentication, Intrusion Protection detects illegal packets and events and takes the configured action: disconnecting the port temporarily or permanently, or filtering packets from the offending MAC address.
3) Device Tracking: when certain events occur on a port (an intrusion, or a user logging on or off in an improper manner), the switch sends a trap message so that network administrators can monitor and control such actions.
1.1.3 Port Security Modes
Table 1-1 details the available port security modes:
Table 1-1 Description of the port security modes

| Security mode | Description | Feature |
|---|---|---|
| autolearn | The port learns MAC addresses automatically and turns them into security MAC addresses. When the number of security MAC addresses on the port reaches the maximum configured with the port-security max-mac-count command, the port automatically changes to the secure mode. After that, only packets whose source MAC addresses are learned security MAC addresses or configured static MAC addresses can pass through the port. | In the autolearn and secure modes, the device enables the NTK and Intrusion Protection features upon detecting an illegal packet. |
| secure | The port is disabled from learning MAC addresses. Only packets whose source MAC addresses are learned security MAC addresses or configured static MAC addresses can pass through the port. | Same as autolearn. |
| userlogin | Port-based 802.1x authentication is performed for connected users. | The NTK and Intrusion Protection features are not enabled in this mode. |
| userlogin-secure | The port is enabled only after an access user passes 802.1x authentication; even then, only packets of the successfully authenticated user can pass through the port. Only one 802.1x-authenticated user is allowed on the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port. | In this mode and the modes below, the device enables the NTK and Intrusion Protection features upon detecting an illegal packet. |
| userlogin-withoui | Similar to userlogin-secure, except that one OUI-carrying MAC address can be authenticated successfully in addition to the single 802.1x-authenticated user allowed on the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic and authenticated MAC address entries on the port. | Same as userlogin-secure. |
| mac-authentication | MAC address-based authentication is performed for access users. | Same as userlogin-secure. |
| userlogin-secure-or-mac | The user passes authentication if either MAC authentication or userlogin-secure (802.1x) authentication succeeds. | Same as userlogin-secure. |
| mac-else-userlogin-secure | MAC authentication is performed first. If it succeeds, the mac-authentication mode is adopted; otherwise, authentication in userlogin-secure mode is performed. | Same as userlogin-secure. |
| userlogin-secure-ext | Similar to userlogin-secure, except that more than one 802.1x-authenticated user is allowed on the port. | Same as userlogin-secure. |
| userlogin-secure-or-mac-ext | Similar to userlogin-secure-or-mac, except that more than one 802.1x-authenticated user is allowed on the port. | Same as userlogin-secure. |
| mac-else-userlogin-secure-ext | Similar to mac-else-userlogin-secure, except that more than one 802.1x-authenticated user is allowed on the port. | Same as userlogin-secure. |
- When a port is working in autolearn or userlogin-withoui mode, its Voice VLAN cannot be enabled.
- When a port is working in mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode, Intrusion Protection is triggered only after both MAC authentication and 802.1x authentication of a packet have failed.
Table 1-2 Basic port security configuration

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required |
| Set an OUI value for user authentication | port-security oui OUI-value index index-value | Optional |
| Enable the sending of type-specific trap messages | port-security trap { addresslearned \| intrusion \| dot1xlogon \| dot1xlogoff \| dot1xlogfailure \| ralmlogon \| ralmlogoff \| ralmlogfailure }* | Optional. By default, sending of trap messages is disabled. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the security mode of the port | port-security port-mode mode | Required. Choose the mode that fits the access scenario (see Table 1-1). |
| Set the maximum number of MAC addresses that the port can accommodate | port-security max-mac-count count-value | Optional. By default, the number of MAC addresses is not limited. |
| Set the NTK transmission mode | port-security ntk-mode { ntkonly \| ntk-withbroadcasts \| ntk-withmulticasts } | Required. By default, no NTK transmission mode is set on the port. |
| Set the action the device takes when Intrusion Protection is triggered | port-security intrusion-mode { disableport \| disableport-temporarily \| blockmac } | Required. By default, no intrusion protection action is configured. |
| Configure the port not to apply the authorization information delivered by the server | port-security authorization ignore | Optional. By default, the authorization information delivered by the server is applied on the port. |
| Return to system view | quit | — |
| Set the timer for temporarily disabling a port | port-security timer disableport timer | Optional. Defaults to 20 seconds. |

The time set by the port-security timer disableport timer command is the period for which a port stays disabled after Intrusion Protection in disableport-temporarily mode (set with the port-security intrusion-mode command) has shut it down.
With port security enabled, a device imposes the following restrictions on 802.1x authentication and MAC address authentication to prevent conflicts:
1) The access control mode (set by the dot1x port-control command) is automatically set to auto.
2) The dot1x, dot1x port-method, dot1x port-control, and mac-authentication commands are not applicable.
- Refer to the 802.1x module of the H3C S5600 Series Ethernet Switches Operation Manual for details on 802.1x authentication.
- You cannot add a port on which port security is configured to a link aggregation group.
- You cannot configure the port-security port-mode mode command on a port that is in a link aggregation group.
A Security MAC address is a special type of MAC address, similar to a static MAC address. A Security MAC address can be bound to only one port in a given VLAN; this feature therefore binds a MAC address to a port within a VLAN.
Security MAC addresses can be learned by the autolearn function of the port security feature, or configured manually by command or through the MIB.
Before adding Security MAC addresses, set the port security mode to autolearn. The MAC address learning behaviour of the port then changes as follows:
- The existing dynamic MAC address entries on the port are deleted;
- While the number of Security MAC addresses is below the configured maximum, each new MAC address learned by the port is added as a Security MAC address;
- Once the maximum number of Security MAC addresses is reached, the port learns no further MAC addresses and its mode changes from autolearn to secure.
Configured Security MAC addresses are written to the configuration file; they are not lost when the port goes down or comes up, and those saved in the configuration file are restored after the switch reboots.
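The following model, an added example written for this page and not H3C code, walks through the behaviour described in Table 1-1 and in the autolearn notes above: the flush of dynamic entries when autolearn is set, learning until max-mac-count is reached, the automatic change to secure mode, the NTK check on outbound frames, and the three Intrusion Protection actions including the disableport-temporarily timer (20 s default). The class and method names (SecurePort, Frame, ingress, egress) are the author's own, the MAC addresses are constructed, the "normal" mode is an assumed placeholder for a port before any security mode is set, and the broadcast/multicast semantics of the three ntk-mode values are an assumption, since the page only names them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Frame:
    src: str                 # source MAC in H3C notation, e.g. 0001-0002-0003 (constructed)
    dst: str                 # destination MAC
    kind: str = "unicast"    # unicast | broadcast | multicast (used by the NTK check)


@dataclass
class SecurePort:
    """One Ethernet port with port security enabled (model, not switch code)."""
    max_mac_count: int                         # port-security max-mac-count
    intrusion_mode: str = "blockmac"           # blockmac | disableport | disableport-temporarily
    ntk_mode: str = "ntkonly"                  # ntkonly | ntk-withbroadcasts | ntk-withmulticasts
    disableport_timer: int = 20                # port-security timer disableport, default 20 s
    mode: str = "normal"                       # assumed name for "no security mode set yet"
    security_macs: Set[str] = field(default_factory=set)   # learned + manually added
    dynamic_macs: Set[str] = field(default_factory=set)    # ordinary dynamic entries
    blocked_macs: Set[str] = field(default_factory=set)    # result of blockmac
    port_up: bool = True
    disabled_until: Optional[int] = None       # set by disableport-temporarily
    traps: List[Tuple[str, str]] = field(default_factory=list)   # (trap type, MAC)

    def set_autolearn(self) -> None:
        """port-security port-mode autolearn: flush dynamic entries, start learning."""
        self.dynamic_macs.clear()
        self.mode = "autolearn"
        self._lock_if_full()

    def add_security_mac(self, mac: str) -> None:
        """mac-address security <mac> vlan <id>: a manual entry counts toward the maximum."""
        self.security_macs.add(mac)
        self._lock_if_full()

    def _lock_if_full(self) -> None:
        if self.mode == "autolearn" and len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"               # no further learning on this port

    def ingress(self, frame: Frame, now: int = 0) -> str:
        """Handle an inbound frame at time `now` (seconds); returns what the port did."""
        if not self.port_up:
            if self.disabled_until is not None and now >= self.disabled_until:
                self.port_up, self.disabled_until = True, None   # temporary disable expired
            else:
                return "dropped: port disabled"
        if frame.src in self.blocked_macs:
            return "dropped: blocked mac"
        if frame.src in self.security_macs:
            return "forwarded"
        if self.mode == "normal":              # no security mode yet: plain dynamic learning
            self.dynamic_macs.add(frame.src)
            return "forwarded"
        if self.mode == "autolearn":
            self.security_macs.add(frame.src)
            self.traps.append(("addresslearned", frame.src))
            self._lock_if_full()
            return "learned"
        # secure mode with an unknown source: illegal frame, Intrusion Protection acts
        self.traps.append(("intrusion", frame.src))
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(frame.src)
        elif self.intrusion_mode == "disableport":
            self.port_up = False
        elif self.intrusion_mode == "disableport-temporarily":
            self.port_up, self.disabled_until = False, now + self.disableport_timer
        return "dropped: intrusion"

    def egress(self, frame: Frame) -> bool:
        """NTK check on an outbound frame. Assumed semantics: ntkonly passes only unicast
        to security MACs; ntk-withbroadcasts also passes broadcast; ntk-withmulticasts
        also passes broadcast and multicast."""
        if frame.kind == "unicast":
            return frame.dst in self.security_macs
        if frame.kind == "broadcast":
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        return self.ntk_mode == "ntk-withmulticasts"


def example_scenario() -> List[str]:
    """The page's example (PC1 added manually, autolearn) scaled down to a maximum
    of 2 entries so the autolearn -> secure transition is visible."""
    port = SecurePort(max_mac_count=2)
    port.dynamic_macs.add("00e0-fc00-0001")          # pre-existing dynamic entry
    port.set_autolearn()                             # dynamic entry is flushed here
    port.add_security_mac("0001-0002-0003")          # PC1, as in the example below
    trace = [port.ingress(Frame("0001-0002-0004", "0001-0002-0003"))]   # learned; port locks
    trace.append(port.mode)                                              # "secure"
    trace.append(port.ingress(Frame("0001-0002-0005", "0001-0002-0003")))  # intruder blocked
    trace.append(port.ingress(Frame("0001-0002-0003", "0001-0002-0004")))  # PC1 still forwarded
    return trace


if __name__ == "__main__":
    print(example_scenario())
```

Running example_scenario() shows the order of events a practitioner should expect: the manually added PC1 entry and one learned entry fill a max-mac-count of 2, the port switches to secure, and the next unknown source is dropped and, under blockmac, filtered thereafter. Raising max-mac-count above the number of legitimate hosts, or leaving it at the unlimited default, keeps the port in autolearn and lets any new station be learned as a Security MAC.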
Table 1-3 Configure Security MAC address

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the maximum number of Security MAC addresses allowed on the port | port-security max-mac-count count-value | Required. By default, the number of Security MAC addresses is not limited. |
| Set the port mode to autolearn | port-security port-mode autolearn | Required |
| Add a Security MAC address manually | mac-address security mac-address [ interface interface-type interface-number ] vlan vlan-id | Required. This command can be configured in either system view or Ethernet port view. |
Note that:
1) The port-security port-mode autolearn command cannot be configured together with the following features:
- Static and black-hole MAC addresses
- The Voice VLAN feature
- The 802.1x feature
- Port link aggregation
- Configuration of a mirroring reflect port
2) The port-security max-mac-count count-value command cannot be configured together with the mac-address max-mac-count count command.
1.3 Displaying Port Security Configuration
After the above configuration, you can use the display command in any view to view the port security information and verify the configuration result.
Table 1-4 Display port security configuration

| Operation | Command | Description |
|---|---|---|
| Display information about the port security configuration | display port-security [ interface interface-list ] | The display command can be executed in any view. |
| Display information about the Security MAC address configuration | display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | The display command can be executed in any view. |
I. Network requirements
- Enable port security on port GigabitEthernet1/0/1 of switch A.
- Set the maximum number of MAC addresses accommodated by the port to 80.
- Set the port security mode to autolearn.
- Add the MAC address 0001-0002-0003 of PC1 as a Security MAC address in VLAN 1.
II. Network diagram
Figure 1-1 Network diagram for port security configuration
III. Configuration procedure
Configure switch A as follows:
# Enter system view.
<H3C> system-view
# Enable port security.
[H3C] port-security enable
# Enter port view for GigabitEthernet1/0/1.
[H3C] interface GigabitEthernet1/0/1
# Set the maximum number of MAC addresses accommodated by the port to 80.
[H3C-GigabitEthernet1/0/1] port-security max-mac-count 80
# Set the port security mode to autolearn.
[H3C-GigabitEthernet1/0/1] port-security port-mode autolearn
# Add the MAC address 0001-0002-0003 of PC1 as a Security MAC address in VLAN 1.
[H3C-GigabitEthernet1/0/1] mac-address security 0001-0002-0003 vlan 1
The network administrator can bind the MAC address and IP address of a legitimate user to a specific port through the port binding feature. After binding, only packets carrying the specified MAC address and IP address can pass through the port. This improves the security and manageability of the system.
Table 2-1 Configure port binding

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Bind the legal MAC address and IP address to a specific port | am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number | Optional |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Bind the legal MAC address and IP address to the current port | am user-bind mac-addr mac-address ip-addr ip-address | Optional |

The system allows only one binding operation for the same MAC address.
After the above configuration, you can use the display command in any view to view the operating state of port binding and verify the configuration result.
Table 2-2 Display port binding configuration

| Operation | Command | Description |
|---|---|---|
| Display information about port binding | display am user-bind [ interface interface-type interface-number \| mac-addr \| ip-addr ] | The display command can be executed in any view. |
I. Network requirements
To prevent illegal use of the IP address of PC1, bind the MAC address and IP address of PC1 to GigabitEthernet1/0/1.
II. Network diagram
Figure 2-1 Network diagram for port binding configuration
III. Configuration procedure
Configure switch A as follows:
# Enter system view.
<H3C> system-view
# Enter GigabitEthernet1/0/1 port view.
[H3C] interface GigabitEthernet1/0/1
# Bind the MAC address and the IP address of PC1 to GigabitEthernet1/0/1.
[H3C-GigabitEthernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
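The two configuration procedures on this page (port security in Table 1-2 and port binding in Table 2-1) leave room for two practical mistakes: enabling a security mode without the Required intrusion-mode and ntk-mode settings, which have no default, and binding the same MAC address more than once, which the system allows only once. The auditor below, an added example written for this page and not H3C code, parses a running-configuration excerpt and reports both. The excerpt in SAMPLE_CONFIG is constructed by hand from the commands in the tables above; its layout (system-view commands, then interface blocks with indented commands, separated by "#") and the function names parse_config, bindings and audit are assumptions of this example, so adjust the parser if the switch's display current-configuration output differs.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed running-configuration excerpt assembled from the commands on this page.
# GigabitEthernet1/0/1 is the page's own example; 1/0/2 and 1/0/3 are added for contrast.
SAMPLE_CONFIG = """\
#
 port-security enable
 am user-bind mac-addr 0001-0002-0005 ip-addr 10.12.1.5 interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 80
 port-security port-mode autolearn
 mac-address security 0001-0002-0003 vlan 1
 am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
#
interface GigabitEthernet1/0/2
 port-security port-mode secure
 port-security intrusion-mode blockmac
 port-security ntk-mode ntkonly
#
interface GigabitEthernet1/0/3
 port-security port-mode autolearn
 port-security intrusion-mode disableport-temporarily
 port-security ntk-mode ntk-withbroadcasts
 am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.7
#
"""

# Matches both forms in Table 2-1: the system-view form carries a trailing "interface ...".
BIND_RE = re.compile(r"am user-bind mac-addr (\S+) ip-addr (\S+)(?: interface (\S+))?")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the text into system-view commands and a per-interface command list."""
    system_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # block separator: back to system view
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is None:
            system_cmds.append(line)
        else:
            interfaces[current].append(line)
    return system_cmds, interfaces


def bindings(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """MAC address -> [(interface, IP)] for every am user-bind line, in either view."""
    system_cmds, interfaces = parse_config(text)
    result: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for cmd in system_cmds:
        m = BIND_RE.match(cmd)
        if m:
            result[m.group(1)].append((m.group(3) or "?", m.group(2)))
    for ifname, cmds in interfaces.items():
        for cmd in cmds:
            m = BIND_RE.match(cmd)
            if m:
                result[m.group(1)].append((ifname, m.group(2)))
    return dict(result)


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (where, finding) pairs for settings Table 1-2 marks Required without a
    default, for autolearn ports that can never lock, and for duplicate MAC bindings."""
    findings: List[Tuple[str, str]] = []
    system_cmds, interfaces = parse_config(text)
    if "port-security enable" not in system_cmds:
        findings.append(("system", "port-security enable is missing; port-mode settings have no effect"))
    for ifname, cmds in interfaces.items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("port-security port-mode ")), None)
        if mode is None:
            continue                           # port security not used on this port
        if not any(c.startswith("port-security intrusion-mode ") for c in cmds):
            findings.append((ifname, "no intrusion-mode (Required, no default): illegal packets trigger no action"))
        if not any(c.startswith("port-security ntk-mode ") for c in cmds):
            findings.append((ifname, "no ntk-mode (Required, no default): outbound frames are not restricted"))
        if mode == "autolearn" and not any(c.startswith("port-security max-mac-count ") for c in cmds):
            findings.append((ifname, "autolearn without max-mac-count: unlimited learning, port never changes to secure"))
    for mac, entries in bindings(text).items():
        if len(entries) > 1:
            findings.append(("binding", f"MAC {mac} is bound more than once: {entries}"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Run against SAMPLE_CONFIG, the auditor flags the page's own GigabitEthernet1/0/1 example for lacking intrusion-mode and ntk-mode, flags 1/0/3 for autolearn with the unlimited default, and reports 0001-0002-0003 bound on two ports; 1/0/2, which sets all three, produces no findings.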