When configuring port security, go to these
sections for information you are interested in:
l
Port
Security Overview
l
Port
Security Configuration Task List
l
Displaying
and Maintaining Port Security Configuration
l
Port
Security Configuration Example
Two port security
modes were added: macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt.
For details, refer to Port
Security Modes.
Port security is a security mechanism for
network access control. It is an expansion to the current 802.1x and MAC
address authentication.
Port security allows you to define various
security modes that enable devices to learn legal source MAC addresses, so that
you can implement different network security management as needed.
With port security enabled, packets whose
source MAC addresses cannot be learned by your switch in a security mode are
considered illegal packets, The events that cannot pass 802.1x authentication
or MAC authentication are considered illegal.
With port security enabled, upon detecting
an illegal packet or illegal event, the system triggers the corresponding port
security features and takes pre-defined actions automatically. This reduces
your maintenance workload and greatly enhances system security and
manageability.
The following port security features are
provided:
l
NTK (need to know) feature: By checking the
destination MAC addresses in outbound data frames on the port, NTK ensures that
the switch sends data frames through the port only to successfully authenticated
devices, thus preventing illegal devices from intercepting network data.
l
Intrusion protection feature: By checking the
source MAC addresses in inbound data frames or the username and password in 802.1x
authentication requests on the port, intrusion protection detects illegal
packets or events and takes a pre-set action accordingly. The actions you can
set include: disconnecting the port temporarily/permanently, and blocking
packets with the MAC address specified as illegal.
l
Trap feature: When special data packets (generated
from illegal intrusion, abnormal login/logout or other special activities) are passing
through the switch port, Trap feature enables the switch to send Trap messages
to help the network administrator monitor special activities.
1.1.3 Port
Security Modes
Table 1-1 describes the
available port security modes:
Table 1-1 Description of port security modes
|
Security mode
|
Description
|
Feature
|
|
noRestriction
|
In this mode, access to the port is not
restricted.
|
In this mode, neither the NTK nor the intrusion protection feature is triggered.
|
|
autolearn
|
In this mode, the port automatically
learns MAC addresses and changes them to security MAC addresses.
This security mode will automatically
change to the secure mode after the amount of security MAC addresses
on the port reaches the maximum number configured with the port-security
max-mac-count command.
After the port security mode is changed to
the secure mode, only those packets whose
source MAC addresses are security MAC addresses learned or dynamic MAC
addresses configured can pass through the port.
|
In either mode, the device will
trigger NTK and intrusion protection upon detecting an illegal packet.
|
|
secure
|
In this mode, the port is disabled from
learning MAC addresses.
Only those packets whose source MAC
addresses are security MAC addresses learned and static or dynamic MAC
addresses can pass through the port.
|
|
userlogin
|
In this mode, port-based 802.1x
authentication is performed for access users.
|
In this mode, neither NTK nor intrusion
protection will be triggered.
|
|
userLoginSecure
|
MAC-based
802.1x authentication is performed on the access user. The port is enabled
only after the authentication succeeds. When the port is enabled, only the
packets of the successfully authenticated user can pass through the port.
In this
mode, only one 802.1x-authenticated user is allowed to access the port.
When the
port changes from the noRestriction mode to this security mode, the
system automatically removes the existing dynamic MAC address entries and
authenticated MAC address entries on the port.
|
In any of these modes, the device
triggers the NTK and Intrusion Protection features upon detecting an illegal
packet or illegal event.
|
|
userLoginSecureExt
|
This mode
is similar to the userLoginSecure mode, except that there can be more
than one 802.1x-authenticated user on the port.
|
|
userLoginWithOUI
|
This mode
is similar to the userLoginSecure mode, except that, besides the
packets of the single 802.1x-authenticated user, the packets whose source MAC
addresses have a particular OUI are also allowed to pass through the port.
When the
port changes from the normal mode to this security mode, the system
automatically removes the existing dynamic/authenticated MAC address entries
on the port.
|
|
macAddressWithRadius
|
In this
mode, MAC address–based authentication is performed for access users.
|
|
macAddressOrUserLoginSecure
|
In this mode, both MAC authentication and
802.1x authentication can be performed, but 802.1x authentication has a
higher priority.
802.1x authentication can still be
performed on an access user who has passed MAC authentication.
No MAC authentication is performed on an
access user who has passed 802.1x authentication.
In this mode, there can be only one
802.1x-authenticated user on the port, but there can be several
MAC-authenticated users.
|
|
macAddressOrUserLoginSecureExt
|
This mode is similar to the macAddressOrUserLoginSecure
mode, except that there can be more than one 802.1x-authenticated user on the
port. .
|
|
macAddressElseUserLoginSecure
|
In this mode, a port performs MAC
authentication of an access user first. If the authentication succeeds, the
user is authenticated. Otherwise, the port performs 802.1x authentication of
the user.
In this mode, there can be only one
802.1x-authenticated user on the port, but there can be several
MAC-authenticated users.
|
|
macAddressElseUserLoginSecureExt
|
This mode is similar to the macAddressElseUserLoginSecure
mode, except that there can be more than one 802.1x-authenticated user on
the port.
|
|
macAddressAndUserLoginSecure
|
In this mode, a port firstly performs MAC
authentication for a user and then performs 802.1x authentication for the
user if the user passes MAC authentication. The user can access the network
after passing the two authentications.
In this mode, up to one user can access
the network.
|
|
macAddressAndUserLoginSecureExt
|
This mode is similar to the macAddressAndUserLoginSecure
mode, except that more than one user can access the network.
|
l
When the port operates in the userlogin-withoui
mode, Intrusion Protection will not be triggered even if the OUI address does
not match.
l
On a port operating in either the macAddressElseUserLoginSecure
mode or the macAddressElseUserLoginSecureExt mode, Intrusion Protection
is triggered only after both MAC-based authentication and 802.1x authentication
on the same packet fail.
Complete the following tasks to configure
port security:
Before enabling port security, you need to
disable 802.1x and MAC authentication globally.
Follow these steps to enable port security:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable port security
|
port-security enable
|
Required
Disabled by default
|
Caution:
Enabling port security resets the following configurations on the
ports to the defaults (shown in parentheses below):
l
802.1x (disabled), port access control method (macbased),
and port access control mode (auto)
l
MAC authentication (disabled)
In addition, you cannot perform the above-mentioned
configurations manually because these configurations change with the port
security mode automatically.
l
For details about 802.1x configuration, refer to
the sections covering 802.1x and System-Guard.
l
For details about MAC authentication
configuration, refer to the sections covering MAC authentication configuration.
l
The port security feature does not support the
quick EAD deployment feature in 802.1x.
l
The port security feature does not support the
guest VLAN feature in MAC authentication.
Port security allows more than one user to be
authenticated on a port. The number of authenticated users allowed, however,
cannot exceed the configured upper limit.
By setting the maximum number of MAC
addresses allowed on a port, you can
l
Control the maximum number of users who are
allowed to access the network through the port
l
Control the number of Security MAC addresses
that can be added with port security
This configuration is different from that
of the maximum number of MAC addresses that can be leaned by a port in MAC
address management.
Follow these steps to set the maximum
number of MAC addresses allowed on a port:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Set the maximum number of MAC addresses
allowed on the port
|
port-security max-mac-count count-value
|
Required
Not limited by default
|
Follow these steps to set the port security
mode:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Set the OUI value for user authentication
|
port-security oui OUI-value index index-value
|
Optional
In userLoginWithOUI mode, a port
supports one 802.1x user plus one user whose source MAC address has a
specified OUI value.
|
|
Enter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Set the port security mode
|
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext
| mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext
| secure | userlogin | userlogin-secure | userlogin-secure-ext
| userlogin-secure-or-mac | userlogin-secure-or-mac-ext |
userlogin-withoui }
|
Required
By default, a port operates in noRestriction
mode. In this mode, access to the port is not restricted.
You can set a port security mode as
needed.
|
l
Before setting the port security mode to autolearn,
you need to set the maximum number of MAC addresses allowed on the port with
the port-security max-mac-count command.
l
When the port operates in the autoLearn
mode, you cannot change the maximum number of MAC addresses allowed on the
port.
l
After you set the port security mode to autolearn,
you cannot configure any static or blackhole MAC addresses on the port.
l
If the port is in a security mode other than noRestriction,
before you can change the port security mode, you need to restore the port
security mode to noRestriction with the undo port-security port-mode command.
l
The port security mode of autolearn is
not supported on fabric devices.
If the port-security port-mode mode
command has been executed on a port, none of the following can be
configured on the same port:
l
Maximum number of MAC addresses that the port
can learn
l
Reflector port for port mirroring
l
Fabric port
l
Link aggregation
Follow these steps to configure the NTK feature:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Configure the NTK feature
|
port-security ntk-mode { ntkonly | ntk-withbroadcasts |
ntk-withmulticasts }
|
Required
By default, NTK is disabled on a port, namely
all frames are allowed to be sent.
|
Follow these
steps to configure the intrusion protection feature:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Set the corresponding action to be taken
by the switch when intrusion protection is triggered
|
port-security intrusion-mode { blockmac | disableport |
disableport-temporarily }
|
Required
By default, intrusion protection is
disabled.
|
|
Return to system view
|
quit
|
—
|
|
Set the timer during which the port
remains disabled
|
port-security timer disableport timer
|
Optional
20 seconds by default
|
The port-security
timer disableport command is used in conjunction with the port-security
intrusion-mode disableport-temporarily command to set the length of
time during which the port remains disabled.
Caution:
If you configure
the NTK feature and execute the port-security
intrusion-mode blockmac command on the same port,
the switch will be unable to disable the packets whose destination MAC address
is illegal from being sent out that port; that is, the NTK feature configured will
not take effect on the packets whose destination MAC address is illegal.
Follow these
steps to configure port security trapping:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Enable sending
traps for the specified type of event
|
port-security
trap { addresslearned | dot1xlogfailure
| dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure
| ralmlogoff | ralmlogon }
|
Required
By
default, no trap is sent.
|
After an
802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User
Service (RADIUS) authentication, the RADIUS server delivers the authorization
information to the device. You can configure a port to ignore the authorization
information from the RADIUS server.
Follow these steps to configure a port to
ignore the authorization information from the RADIUS server:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Ignore the authorization information from
the RADIUS server
|
port-security authorization ignore
|
Required
By default, a port uses the authorization
information from the RADIUS server.
|
Security MAC addresses are special MAC
addresses that never age out. One security MAC address can be added to only one
port in the same VLAN so that you can bind a MAC address to one port in the
same VLAN.
Security MAC addresses can be learned by
the auto-learn function of port security or manually configured.
Before adding security MAC addresses to a
port, you must configure the port security mode to autolearn. After this
configuration, the port changes its way of learning MAC addresses as follows.
l
The port deletes original dynamic MAC addresses;
l
If the amount of security MAC addresses has not yet
reach the maximum number, the port will learn new MAC addresses and turn them to
security MAC addresses;
l
If the amount of security MAC addresses reaches the
maximum number, the port will not be able to learn new MAC addresses and the
port mode will be changed from autolearn to secure.
The security MAC
addresses manually configured are written to the
configuration file; they will not get lost when the port is up or down.
As long as the configuration file is saved, the security MAC addresses can be
restored after the switch
reboots.
I. Configuration prerequisites
l
Port security is enabled.
l
The maximum number of security MAC addresses
allowed on the port is set.
l
The security mode of the port is set to autolearn.
II. Configuring a security MAC
address
Follow these steps to configure a security
MAC address:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Add a security MAC address
|
In system view
|
mac-address security mac-address interface interface-type interface-number vlan vlan-id
|
Either is required.
By default, no security MAC address is
configured.
|
|
In Ethernet port view
|
interface interface-type
interface-number
|
|
mac-address security mac-address vlan vlan-id
|
1.3 Displaying and Maintaining Port Security Configuration
|
To do...
|
Use the command...
|
Remarks
|
|
Display information about port security
configuration
|
display port-security [ interface interface-list ]
|
Available in any view
|
|
Display information about security MAC
address configuration
|
display mac-address security [ interface interface-type interface-number ]
[ vlan vlan-id ] [ count ]
|
I. Network requirements
Implement access user restrictions through the
following configuration on GigabitEthernet 1/0/1 of the switch.
l
Allow a maximum of 80 users to access the port
without authentication and permit the port to learn and add the MAC addresses
of the users as security MAC addresses.
l
To ensure that Host can access the network, add
the MAC address 0001-0002-0003 of Host as a security MAC address to the port in
VLAN 1.
l
After the number of security MAC addresses
reaches 80, the port stops learning MAC addresses. If any frame with an unknown
MAC address arrives, intrusion protection is triggered and the port will be
disabled and stay silent for 30 seconds.
II. Network diagram
Figure 1-1
Network diagram for port security configuration
III. Configuration procedure
# Enter system view.
<Switch> system-view
# Enable port security.
[Switch] port-security enable
# Enter GigabitEthernet1/0/1 port view.
[Switch] interface GigabitEthernet 1/0/1
# Set the maximum number of MAC addresses allowed
on the port to 80.
[Switch-GigabitEthernet1/0/1]
port-security max-mac-count 80
# Set the port security mode to autolearn.
[Switch-GigabitEthernet1/0/1]
port-security port-mode autolearn
# Add the MAC address 0001-0002-0003 of Host
as a security MAC address to the port in VLAN 1.
[Switch-GigabitEthernet1/0/1]
mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30
seconds after intrusion protection is triggered.
[Switch-GigabitEthernet1/0/1]
port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet1/0/1] quit
[Switch] port-security timer
disableport 30
