H3C S3600 Series Ethernet Switches Operation Manual-Release 1510(V1.04)
12-Port Security-Port Binding Operation
Table of Contents
Chapter 1 Port Security Configuration
1.2 Port Security Configuration
1.2.1 Configuring Port Security
1.2.2 Configuring Security MAC Addresses
1.3 Displaying Port Security Configuration
1.4 Port Security Configuration Example
Chapter 2 Port Binding Configuration
2.1.2 Configuring Port Binding
2.2 Displaying Port Binding Configuration
2.3 Port Binding Configuration Example
Chapter 1 Port Security Configuration
1.1 Port Security Overview
1.1.1 Introduction
Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication mechanisms.
Port security defines several security modes that let the device learn legal source MAC addresses, so that you can implement the network security management you need. With port security, packets whose source MAC addresses cannot be learned by the switch in a security mode are treated as illegal packets, and 802.1x authentication failures are treated as illegal events.
Upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes the pre-defined actions automatically. This reduces your maintenance workload and greatly enhances system security and manageability.
1.1.2 Port Security Features
The following port security features are provided:
1) NTK (need to know): By checking the destination MAC addresses in outbound data frames on a port, NTK ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
2) Intrusion protection: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or illegal events and takes a pre-set action accordingly. The actions you can set include disconnecting the port temporarily or permanently, and blocking packets with invalid MAC addresses.
3) Device tracking: When special data packets (generated from illegal intrusion, abnormal login/logout or other special activities) are passing through a switch port, device tracking enables the switch to send Trap messages to help the network administrator monitor special activities.
1.1.3 Port Security Modes
Table 1-1 describes the available port security modes:
Table 1-1 Description of port security modes

| Security mode | Description | Feature |
|---|---|---|
| autolearn | In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses. This security mode automatically changes to the secure mode after the number of security MAC addresses on the port reaches the maximum configured with the port-security max-mac-count command. After changing to the secure mode, only those packets whose source MAC addresses are learned security MAC addresses or configured dynamic MAC addresses can pass through the port. | In either mode, the device triggers NTK and intrusion protection upon detecting an illegal packet. |
| secure | In this mode, the port is disabled from learning MAC addresses. Only those packets whose source MAC addresses are learned security MAC addresses, static MAC addresses or configured dynamic MAC addresses can pass through the port. | (as above) |
| userlogin | In this mode, port-based 802.1x authentication is performed for access users. | In this mode, neither NTK nor intrusion protection is triggered. |
| userlogin-secure | The port is enabled only after an access user passes the 802.1x authentication. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated user is allowed to access the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port. | In any of these modes, the device triggers NTK and intrusion protection upon detecting an illegal packet. |
| userlogin-withoui | This mode is similar to the userlogin-secure mode, except that, besides the packets of the single 802.1x-authenticated user, the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic/authenticated MAC address entries on the port. | (as above) |
| mac-authentication | In this mode, MAC address-based authentication is performed for access users. | (as above) |
| userlogin-secure-or-mac | In this mode, if either of the mac-authentication and userlogin-secure modes succeeds, the user passes the authentication. | (as above) |
| mac-else-userlogin-secure | In this mode, MAC-based authentication is performed first. If this authentication succeeds, the mac-authentication mode is adopted; otherwise, authentication in userlogin-secure mode is performed. | (as above) |
| userlogin-secure-ext | This mode is similar to the userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port. | (as above) |
| userlogin-secure-or-mac-ext | This mode is similar to the userlogin-secure-or-mac mode, except that there can be more than one 802.1x-authenticated user on the port. | (as above) |
| mac-else-userlogin-secure-ext | This mode is similar to the mac-else-userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port. | (as above) |
1.2 Port Security Configuration
1.2.1 Configuring Port Security
Table 1-2 Configure port security

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required |
| Set OUI value for user authentication | port-security oui OUI-value index index-value | Optional |
| Enable the sending of specific types of trap messages | port-security trap { addresslearned \| intrusion \| dot1xlogon \| dot1xlogoff \| dot1xlogfailure \| ralmlogon \| ralmlogoff \| ralmlogfailure }* | Optional. By default, the sending of trap messages is disabled. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the security mode of the port | port-security port-mode mode | Required. Choose a mode as required. |
| Set the maximum number of MAC addresses allowed on the port | port-security max-mac-count count-value | Optional. By default, there is no limit on the number of MAC addresses. |
| Set the NTK transmission mode | port-security ntk-mode { ntkonly \| ntk-withbroadcasts \| ntk-withmulticasts } | Required. By default, no packet transmission mode of the NTK feature is set on the port. |
| Set the action to be taken after intrusion protection is triggered | port-security intrusion-mode { disableport \| disableport-temporarily \| blockmac } | Required. By default, no specific intrusion detection mode is configured. |
| Configure the port to ignore the authorization information delivered from the RADIUS server | port-security authorization ignore | Optional. By default, the authorization information delivered by the server is applied to the port. |
| Return to system view | quit | — |
| Set the time during which a port is temporarily disabled | port-security timer disableport timer | Optional. By default, it is 20 seconds. |
Note:
After the port-security intrusion-mode disableport-temporarily command is executed on a port, the time set by the port-security timer disableport timer command determines how long the port stays temporarily disabled.
To avoid conflicts, the following restrictions on 802.1x authentication and MAC address authentication take effect after port security is enabled:
1) The access control mode (set by the dot1x port-control command) automatically changes to auto.
2) The dot1x, dot1x port-method, dot1x port-control, and mac-authentication commands cannot be used.
Note:
- For details about 802.1x authentication, refer to the 802.1x part of the S3600 Series Ethernet Switches Operation Manual.
- You cannot add a port configured with port security to a link aggregation group.
- You cannot configure the port-security port-mode mode command on a port if the port is in a link aggregation group.
1.2.2 Configuring Security MAC Addresses
Security MAC addresses are a special type of MAC address, similar to static MAC addresses. One security MAC address can be added to only one port in the same VLAN, so you can use it to bind a MAC address to one port in that VLAN.
Security MAC addresses can be learned by the autolearn function of port security. In addition, you can configure them manually through the CLI or the MIB.
Before adding security MAC addresses to a port, you must set the port security mode to autolearn. After this configuration, the port changes the way it learns MAC addresses:
- The port deletes its existing dynamic MAC addresses;
- If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses;
- If the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses and the port mode changes from autolearn to secure.
Note:
Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses are restored after the switch reboots.
Table 1-3 Configure a security MAC address

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security | port-security enable | Required |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the maximum number of security MAC addresses allowed on the port | port-security max-mac-count count-value | Required. By default, there is no limit on the maximum number of security MAC addresses. |
| Set the port security mode to autolearn | port-security port-mode autolearn | Required |
| Add a security MAC address | mac-address security mac-address [ interface interface-type interface-number ] vlan vlan-id | Required. You can execute this command in system view as well as in Ethernet port view. When using it in system view, you must specify interface interface-type interface-number. |
Note that:
1) If the port-security port-mode autolearn command is configured on a port, you should not configure the following on the same port:
- Static and black-hole MAC addresses
- The voice VLAN feature
- The 802.1x feature
- Link aggregation
- A mirroring reflector port
2) The port-security max-mac-count count-value command cannot be configured together with the mac-address max-mac-count count command.
1.3 Displaying Port Security Configuration
After the above configuration, you can use the display command in any view to display port security information and verify your configuration.
Table 1-4 Display port security configuration

| Operation | Command | Description |
|---|---|---|
| Display information about port security configuration | display port-security [ interface interface-list ] | You can execute the display command in any view. |
| Display information about security MAC address configuration | display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | (as above) |
1.4 Port Security Configuration Example
I. Network requirements
- Enable port security on port Ethernet1/0/1 of switch A.
- Set the maximum number of MAC addresses allowed on the port to 80.
- Set the port security mode to autolearn.
- Add the MAC address 0001-0002-0003 of PC1 as a security MAC address to VLAN 1.
II. Network diagram
Figure 1-1 Network diagram for port security configuration
III. Configuration procedure
Configure switch A as follows:
# Enter system view.
<S3600> system-view
# Enable port security.
[S3600] port-security enable
# Enter Ethernet1/0/1 port view.
[S3600] interface Ethernet1/0/1
# Set the maximum number of MAC addresses allowed on the port to 80.
[S3600-Ethernet1/0/1] port-security max-mac-count 80
# Set the port security mode to autolearn.
[S3600-Ethernet1/0/1] port-security port-mode autolearn
# Add the MAC address 0001-0002-0003 of PC1 as a security MAC address to VLAN 1.
[S3600-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
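The behaviour that the configuration above turns on (autolearn filling up to max-mac-count and then switching to secure, intrusion protection acting on an unknown source MAC, NTK filtering outbound frames) can be modelled in a few lines. The following Python simulation is an added example, not code from the manual or from the switch; the SecurePort class, its method names and the trap tuples are assumptions, and the NTK check models only the ntkonly mode:

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Hypothetical model of one port: autolearn -> secure transition, NTK, intrusion protection."""
    max_mac_count: int                               # port-security max-mac-count
    intrusion_mode: str = "disableport-temporarily"  # or "disableport" / "blockmac"
    disable_timer: int = 20                          # port-security timer disableport (default 20 s)
    mode: str = "autolearn"
    security_macs: set = field(default_factory=set)
    blocked_macs: set = field(default_factory=set)
    up_at: float = 0.0       # port is disabled while now < up_at; inf means permanently disabled
    traps: list = field(default_factory=list)        # (trap type, MAC) pairs the switch would send

    def _learn(self, mac):
        self.security_macs.add(mac)
        self.traps.append(("addresslearned", mac))
        if len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"  # maximum reached: learning stops and the port becomes secure

    def add_security_mac(self, mac):
        # Manual entry, like "mac-address security <mac> vlan <id>" on an autolearn port.
        if self.mode != "autolearn":
            raise ValueError("port must be in autolearn mode to add security MAC addresses")
        self._learn(mac)

    def _intrusion(self, mac, now):
        # Illegal packet detected: apply the configured port-security intrusion-mode.
        self.traps.append(("intrusion", mac))
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(mac)
        elif self.intrusion_mode == "disableport":
            self.up_at = float("inf")
        else:
            self.up_at = now + self.disable_timer
        return "drop"

    def inbound(self, src_mac, now=0.0):
        """Return 'forward', 'learn' or 'drop' for an inbound frame with this source MAC."""
        if now < self.up_at or src_mac in self.blocked_macs:
            return "drop"  # port disabled, or this MAC was blocked by an earlier intrusion
        if src_mac in self.security_macs:
            return "forward"
        if self.mode == "autolearn":
            self._learn(src_mac)
            return "learn"
        return self._intrusion(src_mac, now)  # secure mode: an unknown source MAC is illegal

    def outbound(self, dst_mac):
        # NTK in ntkonly mode: only known (security) MACs may receive frames from this port.
        return "forward" if dst_mac in self.security_macs else "drop"
```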
Chapter 2 Port Binding Configuration
2.1 Port Binding Overview
2.1.1 Introduction
Port binding enables the network administrator to bind the MAC and IP addresses of a legal user to a specific port. After the binding, only the user whose device MAC address is identical with the bound MAC address can use the bound IP address to access the network through the port. This improves network security and enhances security monitoring.
2.1.2 Configuring Port Binding
Table 2-1 Configure port binding

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Bind the MAC address and IP address of a legal user to a specific port | am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number | Optional |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Bind the MAC address and IP address of a legal user to the current port | am user-bind mac-addr mac-address ip-addr ip-address | Optional |
Note:
An IP address can be bound with only one MAC address, and vice versa.
2.2 Displaying Port Binding Configuration
After the above configuration, you can use the display command in any view to display port binding information and verify your configuration.
Table 2-2 Display port binding configuration

| Operation | Command | Description |
|---|---|---|
| Display port binding information | display am user-bind [ interface interface-type interface-number \| mac-addr mac-addr \| ip-addr ip-addr ] | You can execute the display command in any view. |
2.3 Port Binding Configuration Example
I. Network requirements
It is required to bind the MAC and IP addresses of PC1 to Ethernet1/0/1 on switch A, so as to prevent malicious users from using the IP address they steal from PC1 to access the network.
II. Network diagram
Figure 2-1 Network diagram for port binding configuration
III. Configuration procedure
Configure switch A as follows:
# Enter system view.
<S3600> system-view
# Enter Ethernet1/0/1 port view.
[S3600] interface Ethernet1/0/1
# Bind the MAC address and the IP address of PC1 to Ethernet1/0/1.
[S3600-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
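To see how the binding table from Table 2-1 constrains traffic, and why an IP address can be bound with only one MAC address and vice versa, here is an added Python model that is not part of the manual or of the switch software. The PortBindingTable class, the load_bindings parser and SAMPLE_CONFIG are assumptions, as is the rule that hosts with no binding at all are left unrestricted:

```python
import re
from ipaddress import ip_address

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")  # H3C H-H-H notation

class PortBindingTable:
    """Hypothetical model of the 'am user-bind' table: one MAC <-> one IP, tied to one port."""
    def __init__(self):
        self.by_mac = {}  # mac -> (ip, port)
        self.by_ip = {}   # ip -> (mac, port)

    def user_bind(self, mac, ip, port):
        mac, ip = mac.lower(), str(ip_address(ip))
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC {mac!r}; expected H-H-H form such as 0001-0002-0003")
        if mac in self.by_mac or ip in self.by_ip:
            raise ValueError("an IP address can be bound with only one MAC address, and vice versa")
        self.by_mac[mac] = (ip, port)
        self.by_ip[ip] = (mac, port)

    def allows(self, port, src_mac, src_ip):
        """True if a packet with this source MAC/IP may enter through the given port (unbound hosts pass)."""
        src_mac, src_ip = src_mac.lower(), str(ip_address(src_ip))
        if src_ip in self.by_ip and self.by_ip[src_ip] != (src_mac, port):
            return False  # bound IP used by another MAC or on another port (the stolen-IP case)
        if src_mac in self.by_mac and self.by_mac[src_mac] != (src_ip, port):
            return False  # bound MAC trying to use a different IP or port
        return True

def load_bindings(config_text):
    """Parse 'am user-bind' lines: system-view form carries 'interface', port-view form sits in an interface block."""
    table, current_port = PortBindingTable(), None
    pattern = re.compile(r"^am user-bind mac-addr (\S+) ip-addr (\S+)(?: interface (\S+))?$")
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current_port = line.split()[1]
        elif line == "quit":
            current_port = None
        elif line.startswith("am user-bind"):
            m = pattern.match(line)
            if not m:
                raise ValueError(f"cannot parse: {line}")
            table.user_bind(m.group(1), m.group(2), m.group(3) or current_port)
    return table

# Constructed sample configuration (not taken from the manual), using both command forms.
SAMPLE_CONFIG = """am user-bind mac-addr 00e0-fc00-0001 ip-addr 10.12.1.2 interface Ethernet1/0/2
interface Ethernet1/0/1
 am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
quit"""
```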