H3C S3100 Series Ethernet Switches Operation Manual (For Soliton)(V1.02)

12-Port Security-Port Binding Operation

Chapter 1  Port Security Configuration

When configuring port security, go to these sections for information you are interested in:

• Port Security Overview

• Port Security Configuration Task List

• Displaying and Maintaining Port Security Configuration

• Port Security Configuration Example

1.1  Port Security Overview

1.1.1  Introduction

Port security is a security mechanism for network access control. It is an expansion to the current 802.1x and MAC address authentication.

Port security allows you to define various security modes that enable devices to learn legal source MAC addresses, so that you can implement different network security management as needed.

With port security enabled, packets whose source MAC addresses cannot be learned by the switch in a security mode are considered illegal packets, and events that fail 802.1x authentication or MAC authentication are considered illegal events.

With port security enabled, upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes pre-defined actions automatically. This reduces your maintenance workload and greatly enhances system security and manageability.

1.1.2  Port Security Features

The following port security features are provided:

• NTK (need to know) feature: By checking the destination MAC addresses in outbound data frames on the port, NTK ensures that the switch sends data frames through the port only to successfully authenticated devices, thus preventing illegal devices from intercepting network data.

• Intrusion protection feature: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently, and blocking packets with the MAC address specified as illegal.

• Trap feature: When special data packets (generated from illegal intrusion, abnormal login/logout or other special activities) are passing through the switch port, the Trap feature enables the switch to send Trap messages to help the network administrator monitor special activities.

1.1.3  Port Security Modes

Table 1-1 describes the available port security modes:

Table 1-1 Description of port security modes (columns: Security mode, Description, Feature; each mode name below is followed by its description and then by the features the mode triggers)

noRestriction

In this mode, access to the port is not restricted.

In this mode, neither the NTK nor the intrusion protection feature is triggered.

autolearn

In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.

This security mode automatically changes to the secure mode after the number of security MAC addresses on the port reaches the maximum number configured with the port-security max-mac-count command.

After the port security mode is changed to the secure mode, only those packets whose source MAC addresses are security MAC addresses learned can pass through the port.

In both the autolearn and secure modes, the device triggers NTK and intrusion protection upon detecting an illegal packet.

secure

In this mode, the port is disabled from learning MAC addresses.

Only those packets whose source MAC addresses are security MAC addresses learned and static MAC addresses can pass through the port.

userlogin

In this mode, port-based 802.1x authentication is performed for access users.

In this mode, neither NTK nor intrusion protection will be triggered.

userLoginSecure

MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port.

In this mode, only one 802.1x-authenticated user is allowed to access the port.

When the port changes from the noRestriction mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port.

In userLoginSecure and in all of the modes that follow in this table, the device triggers the NTK and intrusion protection features upon detecting an illegal packet or illegal event.

userLoginSecureExt

This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

userLoginWithOUI

This mode is similar to the userLoginSecure mode, except that, besides the packets of the single 802.1x-authenticated user, the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port.

When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic/authenticated MAC address entries on the port.

macAddressWithRadius

In this mode, MAC address–based authentication is performed for access users.

macAddressOrUserLoginSecure

In this mode, both MAC authentication and 802.1x authentication can be performed, but 802.1x authentication has a higher priority.

802.1x authentication can still be performed on an access user who has passed MAC authentication.

No MAC authentication is performed on an access user who has passed 802.1x authentication.

In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.

macAddressOrUserLoginSecureExt

This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

macAddressElseUserLoginSecure

In this mode, a port performs MAC authentication or 802.1x authentication of an access user. If either authentication succeeds, the user is authenticated.

In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.

macAddressElseUserLoginSecureExt

This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

macAddressAndUserLoginSecure

In this mode, a port firstly performs MAC authentication for a user and then performs 802.1x authentication for the user if the user passes MAC authentication. The user can access the network after passing the two authentications.

In this mode, up to one user can access the network.

macAddressAndUserLoginSecureExt

This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network.

 

Note:

• When the port operates in the userlogin-withoui mode, intrusion protection will not be triggered even if the OUI address does not match.

• In the macAddressElseUserLoginSecure or macAddressElseUserLoginSecureExt security mode, the MAC address of a user failing MAC authentication is set as a quiet MAC address. If the user initiates 802.1x authentication during the quiet period, the switch does not authenticate the user.

• A port with port security configured forwards all ordinary Layer 2 packets whose source MAC addresses are dynamic MAC addresses configured on the port.

 

1.2  Port Security Configuration Task List

Complete the following tasks to configure port security:

• Enabling Port Security (required)

• Setting the Maximum Number of MAC Addresses Allowed on a Port (optional)

• Setting the Port Security Mode (required)

• Configuring Port Security Features (optional; choose one or more features as required):

  • Configuring the NTK feature

  • Configuring intrusion protection

  • Configuring the Trap feature

• Ignoring the Authorization Information from the RADIUS Server (optional)

• Configuring Security MAC Addresses (optional)

 

1.2.1  Enabling Port Security

I. Configuration Prerequisites

Before enabling port security, you need to disable 802.1x and MAC authentication globally.

II. Enabling Port Security

Follow these steps to enable port security:

• Enter system view: system-view

• Enable port security: port-security enable (required; disabled by default)

 

Caution:

Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses below):

• 802.1x (disabled), port access control method (macbased), and port access control mode (auto)

• MAC authentication (disabled)

In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.

 

Note:

• For details about 802.1x configuration, refer to the sections covering 802.1x and System-Guard.

• For details about MAC authentication configuration, refer to the sections covering MAC authentication configuration.

 

1.2.2  Setting the Maximum Number of MAC Addresses Allowed on a Port

Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.

By setting the maximum number of MAC addresses allowed on a port, you can:

• Control the maximum number of users who are allowed to access the network through the port

• Control the number of security MAC addresses that can be added with port security

This setting is different from the maximum number of MAC addresses that a port can learn, which is configured in MAC address management.

Follow these steps to set the maximum number of MAC addresses allowed on a port:

• Enter system view: system-view

• Enter Ethernet port view: interface interface-type interface-number

• Set the maximum number of MAC addresses allowed on the port: port-security max-mac-count count-value (required; not limited by default)

 

1.2.3  Setting the Port Security Mode

Follow these steps to set the port security mode:

• Enter system view: system-view

• Set the OUI value for user authentication: port-security oui OUI-value index index-value (optional; in userLoginWithOUI mode, a port supports one 802.1x user plus one user whose source MAC address has the specified OUI value)

• Enter Ethernet port view: interface interface-type interface-number

• Set the port security mode: port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } (required; by default, a port operates in noRestriction mode, in which access to the port is not restricted. Set a port security mode as needed.)

 

Note:

• Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.

• When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.

• After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.

• If the port is in a security mode other than noRestriction, you must first restore the port security mode to noRestriction with the undo port-security port-mode command before you can change the port security mode.

 

If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port:

• Maximum number of MAC addresses that the port can learn

• Reflector port for port mirroring

• Link aggregation

1.2.4  Configuring Port Security Features

I. Configuring the NTK feature

Follow these steps to configure the NTK feature:

• Enter system view: system-view

• Enter Ethernet port view: interface interface-type interface-number

• Configure the NTK feature: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts } (required; by default, NTK is disabled on a port, that is, all frames are allowed to be sent)
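The following is an added illustration of the NTK check, not code from the switch or from this manual: it models which outbound frames a port forwards under each keyword of port-security ntk-mode. The function names are assumptions, and so are the frame types each keyword admits (unicast to authenticated MACs only; plus broadcast; plus broadcast and multicast), which this page does not spell out.

```python
"""Added illustration for the NTK (need to know) feature of section 1.2.4.
Not switch software: names are assumptions, and the frame types admitted by
each ntk-mode keyword are assumed, not stated on this page."""
from typing import Iterable, List, Optional, Set, Tuple

BROADCAST = "ffff-ffff-ffff"          # H-H-H notation, as used by the switch CLI


def frame_class(dst_mac: str) -> str:
    """Classify a destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    first_octet = int(mac[:2], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


def ntk_allows(ntk_mode: Optional[str], dst_mac: str, authenticated: Set[str]) -> bool:
    """Return True if NTK lets a frame destined to dst_mac leave the port.

    None               : NTK disabled, every frame is sent (the default)
    ntkonly            : only unicast frames to an authenticated MAC
    ntk-withbroadcasts : the above plus broadcast frames
    ntk-withmulticasts : the above plus broadcast and multicast frames
    """
    if ntk_mode is None:
        return True
    kind = frame_class(dst_mac)
    if kind == "unicast":
        return dst_mac.lower() in authenticated
    if kind == "broadcast":
        return ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    return ntk_mode == "ntk-withmulticasts"          # multicast


def egress_filter(ntk_mode: Optional[str], frames: Iterable[Tuple[str, str]],
                  authenticated: Set[str]) -> List[Tuple[str, str]]:
    """Apply NTK to (dst_mac, description) frames; return the ones forwarded."""
    return [f for f in frames if ntk_allows(ntk_mode, f[0], authenticated)]


# Constructed sample: two authenticated stations and one outbound frame of
# each kind waiting on the port.
AUTHENTICATED = {"0001-0002-0003", "0001-0002-0004"}
SAMPLE_FRAMES = [
    ("0001-0002-0003", "unicast to an authenticated host"),
    ("0001-0002-0099", "unicast to an unauthenticated host"),
    ("0100-5e00-0001", "IPv4 multicast"),
    ("ffff-ffff-ffff", "ARP broadcast"),
]


def forwarded_counts() -> dict:
    """Number of SAMPLE_FRAMES each mode forwards."""
    return {mode: len(egress_filter(mode, SAMPLE_FRAMES, AUTHENTICATED))
            for mode in (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")}


if __name__ == "__main__":
    for mode, n in forwarded_counts().items():
        print(f"{mode or 'disabled':<20} forwards {n} of {len(SAMPLE_FRAMES)} frames")
```

With NTK disabled all four frames leave the port; ntkonly passes only the unicast frame to the authenticated host, ntk-withbroadcasts adds the broadcast, and ntk-withmulticasts adds the multicast frame as well.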

 

II. Configuring intrusion protection

Follow these steps to configure the intrusion protection feature:

• Enter system view: system-view

• Enter Ethernet port view: interface interface-type interface-number

• Set the action to be taken by the switch when intrusion protection is triggered: port-security intrusion-mode { blockmac | disableport | disableport-temporarily } (required; by default, intrusion protection is disabled)

• Return to system view: quit

• Set the length of time during which the port remains disabled: port-security timer disableport timer (optional; 20 seconds by default)

 

Note:

The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.

 

Caution:

If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch will be unable to stop packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature configured will not take effect on the packets whose destination MAC address is illegal.

 

III. Configuring the Trap feature

Follow these steps to configure port security trapping:

• Enter system view: system-view

• Enable sending traps for the specified type of event: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } (required; by default, no trap is sent)

 

1.2.5  Ignoring the Authorization Information from the RADIUS Server

After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.

Follow these steps to configure a port to ignore the authorization information from the RADIUS server:

• Enter system view: system-view

• Enter Ethernet port view: interface interface-type interface-number

• Ignore the authorization information from the RADIUS server: port-security authorization ignore (required; by default, a port uses the authorization information from the RADIUS server)

 

1.2.6  Configuring Security MAC Addresses

Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN so that you can bind a MAC address to one port in the same VLAN.

Security MAC addresses can be learned by the auto-learn function of port security or manually configured.

Before adding security MAC addresses to a port, you must set the port security mode to autolearn. After this configuration, the port changes the way it learns MAC addresses as follows:

• The port deletes its original dynamic MAC addresses;

• If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses;

• If the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses and the port mode changes from autolearn to secure.

 

Note:

Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses are restored after the switch reboots.

 

I. Configuration prerequisites

• Port security is enabled.

• The maximum number of security MAC addresses allowed on the port is set.

• The security mode of the port is set to autolearn.

II. Configuring a security MAC address

Follow these steps to configure a security MAC address:

• Enter system view: system-view

• Add a security MAC address, in either of two ways (one of them is required; by default, no security MAC address is configured):

  • In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id

  • In Ethernet port view: interface interface-type interface-number, then mac-address security mac-address vlan vlan-id

 

1.3  Displaying and Maintaining Port Security Configuration

• Display information about port security configuration: display port-security [ interface interface-list ] (available in any view)

• Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] (available in any view)

 

1.4  Port Security Configuration Example

1.4.1  Port Security Configuration Example

I. Network requirements

Implement access user restrictions through the following configuration on Ethernet 1/0/1 of the switch:

• Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses.

• To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.

• After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.

II. Network diagram

Figure 1-1 Network diagram for port security configuration

III. Configuration procedure

# Enter system view.

<Switch> system-view

# Enable port security.

[Switch] port-security enable

# Enter Ethernet1/0/1 port view.

[Switch] interface Ethernet 1/0/1

# Set the maximum number of MAC addresses allowed on the port to 80.

[Switch-Ethernet1/0/1] port-security max-mac-count 80

# Set the port security mode to autolearn.

[Switch-Ethernet1/0/1] port-security port-mode autolearn

# Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.

[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1

# Configure the port to be silent for 30 seconds after intrusion protection is triggered.

[Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

[Switch-Ethernet1/0/1] quit

[Switch] port-security timer disableport 30
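To make the behaviour configured above concrete, the following is an added model, not switch software and not part of this manual, of the port security mechanism described in Table 1-1, section 1.2.6 and this example: a port in autolearn mode turns learned source MACs into security MAC addresses, changes to secure mode when port-security max-mac-count is reached, and from then on applies the configured port-security intrusion-mode action to frames from unknown sources. The class, method and event names are assumptions, and the traffic that replays the 1.4.1 scenario is constructed.

```python
"""Added illustration for sections 1.1.3, 1.2.6 and 1.4.1 (not switch
software; names are assumptions, traffic is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurePort:
    name: str
    max_mac_count: int                                  # port-security max-mac-count
    intrusion_mode: Optional[str] = None                # blockmac | disableport | disableport-temporarily
    disable_timer: float = 20.0                         # port-security timer disableport (20 s default)
    mode: str = "autolearn"                             # becomes "secure" once the limit is reached
    security_macs: Dict[str, int] = field(default_factory=dict)    # mac -> vlan, never ages out
    blocked_macs: Set[str] = field(default_factory=set)            # filled by the blockmac action
    disabled_until: Optional[float] = None              # None = port up, inf = disabled permanently
    events: List[Tuple[float, str]] = field(default_factory=list)  # what port-security trap would report

    def add_security_mac(self, mac: str, vlan: int, now: float = 0.0) -> None:
        """mac-address security <mac> vlan <vlan>: manual entry that counts toward the limit."""
        if self.mode != "autolearn":
            raise ValueError("set port-security port-mode autolearn first (section 1.2.6)")
        self.security_macs[mac] = vlan
        self._check_limit(now)

    def _check_limit(self, now: float) -> None:
        # Table 1-1: autolearn changes to secure when the count reaches the maximum.
        if self.mode == "autolearn" and len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"
            self.events.append((now, "mode changed autolearn -> secure"))

    def ingress(self, src_mac: str, vlan: int, now: float) -> str:
        """Fate of a frame with source src_mac arriving at time now (seconds)."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "drop:port-disabled"
            self.disabled_until = None                  # disableport-temporarily timer expired
            self.events.append((now, "port re-enabled"))
        if src_mac in self.blocked_macs:
            return "drop:blocked-mac"
        if src_mac in self.security_macs:
            return "forward"
        if self.mode == "autolearn":                    # still learning: adopt the address
            self.security_macs[src_mac] = vlan
            self.events.append((now, f"addresslearned {src_mac}"))
            self._check_limit(now)
            return "learned"
        return self._intrusion(src_mac, now)            # secure mode: unknown source is illegal

    def _intrusion(self, src_mac: str, now: float) -> str:
        self.events.append((now, f"intrusion {src_mac}"))
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disable_timer
        return "drop:intrusion"


def run_example_1_4_1() -> dict:
    """Replay the 1.4.1 configuration: max 80, autolearn, Host bound, 30 s silence."""
    port = SecurePort("Ethernet1/0/1", max_mac_count=80,
                      intrusion_mode="disableport-temporarily", disable_timer=30)
    port.add_security_mac("0001-0002-0003", vlan=1)        # Host, added manually in VLAN 1
    hosts = [f"0000-00aa-{i:04x}" for i in range(1, 80)]   # 79 constructed stations
    learned = [port.ingress(mac, 1, now=float(i)) for i, mac in enumerate(hosts)]
    mode_after_fill = port.mode                            # the 80th entry flipped the mode
    unknown = port.ingress("0000-00bb-0001", 1, now=100.0)  # 81st source: illegal packet
    during = port.ingress("0001-0002-0003", 1, now=110.0)   # even Host is cut off while disabled
    after = port.ingress("0001-0002-0003", 1, now=131.0)    # 30 s timer has expired
    return {"learned": learned.count("learned"), "mode": mode_after_fill,
            "unknown": unknown, "during_disable": during, "after_timer": after,
            "security_mac_count": len(port.security_macs), "events": port.events}


if __name__ == "__main__":
    result = run_example_1_4_1()
    for key, value in result.items():
        if key != "events":
            print(f"{key}: {value}")
    print("last events:", result["events"][-3:])
```

Two points the model makes visible: while the port is disabled by disableport-temporarily, frames from Host itself are dropped too, so a single unknown station can take the legitimate users off the network for the timer period; and the events list is what a port-security trap would report (addresslearned, intrusion), which is the signal to monitor if you want to notice that happening.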

 


Chapter 2  Port Binding Configuration

When configuring port binding, go to these sections for information you are interested in:

• Port Binding Overview

• Displaying and Maintaining Port Binding Configuration

• Port Binding Configuration Example

2.1  Port Binding Overview

2.1.1  Introduction

Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP address. This improves network security and enhances security monitoring.

2.1.2  Configuring Port Binding

Follow these steps to configure port binding:

• Enter system view: system-view

• Bind the MAC address and IP address of a user to a specific port, in either of two ways (one of them is required; by default, no user MAC address or IP address is bound to a port):

  • In system view: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number

  • In Ethernet port view: interface interface-type interface-number, then am user-bind mac-addr mac-address ip-addr ip-address

 

Note:

• An IP address can be bound to only one port at a time.

• A MAC address can be bound to only one port at a time.

 

2.2  Displaying and Maintaining Port Binding Configuration

• Display port binding information: display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ] (available in any view)

 

2.3  Port Binding Configuration Example

2.3.1  Port Binding Configuration Example

I. Network requirements

It is required to bind the MAC and IP addresses of Host A to Ethernet 1/0/1 on Switch A, so as to prevent malicious users from using the IP address they steal from Host A to access the network.

II. Network diagram

Figure 2-1 Network diagram for port binding configuration

III. Configuration procedure

Configure Switch A as follows:

# Enter system view.

<SwitchA> system-view

# Enter Ethernet 1/0/1 port view.

[SwitchA] interface Ethernet 1/0/1

# Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.

[SwitchA-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
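As an added illustration of what this binding achieves (not switch software and not part of this manual), the following model keeps an am user-bind style table that enforces the two rules from the note in 2.1.2 (an IP address and a MAC address can each be bound to only one port at a time) and applies the check described in 2.1.1: a packet received on a port with bindings is forwarded only when its source MAC and source IP both match a binding on that port. The class and method names are assumptions, and the packets replaying the 2.3.1 scenario are constructed.

```python
"""Added illustration for chapter 2 (port binding). Not switch software;
names are assumptions and the sample packets are constructed."""
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple


class PortBindingTable:
    def __init__(self) -> None:
        self.by_port: Dict[str, Set[Tuple[str, str]]] = {}   # port -> {(mac, ip)}
        self.ip_owner: Dict[str, str] = {}                    # ip  -> port
        self.mac_owner: Dict[str, str] = {}                   # mac -> port

    def user_bind(self, mac: str, ip: str, port: str) -> None:
        """am user-bind mac-addr <mac> ip-addr <ip> interface <port>."""
        mac, ip = mac.lower(), str(ip_address(ip))            # normalise; rejects malformed IPs
        if self.ip_owner.get(ip, port) != port:
            raise ValueError(f"{ip} is already bound to {self.ip_owner[ip]}")
        if self.mac_owner.get(mac, port) != port:
            raise ValueError(f"{mac} is already bound to {self.mac_owner[mac]}")
        self.ip_owner[ip] = port
        self.mac_owner[mac] = port
        self.by_port.setdefault(port, set()).add((mac, ip))

    def forwards(self, port: str, src_mac: str, src_ip: str) -> bool:
        """Ingress check for a packet received on port (section 2.1.1)."""
        bindings = self.by_port.get(port)
        if not bindings:
            return True      # no binding on this port: port binding does not restrict it
        return (src_mac.lower(), str(ip_address(src_ip))) in bindings

    def display_am_user_bind(self) -> List[Tuple[str, str, str]]:
        """Rows of (port, mac, ip), the content 'display am user-bind' would show."""
        return sorted((p, m, i) for p, s in self.by_port.items() for m, i in s)


def run_example_2_3_1() -> dict:
    """Replay 2.3.1: Host A (0001-0002-0003, 10.12.1.1) bound to Ethernet1/0/1."""
    table = PortBindingTable()
    table.user_bind("0001-0002-0003", "10.12.1.1", "Ethernet1/0/1")
    # Constructed packets arriving on Ethernet1/0/1: (port, src_mac, src_ip)
    packets = {
        "host_a":     ("Ethernet1/0/1", "0001-0002-0003", "10.12.1.1"),
        "stolen_ip":  ("Ethernet1/0/1", "0001-0002-00aa", "10.12.1.1"),  # Host A's IP, other MAC
        "stolen_mac": ("Ethernet1/0/1", "0001-0002-0003", "10.12.1.7"),  # Host A's MAC, other IP
    }
    return {name: table.forwards(*pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, ok in run_example_2_3_1().items():
        print(f"{name:<11} {'forwarded' if ok else 'dropped'}")
```

Only the packet carrying both of Host A's addresses is forwarded; a station on the same port that reuses Host A's IP with its own MAC, or Host A's MAC with a different IP, is dropped. Note that the check is per port: a port with no binding configured is not restricted by this feature, so the binding protects the bound port rather than the IP address network-wide.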

 
