H3C S3600 Operation Manual-Release 1602(V1.02)

HomeSupportSwitchesH3C S3600 Switch SeriesConfigure & DeployConfiguration GuidesH3C S3600 Operation Manual-Release 1602(V1.02)
11-Port Security-Port Binding Operation
Title Size Download
11-Port Security-Port Binding Operation 143.42 KB

When configuring port security, go to these sections for information you are interested in:

l          Port Security Overview

l          Port Security Configuration Task List

l          Displaying and Maintaining Port Security Configuration

l          Port Security Configuration Example

 

Two port security modes were added: macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt. For details, refer to Port Security Modes.

 

Port Security Overview

Introduction

Port security is a security mechanism for network access control. It is an expansion to the current 802.1x and MAC address authentication.

Port security allows you to define various security modes that enable devices to learn legal source MAC addresses, so that you can implement different network security management as needed.

With port security enabled, packets whose source MAC addresses cannot be learned by your switch in a security mode are considered illegal packets, The events that cannot pass 802.1x authentication or MAC authentication are considered illegal.

With port security enabled, upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes pre-defined actions automatically. This reduces your maintenance workload and greatly enhances system security and manageability.

Port Security Features

The following port security features are provided:

l          NTK (need to know) feature: By checking the destination MAC addresses in outbound data frames on the port, NTK ensures that the switch sends data frames through the port only to successfully authenticated devices, thus preventing illegal devices from intercepting network data.

l          Intrusion protection feature: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently, and blocking packets with the MAC address specified as illegal.

l          Trap feature: When special data packets (generated from illegal intrusion, abnormal login/logout or other special activities) are passing through the switch port, Trap feature enables the switch to send Trap messages to help the network administrator monitor special activities.

Port Security Modes

Table 1-1 describes the available port security modes:

Table 1-1 Description of port security modes

Security mode

Description

Feature

noRestriction

In this mode, access to the port is not restricted.

In this mode, neither the NTK nor the intrusion protection feature is triggered.

autolearn

In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.

This security mode will automatically change to the secure mode after the amount of security MAC addresses on the port reaches the maximum number configured with the port-security max-mac-count command.

After the port security mode is changed to the secure mode, only those packets whose source MAC addresses are security MAC addresses learned or dynamic MAC addresses configured can pass through the port.

In either mode, the device will trigger NTK and intrusion protection upon detecting an illegal packet.

secure

In this mode, the port is disabled from learning MAC addresses.

Only those packets whose source MAC addresses are security MAC addresses learned and static or dynamic MAC addresses can pass through the port.

userlogin

In this mode, port-based 802.1x authentication is performed for access users.

In this mode, neither NTK nor intrusion protection will be triggered.

userLoginSecure

MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port.

In this mode, only one 802.1x-authenticated user is allowed to access the port.

When the port changes from the noRestriction mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port.

In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event.

userLoginSecureExt

This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

userLoginWithOUI

This mode is similar to the userLoginSecure mode, except that, besides the packets of the single 802.1x-authenticated user, the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port.

When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic/authenticated MAC address entries on the port.

macAddressWithRadius

In this mode, MAC address–based authentication is performed for access users.

macAddressOrUserLoginSecure

In this mode, both MAC authentication and 802.1x authentication can be performed, but 802.1x authentication has a higher priority.

802.1x authentication can still be performed on an access user who has passed MAC authentication.

No MAC authentication is performed on an access user who has passed 802.1x authentication.

In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.

macAddressOrUserLoginSecureExt

This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. .

macAddressElseUserLoginSecure

In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user.

In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.

macAddressElseUserLoginSecureExt

This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

macAddressAndUserLoginSecure

In this mode, a port firstly performs MAC authentication for a user and then performs 802.1x authentication for the user if the user passes MAC authentication. The user can access the network after passing the two authentications.

In this mode, up to one user can access the network.

macAddressAndUserLoginSecureExt

This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network.

 

l          When the port operates in the userlogin-withoui mode, Intrusion Protection will not be triggered even if the OUI address does not match.

l          On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, Intrusion Protection is triggered only after both MAC-based authentication and 802.1x authentication on the same packet fail.

 

Port Security Configuration Task List

Complete the following tasks to configure port security:

Task

Remarks

Enabling Port Security

Required

Setting the Maximum Number of MAC Addresses Allowed on a Port

Optional

Setting the Port Security Mode

Required

Configuring Port Security Features

Configuring the NTK feature

Optional

Choose one or more features as required.

Configuring intrusion protection

Configuring the Trap feature

Ignoring the Authorization Information from the RADIUS Server

Optional

Configuring Security MAC Addresses

Optional

 

Enabling Port Security

Configuration Prerequisites

Before enabling port security, you need to disable 802.1x and MAC authentication globally.

Enabling Port Security

Follow these steps to enable port security:

To do...

Use the command...

Remarks

Enter system view

system-view

Enable port security

port-security enable

Required

Disabled by default

 

Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses below):

l          802.1x (disabled), port access control method (macbased), and port access control mode (auto)

l          MAC authentication (disabled)

In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.

 

l          For details about 802.1x configuration, refer to the sections covering 802.1x and System-Guard.

l          For details about MAC authentication configuration, refer to the sections covering MAC authentication configuration.

l          The port security feature does not support the quick EAD deployment feature in 802.1x.

l          The port security feature does not support the guest VLAN feature in MAC authentication.

 

Setting the Maximum Number of MAC Addresses Allowed on a Port

Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.

By setting the maximum number of MAC addresses allowed on a port, you can

l          Control the maximum number of users who are allowed to access the network through the port

l          Control the number of Security MAC addresses that can be added with port security

This configuration is different from that of the maximum number of MAC addresses that can be leaned by a port in MAC address management.

Follow these steps to set the maximum number of MAC addresses allowed on a port:

To do...

Use the command...

Remarks

Enter system view

system-view

Enter Ethernet port view

interface interface-type interface-number

Set the maximum number of MAC addresses allowed on the port

port-security max-mac-count count-value

Required

Not limited by default

 

Setting the Port Security Mode

Follow these steps to set the port security mode:

To do...

Use the command...

Remarks

Enter system view

system-view

Set the OUI value for user authentication

port-security oui OUI-value index index-value

Optional

In userLoginWithOUI mode, a port supports one 802.1x user plus one user whose source MAC address has a specified OUI value.

Enter Ethernet port view

interface interface-type interface-number

Set the port security mode

port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

Required

By default, a port operates in noRestriction mode. In this mode, access to the port is not restricted.

You can set a port security mode as needed.

 

l          Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.

l          When the port operates in the autoLearn mode, you cannot change the maximum number of MAC addresses allowed on the port.

l          After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.

l          If the port is in a security mode other than noRestriction, before you can change the port security mode, you need to restore the port security mode to noRestriction with the undo port-security port-mode command.

l          The port security mode of autolearn is not supported on fabric devices.

 

If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port:

l          Maximum number of MAC addresses that the port can learn

l          Reflector port for port mirroring

l          Fabric port

l          Link aggregation

Configuring Port Security Features

Configuring the NTK feature

Follow these steps to configure the NTK feature:

To do...

Use the command...

Remarks

Enter system view

system-view

Enter Ethernet port view

interface interface-type interface-number

Configure the NTK feature

port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }

Required

By default, NTK is disabled on a port, namely all frames are allowed to be sent.

 

Configuring intrusion protection

Follow these steps to configure the intrusion protection feature:

To do...

Use the command...

Remarks

Enter system view

system-view

Enter Ethernet port view

interface interface-type interface-number

Set the corresponding action to be taken by the switch when intrusion protection is triggered

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

Required

By default, intrusion protection is disabled.

Return to system view

quit

Set the timer during which the port remains disabled

port-security timer disableport timer

Optional

20 seconds by default

 

The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.

 

If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch will be unable to disable the packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature configured will not take effect on the packets whose destination MAC address is illegal.

 

Configuring the Trap feature

Follow these steps to configure port security trapping:

To do...

Use the command...

Remarks

Enter system view

system-view

Enable sending traps for the specified type of event

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

Required

By default, no trap is sent.

 

Ignoring the Authorization Information from the RADIUS Server

After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.

Follow these steps to configure a port to ignore the authorization information from the RADIUS server:

To do...

Use the command...

Remarks

Enter system view

system-view

Enter Ethernet port view

interface interface-type interface-number

Ignore the authorization information from the RADIUS server

port-security authorization ignore

Required

By default, a port uses the authorization information from the RADIUS server.

 

Configuring Security MAC Addresses

Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN so that you can bind a MAC address to one port in the same VLAN.

Security MAC addresses can be learned by the auto-learn function of port security or manually configured.

Before adding security MAC addresses to a port, you must configure the port security mode to autolearn. After this configuration, the port changes its way of learning MAC addresses as follows.

l          The port deletes original dynamic MAC addresses;

l          If the amount of security MAC addresses has not yet reach the maximum number, the port will learn new MAC addresses and turn them to security MAC addresses;

l          If the amount of security MAC addresses reaches the maximum number, the port will not be able to learn new MAC addresses and the port mode will be changed from autolearn to secure.

 

The security MAC addresses manually configured are written to the configuration file; they will not get lost when the port is up or down. As long as the configuration file is saved, the security MAC addresses can be restored after the switch reboots.

 

Configuration prerequisites

l          Port security is enabled.

l          The maximum number of security MAC addresses allowed on the port is set.

l          The security mode of the port is set to autolearn.

Configuring a security MAC address

Follow these steps to configure a security MAC address:

To do...

Use the command...

Remarks

Enter system view

system-view

Add a security MAC address

In system view

mac-address security mac-address  interface interface-type interface-number vlan vlan-id

Either is required.

By default, no security MAC address is configured.

In Ethernet port view

interface interface-type interface-number

mac-address security mac-address vlan vlan-id

 

Displaying and Maintaining Port Security Configuration

To do...

Use the command...

Remarks

Display information about port security configuration

display port-security [ interface interface-list ]

Available in any view

Display information about security MAC address configuration

display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

 

Port Security Configuration Example

Port Security Configuration Example

Network requirements

Implement access user restrictions through the following configuration on Ethernet 1/0/1 of the switch.

l          Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses.

l          To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.

l          After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds.

Network diagram

Figure 1-1 Network diagram for port security configuration

 

Configuration procedure

# Enter system view.

<Switch> system-view

# Enable port security.

[Switch] port-security enable

# Enter Ethernet1/0/1 port view.

[Switch] interface Ethernet 1/0/1

# Set the maximum number of MAC addresses allowed on the port to 80.

[Switch-Ethernet1/0/1] port-security max-mac-count 80

# Set the port security mode to autolearn.

[Switch-Ethernet1/0/1] port-security port-mode autolearn

# Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.

[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1

# Configure the port to be silent for 30 seconds after intrusion protection is triggered.

[Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

[Switch-Ethernet1/0/1] quit

[Switch] port-security timer disableport 30

 


Port Binding Configuration

When configuring port binding, go to these sections for information you are interested in:

l          Port Binding Overview

l          Displaying and Maintaining Port Binding Configuration

l          Port Binding Configuration Example

Port Binding Overview

Introduction

Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP address. This improves network security and enhances security monitoring.

Configuring Port Binding

Follow these steps to configure port binding:

To do...

Use the command...

Remarks

Enter system view

system-view

Bind the MAC address and IP address of a user to a specific port

In system view

am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number

Either is required.

By default, no user MAC address or IP address is bound to a port.

In Ethernet port view

interface interface-type interface-number

am user-bind mac-addr mac-address ip-addr ip-address

 

l          An IP address can be bound to only one port at a time.

l          A MAC address can be bound to only one port at a time.

 

Displaying and Maintaining Port Binding Configuration

To do...

Use the command...

Remarks

Display port binding information

display am user-bind [ interface interface-type interface-number | ip-addr ip-address  | mac-addr mac-address ]

Available in any view

 

Port Binding Configuration Example

Port Binding Configuration Example

Network requirements

It is required to bind the MAC and IP addresses of Host A to Ethernet 1/0/1 on Switch A, so as to prevent malicious users from using the IP address they steal from Host A to access the network.

Network diagram

Figure 2-1 Network diagram for port binding configuration

 

Configuration procedure

Configure Switch A as follows:

# Enter system view.

<SwitchA> system-view

# Enter Ethernet 1/0/1 port view.

[SwitchA] interface Ethernet 1/0/1

# Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.

[SwitchA-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网