HPE Community
Comware Based
1752577 Members
4902 Online
108788 Solutions
New Discussion

Port Security on A5500

 
SOLVED
Go to solution
jkusner
Visitor

‎05-12-2014 09:39 AM

‎05-12-2014 09:39 AM

Port Security on A5500

Hello,

 

I am trying to get my HP 5120 and 5500 switches setup to run port-security similar to how my Cisco switches do it. Essentialy I have a port with a data and voice VLAN, and I want to limit the max number of MAC addresses on the port to 2 (phone and PC). Any addresses over 2 should not be allowed on the network. The port should remain operational for the first 2 MACs. If the port goes down the MAC addresses learned on the port should reset (not be sticky)

 

Here is what I have put together based on the reading I have done, but curious if someone out there has a similar configuration working. What I am not getting is the clearing of the learned mac addresses once a host disconnects.

 

port-security enable

#

interface GigabitEthernet1/0/4
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
speed auto 10 100
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable

port-security max-mac-count 2

port-security port-mode autoLearn

port-security mac-address dynamic

port-security intrusion-mode blockmac
poe enable
stp edged-port enable
qos trust dscp

 

There is also a precaution listed in the documentation...

 Before enabling port security, be sure to disable 802.1x and MAC authentication globally

 

Is this something that is disabled by default or do I need to specify this in the config?

13 REPLIES 13
paulgear
Esteemed Contributor

‎05-13-2014 03:47 PM

‎05-13-2014 03:47 PM

Re: Port Security on A5500

Hi jkusner,

802.1x and MAC authentication are disabled by default, so there should be no problem for you if you haven't specifically enabled them.

I'm curious to know why you're using hybrid ports for this rather than trunk ports - any particular reason?
Regards,
Paul
0 Kudos
jkusner
Visitor

‎05-15-2014 10:16 AM

‎05-15-2014 10:16 AM

Re: Port Security on A5500

Thanks for replying. I found out by adding

 

"port-security timer autolearn aging 2" to the global config

 

and 


"port-security mac-address aging-type inactivity" to each port

 

it seems to give me what I am looking for. This causes the learned macs to reset after 2 minutes. I will reply back with more details as I test it further.

 

In terms of the hybrid port configuration, thats a great question. I sort of inherited this port configuration and admit that I am not very familiar with these switches in general. I know in most cases we have older Cisco phones (7941 and the like) that are connected to the switchports. Is there a more optimal config we could be using on these user facing ports?

 

0 Kudos
paulgear
Esteemed Contributor

‎05-15-2014 04:47 PM

‎05-15-2014 04:47 PM

Re: Port Security on A5500

Hi jkusner,

 

I don't think there's anything wrong with using hybrid ports, and they should function identically to trunk ports in this scenario.  I was merely curious.

 

I'm interested to hear about your results in testing those commands.

Regards,
Paul
0 Kudos
Apachez-
Trusted Contributor

‎06-06-2014 05:54 AM

‎06-06-2014 05:54 AM

Re: Port Security on A5500

This is how I do it:

 

On the physical interface:

 

 mac-address max-mac-count 10

On the VLAN-interface:

 

 ipv6 neighbors max-learning-num 20

This way not more than 10 mac addresses will be learned on the physical interface, when client disconnects this is reset.

 

The IPv6 stuff on the VLAN-interface is to do the same but for IPv6 (where ND is used instead of ARP).

 

The reason for why that IPv6 value is higher than the mac one is because IPv6 by design always have a link local even if it learns a global unicast address.

 

This means if you with the above mac limit expect not more than 10 clients on this interface the above value for ND is the equal (10 IPv6 clients would mean that 20 neighbours would be learned).

0 Kudos
MichaelM55
Trusted Contributor

‎06-07-2014 03:33 AM - edited ‎06-07-2014 03:40 AM

‎06-07-2014 03:33 AM - edited ‎06-07-2014 03:40 AM

Re: Port Security on A5500

For IPv6 port security take a look at "SAVI", too.

 

http://www.ietf.org/proceedings/78/slides/savi-4.pdf

http://www.ietf.org/proceedings/80/slides/savi-2.pdf

 

Apachez-
Trusted Contributor

‎06-07-2014 07:48 AM

‎06-07-2014 07:48 AM

Re: Port Security on A5500

The main drawback with SAVI is that both the network equipment along with the clients connecting to it must have support for it to work.

In my case I have solved it with one VLAN per client which is achieved thanks to Protocol-VLAN feature of HP A-series.

Example (not the full config is presented but so you get an idea):

On Access-switch:

#
vlan 100
 description R1
 protocol-vlan 0 mode ethernetii etype 0806
 protocol-vlan 4 ipv4
#
vlan 101
 description 01_CUSTOMER
 protocol-vlan 6 ipv6
#
...
#
vlan 148
 description 48_CUSTOMER
 protocol-vlan 6 ipv6
#

#
interface GigabitEthernet1/0/1
 description 01_CUSTOMER
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 broadcast-suppression pps 100
 multicast-suppression pps 100
 unicast-suppression pps 100
 undo jumboframe enable
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 100 4
 port hybrid protocol-vlan vlan 101 6
 packet-filter 3101 inbound
 packet-filter ipv6 3101 inbound
 stp disable
 undo ndp enable
 undo lldp enable
 lldp admin-status disable
 mac-address max-mac-count 10
 mac-address information enable added
 port-isolate enable
#

On router:

#
 ipv6 dhcp prefix-pool 1 prefix 2001:DB8:1234:100::/56 assign-len 64
#

#
ipv6 dhcp pool 1
 network 2001:DB8:1234:F101::/64 preferred-lifetime 3600 valid-lifetime 86400
 prefix-pool 1 preferred-lifetime 3600 valid-lifetime 86400
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
#

#
interface Vlan-interface100
 description SW1
 ipv6 address 2001:DB8:1234:F100::1/126
 ipv6 address FE80::F100:1 link-local
 ip address 192.0.2.62 255.255.255.192
 local-proxy-arp enable
#

#
interface Vlan-interface101
 description SW1_01_CUSTOMER
 ipv6 nd ra prefix 2001:DB8:1234:F101::/64 86400 3600
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 ipv6 neighbors max-learning-num 20
 ipv6 address 2001:DB8:1234:F101::1/64
 ipv6 address FE80::F101:1 link-local
 ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
#



The above gives that for IPv4 the design is (that is ethertype of the packet is identified by Protocol-VLAN and put in the correct VLAN):

All clients in SW1 are on the same VLAN (100) but port-isolate along with local-proxy-arp makes sure the clients cannot speak directly to each other (the packets must pass R1/the uplink). This way the clients are isolated against each other at L2 level but can still communicate with each other at L3 (if you wish).

While for IPv6 the design is (again, Protocol-VLAN applies its magic):

Each client is in their own VLAN (101 to 148 depending on which physical interface they are connected to). This also gives that the majority of the IPv6 security issues are now isolated away - its only equipment from the same client which exists on the same VLAN. This also gives that the client can now choose from using static ip, SLAAC or DHCPv6 (along with DHCPv6-PD when HP fixes the reported bug regarding routing is not properly updated when the internal DHCP6-server servces a PD to the client).

Like a win-win situation =)

MichaelM55
Trusted Contributor

‎06-07-2014 08:37 AM

‎06-07-2014 08:37 AM

Re: Port Security on A5500

For SAVI, the clients don´t need any support. That´s switch/DHCP magic.Did I miss something?

 

Hm, first you "port-isolate" the clients and afterwards "proxy-arp". I actually nevery tried that one. This works as expected? I really have to try out this myself...

 

I´m actually asking myself what traffic you filter with 3101 on IP/IPv6.

I once started with filtering all variants of IPv6/ICMPv6/RA  till I tried out THC...and had a "not supported by hardware" for IPv6 ACLs...

 

What do you filter on IPv4?

 

Apachez-
Trusted Contributor

‎06-07-2014 09:29 AM

‎06-07-2014 09:29 AM

Re: Port Security on A5500

Port-isolate and local-proxy-arp has only effect on IPv4 traffic in my case (thanks to Protocol-VLAN). That is because with IPv4 all clients are on the same VLAN but port-isolate isolates them on L2 level. That is they are only allowed to speak to uplink. The switch the clients are connected to is a A5120EI.

 

Then on the uplink sits a A5820 acting as a router. The A5820 has an ip set on interface vlan 100, this ip is what the clients will use as default gateway.

 

client(s) <-> A5120 (SWx, acting L2-device) <-> A5820 (Rx, acting L3-device)

 

The local-proxy-arp will arp the mac of A5820 in case it see a request from the A5120 asking for "who has ip <clientX>". Local-proxy-arp will only proxy-arp for the range configured on the int vlan 100 (compared to a regular proxy-arp who proxy-arps for any request).

 

This way clientX at SW1 who arps for "who has ip <clientY>" will get a response from A5820 saying "I have ip <clientY>, my mac is <mac of A5820>". ClientX sends then the packets to A5820 (which it thinks is clientY), A5820 will then send the packet to the true clientY by returning the packet on the same interface. If you dont wish this you can setup an ACL to block this (and disable local-proxy-arp).

 

The ACLs on each physical interface towards the client(s) will filter based on sourceip basically.

 

For example client connected to gi 1/0/1 is only allowed to use IPv4 192.0.2.1, client on gi 1/0/2 is only allowed to use IPv4 192.0.2.2 etc (of course these ip addresses are just examples).

 

The same goes for IPv6 but here I allow the DHCP6 stuff, link local stuff with /64 mask along with the global unicast address assigned to this client (both the /64 announced through SLAAC but also the additional /56 being routed towards the client).

 

Then on the infrastructure ACLs (ACL sitting on the interfaces between switch/routers) I filter whole nets along with which ports I wish to drop. For example dropping incoming RFC1918 traffic on uplink towards Internet, along with stuff such as TCP/UDP 135-139, 445, 1900 and whatever you might dislike :-)

 

So far roughly 10% of our customers use IPv6 (intentionally or not =) while looking at the dropped packets like TCP/UDP 135-139 there are far more evil clients out on the Internet using IPv4 than using IPv6... so far at least... but this will change as more and more clients start to use IPv6.

jkusner
Visitor

‎06-27-2014 07:58 AM

‎06-27-2014 07:58 AM

Re: Port Security on A5500

I ended up using the below and it seems to be working:

 

interface GigabitEthernet7/0/21
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable
speed auto 10 100
poe enable
stp edged-port enable
qos trust dscp
port-security max-mac-count 3
port-security port-mode autolearn
port-security intrusion-mode blockmac
port-security mac-address dynamic
port-security mac-address aging-type inactivity

 

However, just using something like "mac-address max-mac-count 3" sure seems easier. What are the drawbacks and advtanges of either way?

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.