- Community Home
- >
- Networking
- >
- Switching and Routing
- >
- Comware Based
- >
- Re: Port Security on A5500
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2014 09:39 AM
05-12-2014 09:39 AM
Hello,
I am trying to get my HP 5120 and 5500 switches setup to run port-security similar to how my Cisco switches do it. Essentialy I have a port with a data and voice VLAN, and I want to limit the max number of MAC addresses on the port to 2 (phone and PC). Any addresses over 2 should not be allowed on the network. The port should remain operational for the first 2 MACs. If the port goes down the MAC addresses learned on the port should reset (not be sticky)
Here is what I have put together based on the reading I have done, but curious if someone out there has a similar configuration working. What I am not getting is the clearing of the learned mac addresses once a host disconnects.
port-security enable
#
interface GigabitEthernet1/0/4
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
speed auto 10 100
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable
port-security max-mac-count 2
port-security port-mode autoLearn
port-security mac-address dynamic
port-security intrusion-mode blockmac
poe enable
stp edged-port enable
qos trust dscp
There is also a precaution listed in the documentation...
Before enabling port security, be sure to disable 802.1x and MAC authentication globally
Is this something that is disabled by default or do I need to specify this in the config?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-13-2014 03:47 PM
05-13-2014 03:47 PM
Re: Port Security on A5500
802.1x and MAC authentication are disabled by default, so there should be no problem for you if you haven't specifically enabled them.
I'm curious to know why you're using hybrid ports for this rather than trunk ports - any particular reason?
Paul
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2014 10:16 AM
05-15-2014 10:16 AM
Re: Port Security on A5500
Thanks for replying. I found out by adding
"port-security timer autolearn aging 2" to the global config
and
"port-security mac-address aging-type inactivity" to each port
it seems to give me what I am looking for. This causes the learned macs to reset after 2 minutes. I will reply back with more details as I test it further.
In terms of the hybrid port configuration, thats a great question. I sort of inherited this port configuration and admit that I am not very familiar with these switches in general. I know in most cases we have older Cisco phones (7941 and the like) that are connected to the switchports. Is there a more optimal config we could be using on these user facing ports?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2014 04:47 PM
05-15-2014 04:47 PM
Re: Port Security on A5500
Hi jkusner,
I don't think there's anything wrong with using hybrid ports, and they should function identically to trunk ports in this scenario. I was merely curious.
I'm interested to hear about your results in testing those commands.
Paul
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-06-2014 05:54 AM
06-06-2014 05:54 AM
Re: Port Security on A5500
This is how I do it:
On the physical interface:
mac-address max-mac-count 10
On the VLAN-interface:
ipv6 neighbors max-learning-num 20
This way not more than 10 mac addresses will be learned on the physical interface, when client disconnects this is reset.
The IPv6 stuff on the VLAN-interface is to do the same but for IPv6 (where ND is used instead of ARP).
The reason for why that IPv6 value is higher than the mac one is because IPv6 by design always have a link local even if it learns a global unicast address.
This means if you with the above mac limit expect not more than 10 clients on this interface the above value for ND is the equal (10 IPv6 clients would mean that 20 neighbours would be learned).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2014 03:33 AM - edited 06-07-2014 03:40 AM
06-07-2014 03:33 AM - edited 06-07-2014 03:40 AM
Re: Port Security on A5500
For IPv6 port security take a look at "SAVI", too.
http://www.ietf.org/proceedings/78/slides/savi-4.pdf
http://www.ietf.org/proceedings/80/slides/savi-2.pdf
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2014 07:48 AM
06-07-2014 07:48 AM
Re: Port Security on A5500
The main drawback with SAVI is that both the network equipment along with the clients connecting to it must have support for it to work.
In my case I have solved it with one VLAN per client which is achieved thanks to Protocol-VLAN feature of HP A-series.
Example (not the full config is presented but so you get an idea):
On Access-switch:
#
vlan 100
description R1
protocol-vlan 0 mode ethernetii etype 0806
protocol-vlan 4 ipv4
#
vlan 101
description 01_CUSTOMER
protocol-vlan 6 ipv6
#
...
#
vlan 148
description 48_CUSTOMER
protocol-vlan 6 ipv6
#
#
interface GigabitEthernet1/0/1
description 01_CUSTOMER
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 101 untagged
broadcast-suppression pps 100
multicast-suppression pps 100
unicast-suppression pps 100
undo jumboframe enable
port hybrid protocol-vlan vlan 100 0
port hybrid protocol-vlan vlan 100 4
port hybrid protocol-vlan vlan 101 6
packet-filter 3101 inbound
packet-filter ipv6 3101 inbound
stp disable
undo ndp enable
undo lldp enable
lldp admin-status disable
mac-address max-mac-count 10
mac-address information enable added
port-isolate enable
#
On router:
#
ipv6 dhcp prefix-pool 1 prefix 2001:DB8:1234:100::/56 assign-len 64
#
#
ipv6 dhcp pool 1
network 2001:DB8:1234:F101::/64 preferred-lifetime 3600 valid-lifetime 86400
prefix-pool 1 preferred-lifetime 3600 valid-lifetime 86400
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
#
#
interface Vlan-interface100
description SW1
ipv6 address 2001:DB8:1234:F100::1/126
ipv6 address FE80::F100:1 link-local
ip address 192.0.2.62 255.255.255.192
local-proxy-arp enable
#
#
interface Vlan-interface101
description SW1_01_CUSTOMER
ipv6 nd ra prefix 2001:DB8:1234:F101::/64 86400 3600
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
ipv6 neighbors max-learning-num 20
ipv6 address 2001:DB8:1234:F101::1/64
ipv6 address FE80::F101:1 link-local
ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
#
The above gives that for IPv4 the design is (that is ethertype of the packet is identified by Protocol-VLAN and put in the correct VLAN):
All clients in SW1 are on the same VLAN (100) but port-isolate along with local-proxy-arp makes sure the clients cannot speak directly to each other (the packets must pass R1/the uplink). This way the clients are isolated against each other at L2 level but can still communicate with each other at L3 (if you wish).
While for IPv6 the design is (again, Protocol-VLAN applies its magic):
Each client is in their own VLAN (101 to 148 depending on which physical interface they are connected to). This also gives that the majority of the IPv6 security issues are now isolated away - its only equipment from the same client which exists on the same VLAN. This also gives that the client can now choose from using static ip, SLAAC or DHCPv6 (along with DHCPv6-PD when HP fixes the reported bug regarding routing is not properly updated when the internal DHCP6-server servces a PD to the client).
Like a win-win situation =)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2014 08:37 AM
06-07-2014 08:37 AM
Re: Port Security on A5500
For SAVI, the clients don´t need any support. That´s switch/DHCP magic.Did I miss something?
Hm, first you "port-isolate" the clients and afterwards "proxy-arp". I actually nevery tried that one. This works as expected? I really have to try out this myself...
I´m actually asking myself what traffic you filter with 3101 on IP/IPv6.
I once started with filtering all variants of IPv6/ICMPv6/RA till I tried out THC...and had a "not supported by hardware" for IPv6 ACLs...
What do you filter on IPv4?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2014 09:29 AM
06-07-2014 09:29 AM
Re: Port Security on A5500
Port-isolate and local-proxy-arp has only effect on IPv4 traffic in my case (thanks to Protocol-VLAN). That is because with IPv4 all clients are on the same VLAN but port-isolate isolates them on L2 level. That is they are only allowed to speak to uplink. The switch the clients are connected to is a A5120EI.
Then on the uplink sits a A5820 acting as a router. The A5820 has an ip set on interface vlan 100, this ip is what the clients will use as default gateway.
client(s) <-> A5120 (SWx, acting L2-device) <-> A5820 (Rx, acting L3-device)
The local-proxy-arp will arp the mac of A5820 in case it see a request from the A5120 asking for "who has ip <clientX>". Local-proxy-arp will only proxy-arp for the range configured on the int vlan 100 (compared to a regular proxy-arp who proxy-arps for any request).
This way clientX at SW1 who arps for "who has ip <clientY>" will get a response from A5820 saying "I have ip <clientY>, my mac is <mac of A5820>". ClientX sends then the packets to A5820 (which it thinks is clientY), A5820 will then send the packet to the true clientY by returning the packet on the same interface. If you dont wish this you can setup an ACL to block this (and disable local-proxy-arp).
The ACLs on each physical interface towards the client(s) will filter based on sourceip basically.
For example client connected to gi 1/0/1 is only allowed to use IPv4 192.0.2.1, client on gi 1/0/2 is only allowed to use IPv4 192.0.2.2 etc (of course these ip addresses are just examples).
The same goes for IPv6 but here I allow the DHCP6 stuff, link local stuff with /64 mask along with the global unicast address assigned to this client (both the /64 announced through SLAAC but also the additional /56 being routed towards the client).
Then on the infrastructure ACLs (ACL sitting on the interfaces between switch/routers) I filter whole nets along with which ports I wish to drop. For example dropping incoming RFC1918 traffic on uplink towards Internet, along with stuff such as TCP/UDP 135-139, 445, 1900 and whatever you might dislike :-)
So far roughly 10% of our customers use IPv6 (intentionally or not =) while looking at the dropped packets like TCP/UDP 135-139 there are far more evil clients out on the Internet using IPv4 than using IPv6... so far at least... but this will change as more and more clients start to use IPv6.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-27-2014 07:58 AM
06-27-2014 07:58 AM
Re: Port Security on A5500
I ended up using the below and it seems to be working:
interface GigabitEthernet7/0/21
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable
speed auto 10 100
poe enable
stp edged-port enable
qos trust dscp
port-security max-mac-count 3
port-security port-mode autolearn
port-security intrusion-mode blockmac
port-security mac-address dynamic
port-security mac-address aging-type inactivity
However, just using something like "mac-address max-mac-count 3" sure seems easier. What are the drawbacks and advtanges of either way?