Port Security on A5500

Apachez-
Trusted Contributor

Re: Port Security on A5500

Using "mac-address max-mac-count" basically means that you limit how many mac-addresses can be learned for a particular interface. The interface will still forward traffic (both inbound and outbound) even if max-mac-count has been reached.

What this means is that when a frame arrives through the uplink, the switch doesn't have the mac-addresses in its mac-address-table, and by that the frame will be considered to be a DLF (Destination Lookup Failure). When a frame is classified as DLF it will be broadcast on all interfaces which belong to this particular VLAN except the interface where the frame arrived.

This way the control-plane will be protected (in terms of mac-stuff) so the whole switch will not become a hub (otherwise a single host could overflow the mac-address-table with thousands or tens of thousands of mac-addresses, which basically turns the switch into a hub due to the DLF stuff described above).

Port-security is more granular in what you can do once the max-limit is reached, for example shut down the interface for one minute or two, or permanently shut down the interface (so an admin must log in and "undo shutdown" the interface before it will start to forward frames again).

If I'm not mistaken "mac-address max-mac-count" will also reset the number of learned mac-addresses for a particular interface once the client disconnects, while port-security can be configured to "never forget".

Apachez-
Trusted Contributor
Solution

Re: Port Security on A5500

I went through the manual and came up with the following configuration, which should be sane if you want to use port-security automatically (that is, without having to manually add/remove allowed mac-addresses):


System-level:
port-security enable
port-security trap
port-security timer autolearn aging 5

Interface-level:
port-security intrusion-mode blockmac
port-security mac-address aging-type inactivity
port-security mac-address dynamic
port-security max-mac-count 10
port-security ntk-mode ntkonly
port-security port-mode autolearn

 

With the following comments:

System-level:

> port-security enable

This one is needed to enable port-security, otherwise interface-level configurations regarding port-security will be ignored (as I understand it).

> port-security trap

To get SNMP-traps when stuff happens with port-security. You can also limit this to only get for example intrusion traps. Default is no traps, so if you don't want traps then don't configure this.


> port-security timer autolearn aging 5

You need to configure this (the above means 5 mins, which matches regular mac-address learning, which is 300 seconds (= 5 mins)) if you want the "aging-type inactivity" to function, unless I misunderstood these lines from the manual?

"If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address. When you use an aging timer together with the inactivity aging function, the aging timer restarts once traffic data is detected from the sticky MAC address. The inactivity aging function prevents the unauthorized use of a secure MAC address when the authorized user is offline, and removes outdated secure MAC addresses so new secure MAC addresses can be learned."


Interface-level:

> port-security intrusion-mode blockmac

This will act as a srcmac filter. If the mac-address doesn't match the allowed list created by port-security the frame will be dropped. Other intrusion-modes are for example to shut down the interface, but that's more offensive against the user since that would affect all traffic, even already learned allowed mac-addresses.

> port-security mac-address aging-type inactivity

See comment above for "timer autolearn aging".

> port-security mac-address dynamic

Learned mac-addresses will be considered to be dynamic and not saved in the configuration file between reboots. However, if you manually configure a static entry, that static entry will survive reboots.

> port-security max-mac-count 10

Max number of learned mac-addresses allowed by port-security.

> port-security ntk-mode ntkonly

If "intrusion-mode blockmac" is for incoming frames on the interface, this is for outgoing frames:

"By default, NTK is disabled on a port and all frames are allowed to be sent. The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic."

However I'm not sure what the proper setting would be here when you use autolearning - anyone with experience with this? Or isn't NTK valid when you use autolearn?

> port-security port-mode autolearn

Basically how port-security should function. The above will basically be in passive mode, that is no 802.1x or mac-authentication is involved.

jkusner
Visitor

Re: Port Security on A5500

Thanks everyone for the feedback.

Apachez-
Trusted Contributor

Re: Port Security on A5500

Just a small addition:

It turns out that you can't just do "port-security trap" to enable all traps, you must enable each trap on its own - like so:

port-security trap intrusion
port-security trap addresslearned

Also, if you wish to use the ntk-feature, this setting (not confirmed) might be your best option if you also want to do IPv6 (which uses multicast instead of broadcast, as with IPv4, to perform neighbour detection etc.):

port-security ntk-mode ntk-withmulticasts
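Added example, not from the thread or from HPE: a small Python audit that checks a Comware-style configuration dump against the recipe in the solution post and the per-trap correction in this last post (system-level "port-security enable", both trap commands, the "timer autolearn aging" that inactivity aging depends on, and the interface-level settings on every autolearn port). The SAMPLE_CONFIG text is constructed and the function names are my own.

```python
# Added example (not from the thread): audit a Comware-style config dump for the
# port-security recipe the posts describe. SAMPLE_CONFIG is constructed text.

SAMPLE_CONFIG = """\
 port-security enable
 port-security trap intrusion
 port-security timer autolearn aging 5
#
interface GigabitEthernet1/0/1
 port-security intrusion-mode blockmac
 port-security mac-address aging-type inactivity
 port-security mac-address dynamic
 port-security max-mac-count 10
 port-security ntk-mode ntkonly
 port-security port-mode autolearn
#
"""

# Interface-level settings the thread applies to every autolearn port.
EXPECTED_IFACE = ("intrusion-mode", "mac-address aging-type", "mac-address dynamic", "max-mac-count", "ntk-mode")

def parse_config(text):
    # Returns (system_lines, {interface: lines}); system-level commands precede the first stanza.
    system, ifaces, current = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith("port-security "):
            (ifaces[current] if current else system).append(line[14:])  # drop "port-security "
    return system, ifaces

def audit(text):
    # Returns findings; an empty list means the dump matches the recipe.
    system, ifaces = parse_config(text)
    findings = []
    if "enable" not in system:
        findings.append("system: 'port-security enable' missing, interface settings ignored")
    for trap in ("intrusion", "addresslearned"):  # each trap is enabled on its own
        if f"trap {trap}" not in system:
            findings.append(f"system: 'port-security trap {trap}' not configured")
    has_timer = any(s.startswith("timer autolearn aging") for s in system)
    for name, cmds in ifaces.items():
        if "port-mode autolearn" not in cmds: continue  # only autolearn ports are in scope
        for key in EXPECTED_IFACE:
            if not any(c.startswith(key) for c in cmds):
                findings.append(f"{name}: 'port-security {key}' missing")
        if "mac-address aging-type inactivity" in cmds and not has_timer:
            findings.append(f"{name}: inactivity aging needs 'timer autolearn aging'")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the missing "port-security trap addresslearned", the point made in this post.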