HP A 5120 Manual

							 
141 
 MAC  learning  control—Includes  two  modes,  autoLearn  and  secure.  MAC  address  learning  is 
permitted on a port in autoLearn mode and disabled in secure mode.  
 Authentication—Security  modes  of  this  category  use  MAC  authentication,  802.1X  authentication, or 
their combinations to implement authentication. 
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC 
address.  If  a  match  is  found,  the  port  forwards  the  frame.  If  no  match  is  found,  the  port  learns  the  MAC 
address  or  performs  authentication,  depending  on  the  security  mode.  If  an  illegal  frame  or  event  is 
detected, the port takes the pre-defined NTK, intrusion protection, or trapping action. 
Table 10 describes the port security modes and the security features. 
Table 10 Port security modes 
On the port, if you want 
to… Use the security mode… Features that can 
be triggered 
Turn off the port security feature 
noRestrictions (the default mode) 
In this mode, port security is disabled on the port 
and access to the port is not restricted. 
— 
Control MAC address learning autoLearn NTK/intrusion 
protection secure 
Perform 802.1X authentication 
userLogin — 
userLoginSecure  
NTK/intrusion 
protection userLoginSecureExt 
userLoginWithOUI 
Perform MAC authentication macAddressWithRadius NTK/intrusion 
protection 
Perform a combination of MAC 
authentication and 802.1X 
authentication 
Or macAddressOrUserLoginSecure 
NTK/intrusion 
protection 
macAddressOrUserLoginSecureExt  
Else macAddressElseUserLoginSecure  
macAddressElseUserLoginSecureExt  
 TIP: 
These security mode naming rules may help you remember the modes: 
 userLogin specifies 802.1X authentication and port-based access control. 
 macAddress specifies MAC address authentication. 
 Else specifies that the authentication method before Else is applied first. If the authentication fails, whether 
to turn to the authentication method following Else depends on the protocol type of the authentication 
request. 
 In a security mode with Or, the authentication method to be used depends on the protocol type of the 
authentication request.  
 userLogin with Secure specifies 802.1X authentication and MAC-based access control. 
 Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security 
mode without Ext allows only one user to pass 802.1X authentication. 
 
Control MAC address learning 
1. autoLearn   
						

							 
142 
A  port  in  this  mode  can  learn  MAC  addresses,  and  allows  frames  from  learned  or  configured  MAC 
addresses to  pass.  The  automatically  learned  MAC  addresses  are  secure  MAC  addresses.  You  can  also 
configure  secure  MAC  addresses  by  using  the port-security  mac-address  security command.  A  secure 
MAC address never ages out by default. 
In  addition,  you  can  configure  MAC  addresses  manually  by  using  the mac-address  dynamic and mac-
address static commands for a port in autoLearn mode. 
When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode. 
On a  port  operating  in  autoLearn  mode,  the  dynamic  MAC  address  learning  function in  MAC  address 
management is disabled. 
2. secure 
MAC address learning is disabled on a port in secure mode. You can configure MAC addresses by using 
the mac-address static and mac-address dynamic commands. 
A port  in  secure  mode  allows  only  frames  sourced  from  secure  MAC  addresses  and  MAC  addresses 
manually configured to pass. 
Perform 802.1X authentication 
1. userLogin 
A port  in  this  mode  performs  802.1X  authentication  and  implements  port-based  access  control. The  port 
can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of 
the port can access the network without authentication. 
2. userLoginSecure 
A port in this mode performs 802.1X authentication and implements MAC-based access control. The port 
services only one user passing 802.1X authentication. 
3. userLoginSecureExt 
This  mode  is  similar  to  the userLoginSecure mode  except  that  this  mode supports  multiple online 802.1X 
users. 
4. userLoginWithOUI 
This  mode  is  similar  to  the userLoginSecure  mode. The difference  is  that  a  port  in  this  mode  also  permits 
frames from one user whose MAC address contains a specified organizationally unique identifier (OUI).  
For  wired  users,  the  port  performs  802.1X  authentication  upon  receiving  802.1X  frames,  and performs 
OUI check upon receiving non-802.1X frames.  
Perform MAC authentication 
macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.  
Perform a combination of MAC authentication and 802.1X authentication 
1. macAddressOrUserLoginSecure 
This mode is the combination of the macAddressWithRadius and userLoginSecure modes.  
For wired users, the  port  performs MAC  authentication upon  receiving non-802.1X frames and  performs 
802.1X authentication upon receiving 802.1X frames. 
2. macAddressOrUserLoginSecureExt 
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports 
multiple 802.1X and MAC authentication users.  
						

							 
143 
3. macAddressElseUserLoginSecure 
This mode  is  the  combination  of  the  macAddressWithRadius  and  userLoginSecure  modes,  with  MAC 
authentication having a higher priority as the Else keyword implies.  
For  non-802.1X  frames,  a  port  in  this  mode  performs  only  MAC  authentication.  For  802.1X  frames,  it 
performs MAC authentication and then, if the authentication fails, 802.1X authentication.  
4. macAddressElseUserLoginSecureExt 
This  mode  is  similar  to  the macAddressElseUserLoginSecure mode  except  that a  port  in  this  mode 
supports multiple 802.1X and MAC authentication users as the keyword Ext implies.  
 NOTE: 
 The maximum number of users a port supports equals the maximum number of secure MAC addresses or the 
maximum number of authenticated users the security mode supports, whichever is smaller.  
 For more information about configuring MAC address table entries, see the Layer 2—LAN Switching Command 
Reference.  
Support for guest VLAN and Auth-Fail VLAN 
An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication. An 802.1X Auth-Fail 
VLAN  or  a  MAC  authentication  guest  VLAN  is  the  VLAN  that  a  user  is  in  after  failing  authentication. 
Support for the guest VLAN and Auth-Fail VLAN features varies with security modes. 
 You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security 
modes  that  support  802.1X  authentication.  For  more  information  about  the  802.1X  guest  VLAN and 
Auth-Fail  VLAN  on  a  port  that  performs  MAC-based  access  control,  see the  chapter ―802.1X 
configuration.‖ 
 You  can  use  the  MAC  authentication  VLAN  feature  together  with  security  modes  that  support  MAC 
authentication.  For  more  information  about  the  MAC  authentication  guest  VLAN,  see the  chapter 
―MAC authentication configuration.‖  
 NOTE: 
If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port that 
performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.  
Port security configuration task list 
Complete the following tasks to configure port security: 
Task Remarks 
Enabling port security Required 
Setting the maximum number of secure MAC addresses Optional 
Setting the port security mode Required 
Configuring port security 
features 
Configuring NTK Optional 
Configure one or more 
features as required. 
Configuring intrusion protection 
Configuring port security traps 
Configuring secure MAC addresses Optional  
						

							 
144 
Task Remarks 
Ignoring authorization information from the server Optional 
 
Enabling port security 
Configuration prerequisites 
Disable 802.1X and MAC authentication globally.  
Configuration procedure 
Follow these steps to enable port security: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enable port security port-security enable Required 
Disabled by default. 
 
1. Enabling port security resets the following configurations on a port to the bracketed defaults. Then, 
values of these configurations cannot be changed manually; the system will adjust them based on 
the port security mode automatically: 
 802.1X (disabled), port access control method (macbased), and port authorization mode (auto) 
 MAC authentication (disabled) 
2. Disabling port security resets the following configurations on a port to the bracketed defaults: 
 Port security mode (noRestrictions) 
 802.1X (disabled), port access control method (macbased), and port authorization mode (auto) 
 MAC authentication (disabled) 
3. Port security cannot be disabled when a user is present on a port.  
 NOTE: 
 For more information about 802.1X configuration, see the chapter “802.1X configuration.”  
 For more information about MAC authentication configuration, see the chapter “MAC authentication 
configuration.”  
Setting the maximum number of secure MAC 
addresses 
The  maximum  number  of  users  a  port supports  in  a  port security mode  is  determined  by the  maximum 
number  of  secure  MAC  addresses  or  the  maximum  number  of  authenticated  users that the  security  mode 
supports, whichever is smaller. 
By  setting  the  maximum  number  of  MAC  addresses  allowed  on  a  port,  you  can implement  the  following 
control:  
						

							 
145 
 Control the number of secure MAC addresses that a port can learn for port security. 
 Control the maximum number of users who are allowed to access the network through the port. 
Follow these steps to set the maximum number of secure MAC addresses allowed on a port: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter Layer 2 Ethernet interface 
view 
interface interface-type interface-
number — 
Set the maximum number of 
secure MAC addresses allowed 
on a port 
port-security max-mac-count 
count-value 
Required 
Not limited by default 
 
 NOTE: 
This configuration is independent of the MAC learning limit described in MAC address table 
configuration in the Layer 2—LAN Switching Configuration Guide.  
Setting the port security mode 
Configuration prerequisites 
Before you set a port security mode for a port, complete the following tasks: 
 Disable 802.1X and MAC authentication. 
 Set the port to perform MAC-based access control, and set the port authorization mode to auto. 
 Check the port does not belong to any aggregation group. 
The  requirements  above  must  be  all  met. Otherwise, an  error  message appears  when you set  a  security 
mode  on  the  port.  On  the  other  hand,  after  setting a port  security  mode on  a  port,  you  cannot  change 
any of the configurations above. 
 Before  you  configure  the  port  to  operate  in  autoLearn  mode,  set  the  maximum  number  of secure 
MAC addresses allowed on a port.  
 NOTE: 
 With port security disabled, you can configure a port security mode, but your configuration does not take effect. 
 You cannot change the port security mode of a port with users online.  
Configuration procedure 
Follow these steps to enable any other port security mode: 
To do… Use the command… Remarks 
Enter system view system-view — 
Set an OUI value for user 
authentication 
port-security oui oui-value index 
index-value 
Optional 
Not configured by default. 
The command is required for the 
userlogin-withoui mode.  
						

							 
146 
To do… Use the command… Remarks 
Enter Layer 2 Ethernet 
interface view 
interface interface-type interface-
number — 
Set the port security mode 
port-security port-mode { autolearn | 
mac-authentication | mac-else-
userlogin-secure | mac-else-
userlogin-secure-ext | secure | 
userlogin | userlogin-secure | 
userlogin-secure-ext | userlogin-
secure-or-mac | userlogin-secure-or-
mac-ext | userlogin-withoui } 
Required 
By default, a port operates in 
noRestrictions mode. 
 
 NOTE: 
 When a port operates in autoLearn mode, the maximum number of secure MAC addresses cannot be changed.  
 An OUI, as defined by the IEEE, is the first 24 bits of the MAC address, which uniquely identifies a device 
vendor.  
 You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows only one 802.1X user 
and one user whose MAC address contains a specified OUI to pass authentication at the same time. 
 After enabling port security, you can change the port security mode of a port only when the port is operating in 
noRestrictions mode, the default mode. To change the port security mode for a port in any other mode, use the 
undo port-security port-mode command to restore the default port security mode first.  
Configuring port security features 
Configuring NTK 
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are 
forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is 
discarded. 
The NTK feature supports the following modes: 
 ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.  
 ntk-withbroadcasts—Forwards only broadcast  frames  and unicast frames  with authenticated 
destination MAC addresses.  
 ntk-withmulticasts—Forwards only broadcast  frames,  multicast  frames,  and unicast frames  with 
authenticated destination MAC addresses. 
Follow these steps to configure the NTK feature: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter Layer 2 Ethernet interface 
view 
interface interface-type interface-
number —  
						

							 
147 
To do… Use the command… Remarks 
Configure the NTK feature 
port-security ntk-mode { ntk-
withbroadcasts | ntk-
withmulticasts | ntkonly } 
Required 
By default, NTK is disabled on a 
port and all frames are allowed to 
be sent. 
 
 NOTE: 
Support for the NTK feature depends on the port security mode.  
Configuring intrusion protection 
Intrusion protection enables a device to take one of the following actions in response to illegal frames: 
 blockmac—Adds  the  source  MAC  addresses  of  illegal frames to  the  blocked  MAC  addresses list 
and  discards the frames. All  subsequent  frames sourced  from  a  blocked MAC  address will  be 
dropped.  A  blocked  MAC address  is  restored  to  normal state after  being  blocked for  three  minutes. 
The interval is fixed and cannot be changed. 
 disableport—Disables the port until you bring it up manually. 
 disableport-temporarily—Disables  the  port  for  a  specified  period  of time. The  period  can  be 
configured with the port-security timer disableport command. 
Follow these steps to configure the intrusion protection feature: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter Layer 2 Ethernet interface 
view 
interface interface-type interface-
number — 
Configure the intrusion protection 
feature 
port-security intrusion-mode { 
blockmac | disableport | 
disableport-temporarily } 
Required 
By default, intrusion protection is 
disabled. 
Return to system view quit — 
Set the silence timeout period 
during which a port remains 
disabled 
port-security timer disableport 
time-value 
Optional 
20 seconds by default 
 
 NOTE: 
On a port operating in either the macAddressElseUserLoginSecure mode or the 
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC 
authentication and 802.1X authentication for the same frame fail.  
Configuring port security traps 
You can configure the port security module to send traps for the following categories of events: 
 addresslearned—Learning of new MAC addresses. 
 dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X  authentication  failure/successful  802.1X 
authentication/802.1X user logoff.  
						

							 
148 
 ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication  failure/MAC  authentication  user 
logon/MAC authentication user logoff. 
 intrusion—Detection of illegal frames. 
Follow these steps to enable port security traps: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enable port security traps 
port-security trap { 
addresslearned | dot1xlogfailure 
| dot1xlogoff | dot1xlogon | 
intrusion | ralmlogfailure | 
ralmlogoff | ralmlogon } 
Required 
By default, port security traps are 
disabled. 
 
Configuring secure MAC addresses 
Secure  MAC  addresses are  MAC  addresses  configured  or  learned  in  autoLearn  mode.  They  can  survive 
link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only 
one port in a VLAN.  
Secure MAC addresses fall into static secure MAC addresses and sticky MAC addresses.  
Static  secure MAC  addresses  are  manually  configured  at  the  command  line  or  in  the  MIB  in  autoLearn 
mode.  No  aging  mechanism  is  available  for  this  type  of  MAC  address.  They  never  age  out  unless  you 
manually remove them, change the port security mode, or disable the port security feature. 
Sticky  MAC  addresses  include  dynamic  secure  MAC  addresses  manually  configured,  at  the  command 
line  interface  or  in  the  MIB,  and  dynamic  secure  MAC  addresses  learned  by  a  port  in  autoLearn  mode. 
These  MAC  addresses  are  sticky  because  unlike  normal  dynamic  MAC  addresses,  they  can  survive  link 
down/up events, and once saved, can survive a device reboot.  
By  default,  sticky  MAC  addresses  do  not  age  out. You  can  use the port-security  timer autolearn  aging 
command to  set  an aging  timer for  sticky  MAC  addresses. When  the  timer  expires, the sticky  MAC 
addresses  are  removed. This  aging  mechanism  prevents  the  unauthorized  use  of  a  sticky  MAC  address 
when  the  authorized  user  is  offline,  and  removes  outdated  secure  MAC  addresses  so  new  secure  MAC 
addresses can be learned.  
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, 
and no more secure MAC addresses can be added or learned. The port allows only frames sourced from 
a secure  MAC  address  or a MAC  address configured with  the mac-address  dynamic or mac-address 
static command to pass through. 
Configuration prerequisites 
 Enable port security. 
 Set port  security’s  limit  on the  number  of  MAC  addresses on the port.  Perform  this  task  before  you 
enable autoLearn mode.  
 Set the port security mode to autoLearn. 
Configuration procedure 
Follow these steps to configure a secure MAC address:  
						

							 
149 
To do… Use the command… Remarks 
Enter system view system-view — 
Set the sticky MAC aging timer port-security timer autolearn aging time-
value 
Optional 
By default, sticky MAC 
addresses do not age out, 
and you can remove them 
only by performing the 
undo port-security mac-
address security 
command, changing the 
port security mode, or 
disabling the port security 
feature. 
Configure a 
secure MAC 
address 
In system view 
port-security mac-address security [ sticky ] 
mac-address interface interface-type 
interface-number vlan vlan-id Required 
Use either approach 
No secure MAC address 
is configured by default. 
In Layer 2 
Ethernet 
interface view 
interface interface-type interface-number 
port-security mac-address security [ sticky ] 
mac-address vlan vlan-id 
 
Ignoring authorization information from the server 
The  authorization  information is  delivered  by  the  RADIUS  server to  the  device after an  802.1X user  or 
MAC  authenticated  user  passes  RADIUS  authentication.  You  can  configure  a  port  to  ignore  the 
authorization information from the RADIUS server.  
Follow these steps to configure a port to ignore the authorization information from the RADIUS server: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter Layer 2 Ethernet interface 
view 
interface interface-type interface-
number — 
Ignore the authorization 
information from the RADIUS 
server 
port-security authorization ignore 
Required 
By default, a port uses the 
authorization information from the 
RADIUS server. 
 
Displaying and maintaining port security 
To do… Use the command… Remarks 
Display port security configuration 
information, operation 
information, and statistics about 
one or more ports or all ports 
display port-security [ interface 
interface-list ] [ | { begin | 
exclude | include } regular-
expression ]  
Available in any view  
						

							 
150 
To do… Use the command… Remarks 
Display information about secure 
MAC addresses 
display port-security mac-address 
security [ interface interface-type 
interface-number ] [ vlan vlan-id ] 
[ count ] [ | { begin | exclude | 
include } regular-expression ]  
Available in any view 
Display information about 
blocked MAC addresses 
display port-security mac-address 
block [ interface interface-type 
interface-number ] [ vlan vlan-id ] 
[ count ] [ | { begin | exclude | 
include } regular-expression ] 
Available in any view 
 
Port security configuration examples 
Configuring the autoLearn mode 
Network requirements 
Configure port GigabitEthernet 1/0/1 on the switch: 
 Allow up to 64 users on the port without authentication. 
 Permit the port to learn and add the MAC addresses as sticky MAC address, and set the sticky MAC 
aging timer to 30 minutes.  
 After  the  number  of  secure  MAC  addresses  reaches  64,  the  port  stops  learning  MAC  addresses.  If 
any  frame  with  an  unknown  MAC  address  arrives,  intrusion  protection  is  triggered  and  the  port  is 
disabled and stays silent for 30 seconds.  
Figure 47 Network diagram for configuring the autoLearn mode 
 
 
Configuration procedure 
1. Configure port security. 
# Enable port security.  
 system-view 
[Switch] port-security enable 
# Set the sticky MAC aging timer to 30 minutes. 
[Switch] port-security timer autolearn aging 30 
# Enable port security traps for intrusion protection.  
[Switch] port-security trap intrusion 
[Switch] interface gigabitethernet 1/0/1 
# Set the maximum number of secure MAC addresses allowed on the port to 64. 
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 
# Set the port security mode to autoLearn.  Internet
SwitchHost 
GE1/0/1192.168.1.1/24