H3C S5500-SI Series Ethernet Switches Operation Manual (V1.01)
Table of Contents
Chapter 1 Port Security Configuration
1.1 Introduction to Port Security
1.1.1 Port Security Overview
1.1.2 Port Security Features
1.1.3 Port Security Modes
1.2 Port Security Configuration Task List
1.3 Enabling Port Security
1.3.1 Configuration Prerequisites
1.3.2 Configuration Procedure
1.4 Setting the Maximum Number of Secure MAC Addresses
1.5 Setting the Port Security Mode
1.5.1 Enabling the autoLearn Mode
1.5.2 Enabling the userLoginWithOUI Mode
1.5.3 Enabling any other Port Security Mode
1.6 Configuring Port Security Features
1.6.1 Configuring NTK
1.6.2 Configuring Intrusion Protection
1.6.3 Configuring Trapping
1.7 Configuring Secure MAC Addresses
1.7.1 Configuration Prerequisites
1.7.2 Configuration Procedure
1.8 Ignoring the Authorization Information from the Server
1.9 Displaying and Maintaining Port Security
1.10 Port Security Configuration Examples
1.10.1 Port Security Configuration for autoLearn Mode
1.10.2 Port Security Configuration for userLoginWithOUI Mode
1.10.3 Port Security Configuration for macAddressElseUserLoginSecure Mode
1.11 Troubleshooting Port Security
1.11.1 Cannot Set the Port Security Mode
1.11.2 Cannot Configure Secure MAC Addresses
1.11.3 Cannot Change Port Security Mode When a User Is Online
Chapter 1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
- Introduction to Port Security
- Port Security Configuration Task List
- Displaying and Maintaining Port Security
- Port Security Configuration Examples
- Troubleshooting Port Security
1.1 Introduction to Port Security
1.1.1 Port Security Overview
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of inbound frames, and it controls access to unauthorized devices by checking the destination MAC address of outbound frames.
With port security, you can define various port security modes to make a device learn only legal source MAC addresses, so that you can implement different network security management as needed. When a port security-enabled device detects an illegal frame, it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces your maintenance workload and greatly enhances system security.
The following types of frames are classified as illegal:
- Received frames with unknown source MAC addresses when MAC address learning is disabled.
- Received frames with unknown source MAC addresses when the number of MAC addresses learned by the port has already reached the upper limit.
- Frames from unauthenticated users.
1.1.2 Port Security Features
I. NTK
The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic.
II. Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action upon detecting an illegal frame. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the offending MAC address for three minutes (this duration is not configurable).
III. Trap
The trap feature enables the device to send trap messages upon detecting specified frames that result from, for example, intrusion or user login/logout operations, helping you monitor special activities.
1.1.3 Port Security Modes
Table 1-1 details the port security modes.

Security mode | Description | Features
---|---|---
noRestrictions | Port security is disabled on the port and access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered.
autoLearn | In this mode, a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. When the number of secure MAC addresses reaches the upper limit, the port changes to work in secure mode. | In either of these two modes, the device will trigger NTK and intrusion protection upon detecting an illegal frame.
secure | In this mode, a port is disabled from learning MAC addresses and permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. | Same as autoLearn.
userLogin | In this mode, a port performs 802.1x authentication of users in portbased mode. | In this mode, neither NTK nor intrusion protection will be triggered.
userLoginSecure | In this mode, a port performs 802.1x authentication of users in portbased mode and services only one user passing 802.1x authentication. | In any of the modes from userLoginSecure to macAddressElseUserLoginSecureExt, the device will trigger NTK and intrusion protection upon detecting an illegal frame.
userLoginWithOUI | Similar to the userLoginSecure mode, a port in this mode performs 802.1x authentication of users and services only one user passing 802.1x authentication. Frames whose source MAC address has a specified OUI (organizationally unique identifier) are also allowed on the port. | Same as userLoginSecure.
macAddressWithRadius | In this mode, a port performs MAC authentication of users. | Same as userLoginSecure.
macAddressOrUserLoginSecure | This mode is the combination of the userLoginSecure and macAddressWithRadius modes, with 802.1x authentication having a higher priority. The port performs MAC authentication upon receiving non-802.1x frames, and performs 802.1x authentication first upon receiving 802.1x frames. If 802.1x authentication fails, the port performs MAC authentication. | Same as userLoginSecure.
macAddressElseUserLoginSecure | This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1x frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1x frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1x authentication. | Same as userLoginSecure.
userLoginSecureExt | In this mode, a port performs 802.1x authentication of users in macbased mode and supports multiple concurrent users. | Same as userLoginSecure.
macAddressOrUserLoginSecureExt | This mode is similar to macAddressOrUserLoginSecure mode. The difference is that this mode allows a port to support multiple 802.1x and MAC authentication users. | Same as userLoginSecure.
macAddressElseUserLoginSecureExt | This mode is similar to macAddressElseUserLoginSecure mode. The difference is that this mode allows a port to support multiple 802.1x and MAC authentication users. | Same as userLoginSecure.
Note:
- Currently, port security supports two authentication methods: 802.1x and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods.
- The maximum number of authenticated users that a port can support is the smaller of the maximum number of secure MAC addresses and the maximum number of concurrent users that the mode of the port supports.
1.2 Port Security Configuration Task List
Complete the following tasks to configure port security:
Task | Remarks
---|---
Enabling Port Security | Required
Setting the Maximum Number of Secure MAC Addresses | Optional
Setting the Port Security Mode | Required
Configuring Port Security Features | Optional. Choose one or more features as required.
Configuring Secure MAC Addresses | Optional
Ignoring the Authorization Information from the Server | Optional
1.3 Enabling Port Security
1.3.1 Configuration Prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.
1.3.2 Configuration Procedure
Follow these steps to enable port security:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enable port security | port-security enable | Required. Disabled by default.
Note that:
1) Enabling port security resets the following configurations on a port to the defaults shown in parentheses, making them depend completely on the port security mode:
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
2) Disabling port security resets the following configurations on a port to the defaults shown in parentheses:
- Port security mode (noRestrictions)
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
3) Port security cannot be disabled if there is any user present on a port.
Note:
For configuration information about 802.1x authentication and MAC authentication, refer to 802.1x-HABP-MAC Authentication Configuration.
1.4 Setting the Maximum Number of Secure MAC Addresses
With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the specified upper limit.
By setting the maximum number of secure MAC addresses allowed on a port, you can:
- Control the maximum number of users who are allowed to access the network through the port
- Control the number of secure MAC addresses that can be added with port security
This setting is different from the maximum number of MAC addresses that can be learned by the port in MAC address management.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Set the maximum number of secure MAC addresses allowed on the port | port-security max-mac-count count-value | Required. Not limited by default.
1.5 Setting the Port Security Mode
Before setting the port security mode, ensure that:
- 802.1x is disabled, the port access control method is macbased, and the port access control mode is auto.
- MAC authentication is disabled.
Otherwise, you will see an error message and your configuration will fail.
Conversely, after setting the port security mode on a port, you cannot change any of the above configurations.
Note:
- With port security disabled, you can configure the port security mode but your configuration does not take effect.
- With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. You can use the undo port-security port-mode command to restore the default port security mode.
- You cannot change the port security mode of a port when any user is present on the port.
- Port security mode and link aggregation are mutually exclusive. You cannot configure both of them on a port.
1.5.1 Enabling the autoLearn Mode
I. Configuration prerequisites
Before enabling the autoLearn mode, you need to set the maximum number of secure MAC addresses allowed on the port.
II. Configuration procedure
Follow these steps to enable the autoLearn mode:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Enable the autoLearn mode | port-security port-mode autolearn | Required. By default, a port operates in noRestrictions mode.
Note:
When a port operates in autoLearn mode, you cannot change the maximum number of secure MAC addresses allowed on the port.
1.5.2 Enabling the userLoginWithOUI Mode
In userLoginWithOUI mode, a port supports one 802.1x user as well as users whose MAC addresses have an OUI value among the specified ones.
Follow these steps to enable the userLoginWithOUI mode:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Set an OUI value for user authentication | port-security oui oui-value index index-value | Optional. Not configured by default.
Enter Ethernet port view | interface interface-type interface-number | —
Enable the userLoginWithOUI mode | port-security port-mode userlogin-withoui | Required. By default, a port operates in noRestrictions mode.
Note:
- An organizationally unique identifier (OUI), the left-most 24 bits of a MAC address, is a globally unique identifier assigned by IEEE to a certain manufacturer.
- You can configure multiple OUI values.
1.5.3 Enabling any other Port Security Mode
Follow these steps to enable any other port security mode:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Set the port security mode | port-security port-mode { mac-authentication \| mac-else-userlogin-secure \| mac-else-userlogin-secure-ext \| secure \| userlogin \| userlogin-secure \| userlogin-secure-ext \| userlogin-secure-or-mac \| userlogin-secure-or-mac-ext } | Required. By default, a port operates in noRestrictions mode.
Note:
On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1x authentication for the same frame fail.
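The authentication order that the combination modes apply, and the point in the note above at which intrusion protection is triggered, is easy to misread from the mode table. The following Python model is an added example and not H3C code: the Frame fields and the RADIUS verdicts are assumed test inputs, and the model only looks at a frame from a source that has not yet authenticated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """A frame from a not-yet-authenticated source (constructed test input)."""
    is_dot1x: bool      # True for an 802.1x (EAPOL) frame, False for any other frame
    mac_auth_ok: bool   # assumed verdict the RADIUS server gives for MAC authentication
    dot1x_ok: bool      # assumed verdict for 802.1x authentication


def _methods(mode, is_dot1x):
    """Which methods the port tries for this frame, in order, for the given mode.
    The Ext variants differ only in the number of users, not in the ordering."""
    base = mode[:-3] if mode.endswith("Ext") else mode
    if base == "macAddressOrUserLoginSecure":
        # 802.1x has priority: 802.1x frames try 802.1x first, then MAC authentication;
        # any other frame gets MAC authentication only.
        return ["dot1x", "mac"] if is_dot1x else ["mac"]
    if base == "macAddressElseUserLoginSecure":
        # MAC authentication has priority: it always runs first; an 802.1x frame
        # falls back to 802.1x only after MAC authentication fails.
        return ["mac", "dot1x"] if is_dot1x else ["mac"]
    if base == "macAddressWithRadius":
        return ["mac"]
    if base == "userLoginSecure":
        return ["dot1x"] if is_dot1x else []
    raise ValueError("mode not modelled here: " + mode)


def authenticate(mode, frame):
    """Return (method that admitted the user, or None, intrusion_triggered)."""
    for method in _methods(mode, frame.is_dot1x):
        passed = frame.dot1x_ok if method == "dot1x" else frame.mac_auth_ok
        if passed:
            return method, False
    # Every applicable method failed (or none applied): the frame is illegal,
    # so NTK and intrusion protection are triggered.
    return None, True
```

With the Else modes a non-802.1x frame never reaches 802.1x authentication, so a failed MAC authentication on such a frame is immediately an intrusion; only an 802.1x frame gets the second chance the note describes.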
1.6 Configuring Port Security Features
1.6.1 Configuring NTK
Follow these steps to configure the NTK feature:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure the NTK feature | port-security ntk-mode { ntk-withbroadcasts \| ntk-withmulticasts \| ntkonly } | Required. By default, NTK is disabled on a port and all frames are allowed to be sent.
1.6.2 Configuring Intrusion Protection
Follow these steps to configure the intrusion protection feature:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure the intrusion protection feature | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | Required. By default, intrusion protection is disabled.
Return to system view | quit | —
Set the silence timeout during which a port remains disabled | port-security timer disableport time-value | Optional. 20 seconds by default.
Note:
If you configure the port-security intrusion-mode command with the disableport-temporarily keyword, you can use the port-security timer disableport command to set the silence timeout during which a port remains disabled.
1.6.3 Configuring Trapping
Follow these steps to configure port security trapping:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enable port security traps | port-security trap { addresslearned \| dot1xlogfailure \| dot1xlogoff \| dot1xlogon \| intrusion \| ralmlogfailure \| ralmlogoff \| ralmlogon } | Required. By default, no port security trap is enabled.
1.7 Configuring Secure MAC Addresses
Secure MAC addresses are special MAC addresses. They never age out or get lost if saved before the device restarts. One secure MAC address can be added to only one port in the same VLAN. Thus, you can bind a MAC address to one port in the same VLAN.
Secure MAC addresses can be learned by a port working in autoLearn mode. You can also manually configure them through the command line interface (CLI) or management information base (MIB).
1.7.1 Configuration Prerequisites
- Enable port security
- Set the maximum number of secure MAC addresses allowed on the port
- Set the port security mode to autoLearn
1.7.2 Configuration Procedure
Follow these steps to configure a secure MAC address:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Configure a secure MAC address in system view | port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id | Required. Use either approach. No secure MAC address is configured by default.
Enter Ethernet port view | interface interface-type interface-number | —
Configure a secure MAC address in Ethernet port view | port-security mac-address security mac-address vlan vlan-id | Required. Use either approach.
Note:
The configured secure MAC addresses are saved in the configuration file and will not get lost when the port goes up or down. After you save the configuration file, the secure MAC addresses saved in it are retained even after the device restarts.
1.8 Ignoring the Authorization Information from the Server
After an 802.1x user or MAC authenticated user passes RADIUS authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Ignore the authorization information from the RADIUS server | port-security authorization ignore | Required. By default, a port uses the authorization information from the RADIUS server.
1.9 Displaying and Maintaining Port Security
To do… | Use the command… | Remarks
---|---|---
Display port security configuration information, operation information, and statistics about one or more ports or all ports | display port-security [ interface interface-list ] | Available in any view
Display information about secure MAC addresses | display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | Available in any view
Display information about blocked MAC addresses | display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | Available in any view
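As an added example (not from the manual or from H3C), the following Python script parses the output format of display port-security interface shown in the configuration examples later in this chapter and flags settings that leave a port weakly protected: no intrusion protection action, traps off, an unlimited secure MAC count, NTK off, or a secure MAC count that has already reached its limit. The sample output is constructed, and the finding codes are this script's own.

```python
import re

# Constructed sample, modelled on the "display port-security interface" output
# format shown in this chapter's configuration examples; not captured from a device.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
"""

# One regex per field. The trap line reads "Trap is ..." when no trap is enabled
# and "Intrusion trap is ..." after "port-security trap intrusion".
FIELDS = {
    "global_enabled": r"^Equipment port-security is (\w+)$",
    "trap": r"^(?:Intrusion )?[Tt]rap is (\w+)$",
    "disableport_timeout": r"^Disableport Timeout: (\d+)s$",
    "port": r"^(\S+) is link-(?:up|down)$",
    "mode": r"^Port mode is (\w+)$",
    "ntk": r"^NeedToKnow mode is (\w+)$",
    "intrusion": r"^Intrusion Protection mode is (\w+)$",
    "max_mac": r"^Max MAC address number is (.+)$",
    "stored_mac": r"^Stored MAC address number is (\d+)$",
}


def parse_port_security(text):
    """Return a dict of the fields found in one port's display output."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                info[name] = m.group(1)
                break
    info["global_enabled"] = info.get("global_enabled") == "enabled"
    info["disableport_timeout"] = int(info.get("disableport_timeout", 0))
    info["stored_mac"] = int(info.get("stored_mac", 0))
    return info


def audit(info):
    """Return sorted finding codes for settings that weaken the port's protection."""
    findings = set()
    if not info["global_enabled"]:
        findings.add("port-security-disabled")
    if info.get("mode") == "noRestrictions":
        findings.add("mode-norestrictions")       # access to the port is unrestricted
    if info.get("intrusion") == "NoAction":
        findings.add("intrusion-protection-disabled")  # illegal frames trigger no action
    if info.get("trap") != "enabled":
        findings.add("trap-disabled")             # violations are not reported
    if info.get("max_mac") == "not configured":
        findings.add("max-mac-count-unlimited")   # no cap on users/secure MACs
    if info.get("ntk") == "disabled":
        findings.add("ntk-disabled")              # outbound frames reach unauthenticated devices
    max_mac = info.get("max_mac", "")
    if max_mac.isdigit() and info["stored_mac"] >= int(max_mac):
        findings.add("secure-mac-limit-reached")  # an autoLearn port has gone secure
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE_OUTPUT)
    print(parsed["port"], parsed["mode"], audit(parsed))
```

Run the parser over the output of display port-security for every access port and the finding list becomes a quick configuration audit; a port in autoLearn mode that reports secure-mac-limit-reached is one that will now treat any new MAC address as an intrusion.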
1.10 Port Security Configuration Examples
1.10.1 Port Security Configuration for autoLearn Mode
I. Network requirements
Restrict port GigabitEthernet 1/0/1 of the switch as follows:
- Allow up to 64 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as secure MAC addresses.
- After the number of secure MAC addresses reaches 64, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.
II. Network diagram
Figure 1-1 Network diagram for port security configuration for autoLearn mode
III. Configuration procedure
1) Configure port security
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Enable intrusion protection trap.
[Switch] port-security trap intrusion
[Switch] interface gigabitethernet 1/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet1/0/1] quit
[Switch] port-security timer disableport 30
2) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Intrusion trap is enabled
Disableport Timeout: 30s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is autoLearn
NeedToKnow mode is disabled
Intrusion Protection mode is DisablePortTemporarily
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the intrusion protection trap is enabled, and the intrusion protection action is to disable the port temporarily (DisablePortTemporarily) for 30 seconds.
You can also use the above command repeatedly to track the number of MAC addresses learned by the port, or use the display this command in Ethernet port view to display the secure MAC addresses learned, as shown below:
<Switch> system-view
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security 0002-0000-0015 vlan 1
port-security mac-address security 0002-0000-0014 vlan 1
port-security mac-address security 0002-0000-0013 vlan 1
port-security mac-address security 0002-0000-0012 vlan 1
port-security mac-address security 0002-0000-0011 vlan 1
#
Issuing the display port-security interface command after the number of MAC addresses learned by the port reaches 64, you will see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you will see trap messages as follows:
#May 2 03:15:55:871 2000 Switch PORTSEC/1/VIOLATION:Traph3cSecureViolation
A intrusion occurs!
IfIndex: 9437207
Port: 9437207
MAC Addr: 0.2.0.0.0.21
VLAN ID: 1
IfAdminStatus: 1
In addition, you will see that the port security feature has disabled the port if you issue the following command:
<Switch-GigabitEthernet1/0/1> display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: Port Security Disabled
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet1/0/1 Interface
......
The port should be re-enabled 30 seconds later.
[Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet1/0/1 Interface
......
Now, if you manually delete several secure MAC addresses, the port security mode of the port will be restored to autoLearn, and the port will be able to learn MAC addresses again.
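The sequence just described (learning up to the limit, switching to secure mode, intrusion protection silencing the port, and manual deletion of secure MAC addresses returning the port to autoLearn) can be modelled in a few dozen lines. The following Python class is an added example, not H3C code; it assumes integer timestamps in seconds, applies the fixed three-minute block of the blockmac action and the disableport timer from section 1.6.2, and leaves out VLANs and the trap format.

```python
class AutoLearnPort:
    """Model of one port in autoLearn mode (added example, not H3C code)."""

    BLOCKMAC_SECONDS = 180  # blockmac blocks the offending MAC for three minutes (fixed)

    def __init__(self, max_mac_count, intrusion_mode="disableport-temporarily",
                 disableport_timeout=20, static_macs=()):
        self.max_mac_count = max_mac_count                # port-security max-mac-count
        self.intrusion_mode = intrusion_mode              # blockmac | disableport | disableport-temporarily
        self.disableport_timeout = disableport_timeout    # port-security timer disableport
        self.static_macs = set(static_macs)               # mac-address static entries, always permitted
        self.secure_macs = []                             # learned secure MAC addresses
        self.mode = "autoLearn"
        self.disabled = False                             # set by disableport (permanent)
        self.disabled_until = None                        # set by disableport-temporarily
        self.blocked = {}                                 # mac -> time the blockmac entry expires
        self.traps = []                                   # (time, mac) intrusion events

    def receive(self, src_mac, now):
        """Handle an inbound frame at time `now` (seconds); return what happened to it."""
        if self.disabled:
            return "dropped: port disabled"
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "dropped: port silent"
            self.disabled_until = None                    # silence timeout elapsed, port re-enabled
        if src_mac in self.blocked:
            if now < self.blocked[src_mac]:
                return "dropped: mac blocked"
            del self.blocked[src_mac]
        if src_mac in self.secure_macs or src_mac in self.static_macs:
            return "forwarded"
        if self.mode == "autoLearn":
            self.secure_macs.append(src_mac)              # learn it as a secure MAC address
            if len(self.secure_macs) >= self.max_mac_count:
                self.mode = "secure"                      # limit reached: learning stops
            return "learned"
        # Secure mode and unknown source: illegal frame, intrusion protection acts.
        self.traps.append((now, src_mac))
        if self.intrusion_mode == "blockmac":
            self.blocked[src_mac] = now + self.BLOCKMAC_SECONDS
        elif self.intrusion_mode == "disableport":
            self.disabled = True
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timeout
        return "dropped: intrusion"

    def delete_secure_mac(self, mac):
        """Manually remove a secure MAC; once below the limit the port learns again."""
        self.secure_macs.remove(mac)
        if len(self.secure_macs) < self.max_mac_count:
            self.mode = "autoLearn"
```

Note what the model makes visible: while a disableport-temporarily port is silent, frames from legitimate secure MAC addresses are dropped too, so one stray device can take the whole port offline for the timer period, whereas blockmac only affects the offending address. Choose the action with that trade-off in mind.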
1.10.2 Port Security Configuration for userLoginWithOUI Mode
I. Network requirements
The client is connected to the switch through port GigabitEthernet 1/0/1. The switch authenticates the client through the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the switch as follows:
- Allow only one 802.1x user to be authenticated.
- Allow up to 16 OUI values to be configured and allow one additional user whose MAC address has an OUI among the configured ones to access the port.
II. Network diagram
Figure 1-2 Network diagram for port security configuration for userLoginWithOUI mode
III. Configuration procedure
Note:
- The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA-RADIUS-HWTACACS Configuration.
- Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
# Create a RADIUS scheme named radsun.
<Switch> system-view
[Switch] radius scheme radsun
# Set the IP addresses of the primary authentication and accounting servers to 192.168.1.1 and 192.168.1.2 respectively.
[Switch-radius-radsun] primary authentication 192.168.1.1
[Switch-radius-radsun] primary accounting 192.168.1.2
# Set the IP addresses of the secondary authentication and accounting servers to 192.168.1.2 and 192.168.1.1 respectively.
[Switch-radius-radsun] secondary authentication 192.168.1.2
[Switch-radius-radsun] secondary accounting 192.168.1.1
# Set the encryption key for the switch to use when interacting with the authentication server to name.
[Switch-radius-radsun] key authentication name
# Set the encryption key for the switch to use when interacting with the accounting server to money.
[Switch-radius-radsun] key accounting money
# Set the RADIUS server response timeout time to five seconds and the maximum number of RADIUS packet retransmission attempts to 5.
[Switch-radius-radsun] timer response-timeout 5
[Switch-radius-radsun] retry 5
# Set the interval at which the switch sends real-time accounting packets to the RADIUS server to 15 minutes.
[Switch-radius-radsun] timer realtime-accounting 15
# Specify that the switch sends user names without domain names to the RADIUS server.
[Switch-radius-radsun] user-name-format without-domain
[Switch-radius-radsun] quit
# Create an ISP domain named sun and enter its view.
[Switch] domain sun
# Configure the ISP domain to use RADIUS scheme radsun as its default RADIUS scheme.
[Switch-isp-sun] authentication default radius-scheme radsun
# Allow the ISP domain to accommodate up to 30 users.
[Switch-isp-sun] access-limit enable 30
[Switch-isp-sun] quit
2) Configure port security
# Enable port security.
[Switch] port-security enable
# Add five OUI values.
[Switch] port-security oui 1234-0100-1111 index 1
[Switch] port-security oui 1234-0200-1111 index 2
[Switch] port-security oui 1234-0300-1111 index 3
[Switch] port-security oui 1234-0400-1111 index 4
[Switch] port-security oui 1234-0500-1111 index 5
[Switch] interface gigabitethernet 1/0/1
# Set the port security mode to userLoginWithOUI.
[Switch-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
3) Verify the configuration
After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
<Switch> display radius scheme radsun
SchemeName = radsun
Index = 0 Type = standard
Primary Auth IP = 192.168.1.1 Port = 1812 State = active
Primary Acct IP = 192.168.1.2 Port = 1813 State = active
Second Auth IP = 192.168.1.2 Port = 1812 State = active
Second Acct IP = 192.168.1.1 Port = 1813 State = active
Auth Server Encryption Key = name
Acct Server Encryption Key = money
Accounting-On packet disable, send times = 5 , interval = 3s
Interval for timeout(second) = 5
Retransmission times for timeout = 5
Interval for realtime accounting(minute) = 15
Retransmission times of realtime-accounting packet = 5
Retransmission times of stop-accounting packet = 500
Quiet-interval(min) = 5
Username format = without-domain
Data flow unit = Byte
Packet unit = one
Use the following command to view the configuration information of the ISP domain named sun:
<Switch> display domain sun
Domain = sun
State = Active
Access-limit = 30
Accounting method = Required
Default authentication scheme : radius=radsun
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 123401
Index is 2, OUI value is 123402
Index is 3, OUI value is 123403
Index is 4, OUI value is 123404
Index is 5, OUI value is 123405
GigabitEthernet1/0/1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
After an 802.1x user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1x users:
<Switch> display dot1x interface gigabitethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30 m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Guest VLAN: 0
Max number of on-line users is 256
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. You can use the following command to view the related information:
<Switch> display mac-address interface gigabitethernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
1234-0300-0011 1 Learned GigabitEthernet1/0/1 AGING
--- 1 mac address(es) found ---
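Two details of the output above are worth encoding: the device keeps only the left-most 24 bits of each port-security oui value (1234-0300-1111 is displayed as 123403), and the PORTSEC trap in section 1.10.1 prints the offending MAC in dotted decimal (0.2.0.0.0.21 is 0002-0000-0015). The following Python helpers are an added example, not H3C code; the OuiTable and UserLoginWithOuiPort classes are this example's own names, and the port model follows section 1.5.2 (one 802.1x user plus users whose OUI is in the list).

```python
import re


def mac_to_int(mac):
    """Accept 'xxxx-xxxx-xxxx' (H3C), 'xx:xx:xx:xx:xx:xx' or bare hex; return the 48-bit value."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: " + mac)
    return int(digits, 16)


def to_h3c(value):
    """Format a 48-bit integer in H3C notation, e.g. 0x000200000015 -> '0002-0000-0015'."""
    h = "%012x" % value
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def oui_of(mac):
    """The left-most 24 bits; the device keeps only these from a port-security oui value."""
    return "%06x" % (mac_to_int(mac) >> 24)


def trap_mac_to_h3c(dotted):
    """Convert the dotted-decimal MAC of a PORTSEC trap ('0.2.0.0.0.21') to '0002-0000-0015'."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal MAC: " + dotted)
    return to_h3c(int.from_bytes(bytes(octets), "big"))


class OuiTable:
    """The global OUI list used by userLoginWithOUI mode, keyed by index (example's own name)."""

    def __init__(self):
        self.entries = {}

    def add(self, oui_value, index):
        # 'port-security oui 1234-0300-1111 index 3' is displayed as 'OUI value is 123403':
        # only the 24-bit OUI of the given address is stored.
        self.entries[index] = oui_of(oui_value)

    def match(self, mac):
        """Return the index of the entry whose OUI matches `mac`, or None."""
        oui = oui_of(mac)
        for index, value in sorted(self.entries.items()):
            if value == oui:
                return index
        return None


class UserLoginWithOuiPort:
    """One 802.1x user plus users whose OUI is listed (example's own name)."""

    def __init__(self, table):
        self.table = table
        self.dot1x_user = None
        self.oui_users = set()

    def admit(self, mac, passed_dot1x):
        """Decide whether a source MAC may use the port; passed_dot1x is an assumed verdict."""
        mac = to_h3c(mac_to_int(mac))
        if passed_dot1x:
            if self.dot1x_user in (None, mac):
                self.dot1x_user = mac         # the single 802.1x slot
                return "802.1x"
            return "denied: 802.1x slot taken"
        if self.table.match(mac) is not None:
            self.oui_users.add(mac)           # admitted on OUI alone, no authentication
            return "oui"
        return "denied"
```

Because an OUI match admits a device without any authentication, the table is effectively an allow-list of manufacturers; anything that can present a MAC address with a listed prefix gets in, so keep the list short and review it with the same care as a static secure MAC binding.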
1.10.3 Port Security Configuration for macAddressElseUserLoginSecure Mode
I. Network requirements
The client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client through the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the switch as follows:
- Allow more than one MAC authenticated user to log on.
- For 802.1x users, perform MAC authentication first and then, if MAC authentication fails, 802.1x authentication. Allow only one 802.1x user to log on.
- For MAC-based authentication, allow usernames and passwords in self-defined formats. Set the total number of MAC authenticated users and 802.1x-authenticated users to 64.
- Enable NTK to prevent frames from being sent to unknown MAC addresses.
II. Network diagram
See Figure 1-2.
III. Configuration procedure
Note:
Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
The required RADIUS authentication/accounting configurations are the same as those in Port Security Configuration for userLoginWithOUI Mode.
2) Configure port security
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Configure a MAC authentication user, setting the user name and password to aaa and 123456 respectively.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
[Switch] interface gigabitethernet 1/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
3) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Use the following command to view MAC authentication information:
<Switch> display mac-authentication interface gigabitethernet 1/0/1
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:123456
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent MAC User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 3, failed: 1
Current online user number is 3
MAC Addr Authenticate State Auth Index
1234-0300-0011 MAC_AUTHENTICATOR_SUCCESS 13
1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS 14
1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS 15
Use the following command to view 802.1x authentication information:
<Switch> display dot1x interface gigabitethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30 m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Guest VLAN: 0
Max number of on-line users is 256
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
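When many access ports carry this configuration, checking each display by eye does not scale. The following script is an added example, not code from the H3C manual: it parses the text of display port-security interface into per-port settings and audits them against the policy intended above (macAddressElseUserLoginSecure, NeedToKnowOnly, 64 secure MAC addresses). SAMPLE_OUTPUT reproduces the GigabitEthernet1/0/1 block shown above; the GigabitEthernet1/0/2 block, the EXPECTED policy and the function names are this example's own assumptions, and the second port is deliberately left in noRestrictions to show how a non-compliant port is reported.

```python
"""Audit 'display port-security interface' output from an H3C S5500-SI.

Added example, not from the H3C manual.  The GigabitEthernet1/0/1 block is
the output shown in the manual; the GigabitEthernet1/0/2 block is constructed
here as a non-compliant port.  EXPECTED is an assumed policy.
"""
import re

SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
GigabitEthernet1/0/2 is link-up
Port mode is noRestrictions
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
"""

# Lines that appear once, before the first port block.
_GLOBAL_FIELDS = {
    "enabled": re.compile(r"^Equipment port-security is (\w+)$"),
    "trap": re.compile(r"^Trap is (\w+)$"),
    "disableport_timeout": re.compile(r"^Disableport Timeout: (\d+)s$"),
}
# A port block starts with "<interface> is link-up|link-down".
_PORT_HEADER = re.compile(r"^(\S+) is (link-up|link-down)$")
_PORT_FIELDS = {
    "mode": re.compile(r"^Port mode is (\S+)$"),
    "ntk": re.compile(r"^NeedToKnow mode is (\S+)$"),
    "intrusion": re.compile(r"^Intrusion Protection mode is (\S+)$"),
    "max_mac": re.compile(r"^Max MAC address number is (\d+)$"),
    "stored_mac": re.compile(r"^Stored MAC address number is (\d+)$"),
    "authorization": re.compile(r"^Authorization is (\w+)$"),
}
_INT_FIELDS = {"disableport_timeout", "max_mac", "stored_mac"}


def parse_port_security(text):
    """Return (global_settings, {interface: settings}) from the display output."""
    settings, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = _PORT_HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {"link": header.group(2)})
            continue
        fields = _GLOBAL_FIELDS if current is None else _PORT_FIELDS
        target = settings if current is None else current
        for key, pattern in fields.items():
            m = pattern.match(line)
            if m:
                value = m.group(1)
                target[key] = int(value) if key in _INT_FIELDS else value
                break
    return settings, ports


# Assumed policy for every access port, taken from the configuration example.
EXPECTED = {
    "mode": "macAddressElseUserLoginSecure",
    "ntk": "NeedToKnowOnly",
    "max_mac": 64,
}


def audit(text, expected=EXPECTED):
    """Return (severity, interface, message) findings; empty means compliant."""
    settings, ports = parse_port_security(text)
    findings = []
    if settings.get("enabled") != "enabled":
        findings.append(("fail", "-", "port security is not enabled globally"))
    if settings.get("trap") == "disabled":
        # Without port-security traps, violations are not reported over SNMP.
        findings.append(("warn", "-", "port-security traps are disabled"))
    for name, port in sorted(ports.items()):
        for key, want in expected.items():
            got = port.get(key)
            if got != want:
                findings.append(("fail", name, f"{key} is {got!r}, expected {want!r}"))
        # NoAction means the switch does nothing on an illegal frame; the
        # manual's intrusion protection section offers stronger responses.
        if port.get("intrusion") == "NoAction":
            findings.append(("warn", name, "intrusion protection is NoAction"))
    return findings


if __name__ == "__main__":
    for severity, interface, message in audit(SAMPLE_OUTPUT):
        print(f"{severity:4s} {interface:22s} {message}")
```

Feed it the saved output of display port-security (without an interface argument, the command lists every port) and the fail entries are the ports that drifted from the policy.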
1.11 Troubleshooting Port Security
1.11.1 Cannot Set the Port Security Mode
I. Symptom
Cannot set the port security mode.
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
II. Analysis
For a port working in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
III. Solution
Set the port security mode to noRestrictions first.
[Switch-GigabitEthernet1/0/1] undo port-security port-mode
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
1.11.2 Cannot Configure Secure MAC Addresses
I. Symptom
Cannot configure secure MAC addresses.
[Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
Error:Can not operate security MAC address for current port mode is not autoLearn!
II. Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
III. Solution
Set the port security mode to autoLearn. Because the autoLearn mode requires the maximum number of secure MAC addresses to be set beforehand, configure port-security max-mac-count before changing the mode.
[Switch-GigabitEthernet1/0/1] undo port-security port-mode
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
[Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
1.11.3 Cannot Change Port Security Mode When a User Is Online
I. Symptom
Port security mode cannot be changed when an 802.1x-authenticated or MAC authenticated user is online.
[Switch-GigabitEthernet1/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet1/0/1.
II. Analysis
Changing port security mode is not allowed when an 802.1x-authenticated or MAC authenticated user is online.
III. Solution
Use the cut connection command to forcibly disconnect the online users from the port, then change the port security mode.
[Switch-GigabitEthernet1/0/1] cut connection interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] undo port-security port-mode
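The three symptoms above are all ordering rules, and anyone pushing port security changes from a script hits them in combination. The following function is an added example, not code from the H3C manual: it encodes those rules (return to noRestrictions before entering another mode; set max-mac-count before autoLearn and add secure MAC addresses only in autoLearn; cut online users before any mode change) and emits the interface-view commands in the order the switch accepts them. The command strings are the ones shown in this chapter; PortState, plan_mode_change and the MODE_KEYWORD table are this example's own names, and the table lists only the modes used in this chapter's examples.

```python
"""Plan a port security mode change on an H3C S5500-SI access port.

Added example, not from the H3C manual.  It orders the commands so that none
of the three errors in the troubleshooting section occurs.  PortState,
plan_mode_change and MODE_KEYWORD are this example's own names.
"""

NO_RESTRICTIONS = "noRestrictions"
AUTO_LEARN = "autoLearn"

# Keyword that port-security port-mode takes, for the modes this chapter uses.
MODE_KEYWORD = {
    AUTO_LEARN: "autolearn",
    "macAddressElseUserLoginSecure": "mac-else-userlogin-secure",
}


class PortState:
    """What display port-security / display dot1x report about one port."""

    def __init__(self, interface, mode=NO_RESTRICTIONS, online_users=0,
                 max_mac_count=None):
        self.interface = interface          # e.g. "gigabitethernet 1/0/1"
        self.mode = mode
        self.online_users = online_users    # 802.1x and MAC-authenticated users
        self.max_mac_count = max_mac_count  # None: never configured


def plan_mode_change(state, target_mode, max_mac_count=None, secure_macs=()):
    """Return (commands, new_state) that move the port to target_mode.

    secure_macs holds (mac, vlan_id) pairs; the switch accepts them only in
    autoLearn mode.  Requests the switch would reject in any order raise
    ValueError instead of producing commands that fail half way through.
    """
    if target_mode != NO_RESTRICTIONS and target_mode not in MODE_KEYWORD:
        raise ValueError(f"unsupported port security mode: {target_mode}")
    if secure_macs and target_mode != AUTO_LEARN:
        raise ValueError("secure MAC addresses need autoLearn mode")
    new_max = max_mac_count if max_mac_count is not None else state.max_mac_count
    if target_mode == AUTO_LEARN and new_max is None:
        raise ValueError("autoLearn needs port-security max-mac-count first")

    changing_mode = state.mode != target_mode
    commands = []
    # 1.11.3: the mode cannot change while authenticated users are online.
    if state.online_users and changing_mode:
        commands.append(f"cut connection interface {state.interface}")
    # 1.11.1: leave the current mode via noRestrictions before entering another.
    if state.mode != NO_RESTRICTIONS and changing_mode:
        commands.append("undo port-security port-mode")
    # 1.11.2: max-mac-count must exist before autoLearn is enabled.
    if max_mac_count is not None and max_mac_count != state.max_mac_count:
        commands.append(f"port-security max-mac-count {max_mac_count}")
    if target_mode != NO_RESTRICTIONS and changing_mode:
        commands.append(f"port-security port-mode {MODE_KEYWORD[target_mode]}")
    for mac, vlan_id in secure_macs:
        commands.append(f"port-security mac-address security {mac} vlan {vlan_id}")

    online = 0 if changing_mode else state.online_users
    return commands, PortState(state.interface, target_mode, online, new_max)


if __name__ == "__main__":
    # Worst case from the troubleshooting section: a port in another mode with
    # a user online, to become autoLearn with one static secure MAC address.
    port = PortState("gigabitethernet 1/0/1",
                     mode="macAddressElseUserLoginSecure", online_users=1)
    cmds, _ = plan_mode_change(port, AUTO_LEARN, max_mac_count=64,
                               secure_macs=[("1-1-2", 1)])
    for cmd in cmds:
        print(f"[Switch-GigabitEthernet1/0/1] {cmd}")
```

Cutting the online users is the disruptive step, so a deployment script should surface the cut connection command (or run the plan in a maintenance window) rather than send it silently.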