HP 5500 Ei 5500 Si Switch Series Configuration Guide
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of the two.

Upon receiving a frame, a port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the pre-defined NTK, intrusion protection, or trapping action.

The maximum number of users a port supports equals the maximum number of MAC addresses that port security allows or the maximum number of concurrent users the authentication mode in use allows, whichever is smaller. For example, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses on the port in userLoginSecureExt mode, port security's limit takes effect.

Table 11 describes the port security modes and the security features they can trigger.

Table 11 Port security modes

  Purpose                                   Security mode                        Features that can be triggered
  Turning off the port security feature     noRestrictions (the default mode)    N/A
                                            (port security is disabled on the port and access to the port is not restricted)
  Controlling MAC address learning          autoLearn                            NTK/intrusion protection
                                            secure
  Performing 802.1X authentication          userLogin                            N/A
                                            userLoginSecure                      NTK/intrusion protection
                                            userLoginSecureExt
                                            userLoginWithOUI
  Performing MAC authentication             macAddressWithRadius                 NTK/intrusion protection
  Performing a combination of MAC           Or:
  authentication and 802.1X authentication    macAddressOrUserLoginSecure        NTK/intrusion protection
                                              macAddressOrUserLoginSecureExt
                                            Else:
                                              macAddressElseUserLoginSecure
                                              macAddressElseUserLoginSecureExt

TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• macAddress specifies MAC authentication.
• Else specifies that the authentication method before Else is applied first. If that authentication fails, whether the port turns to the authentication method following Else depends on the protocol type of the authentication request.
• Typically, in a security mode with Or, the authentication method to be used depends on the protocol type of the authentication request.
• userLogin with Secure specifies 802.1X authentication and MAC-based access control.
• Ext indicates that multiple 802.1X users can be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
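The dispatch rules summarized in the TIP (Or chooses the method by protocol type, Else tries MAC authentication first and falls through only for 802.1X frames, WithOUI falls back to an OUI check, and Ext lifts the one-802.1X-user limit) can be written down as a small decision function, which makes the differences between the modes easy to check. The following Python model is an added illustration, not code from the switch or from the HP guide. The mode names are the port-security port-mode keywords used in the configuration procedure later in this chapter; the authorization sets, the OUI list and the sample frames are constructed here. Two points the guide does not state explicitly are assumptions in this model: a frame for which no method applies (a non-802.1X frame on a userlogin-secure port) is treated as illegal, and a macAddressWithRadius port applies MAC authentication to every frame.

```python
"""Model of which authentication path a frame takes in each HP 5500
port-security mode (added illustration, not the switch's implementation).
Only the modes that authenticate per MAC address are modeled; userlogin
(port-based), autolearn and secure do not fit a per-frame dispatch."""

# Methods each mode tries, in order, keyed by whether the incoming frame is
# an 802.1X frame (True) or any other frame (False). Keys are the
# port-security port-mode keywords. Empty tuple = no method applies
# (assumption: the frame is then illegal). mac-authentication applying
# MAC auth to 802.1X frames as well is also an assumption.
_SEQUENCE = {
    "userlogin-secure":              {True: ("dot1x",), False: ()},
    "userlogin-secure-ext":          {True: ("dot1x",), False: ()},
    "userlogin-withoui":             {True: ("dot1x",), False: ("oui",)},
    "mac-authentication":            {True: ("mac",), False: ("mac",)},
    "userlogin-secure-or-mac":       {True: ("dot1x",), False: ("mac",)},
    "userlogin-secure-or-mac-ext":   {True: ("dot1x",), False: ("mac",)},
    "mac-else-userlogin-secure":     {True: ("mac", "dot1x"), False: ("mac",)},
    "mac-else-userlogin-secure-ext": {True: ("mac", "dot1x"), False: ("mac",)},
}


def auth_sequence(mode, is_dot1x_frame):
    """Ordered methods the port applies to this kind of frame."""
    return _SEQUENCE[mode][is_dot1x_frame]


def max_dot1x_users(mode):
    """802.1X users the mode itself allows online: 0 if the mode never runs
    802.1X, None (no mode limit) for Ext modes, otherwise one. Port
    security's max-mac-count still applies on top of this."""
    if not any("dot1x" in seq for seq in _SEQUENCE[mode].values()):
        return 0
    return None if mode.endswith("-ext") else 1


def authenticate(mode, frame, mac_allowed, dot1x_allowed, ouis):
    """Run the mode's methods against constructed authorization data.

    frame: dict with 'src' (MAC), 'dot1x' (bool) and optional 'identity'.
    mac_allowed: MACs the RADIUS server accepts for MAC authentication.
    dot1x_allowed: identities the RADIUS server accepts for 802.1X.
    ouis: OUI values set with port-security oui (first three octets).
    Returns ('permit', method) or ('intrusion', None). Intrusion protection
    fires only after every applicable method has failed, so an Else mode
    never punishes an 802.1X frame that merely fails MAC authentication.
    """
    src = frame["src"].lower()
    for method in auth_sequence(mode, frame["dot1x"]):
        if method == "mac" and src in {m.lower() for m in mac_allowed}:
            return ("permit", "mac")
        if method == "dot1x" and frame.get("identity") in dot1x_allowed:
            return ("permit", "dot1x")
        if method == "oui" and src[:8] in {o.lower() for o in ouis}:
            return ("permit", "oui")
    return ("intrusion", None)


# Constructed sample data: a printer known to MAC authentication, one
# 802.1X user, one phone OUI configured for userlogin-withoui, and a host
# that passes neither check.
MAC_ALLOWED = {"00:1b:21:aa:bb:cc"}
DOT1X_ALLOWED = {"alice"}
OUIS = {"00:0f:e2"}

PRINTER = {"src": "00:1b:21:aa:bb:cc", "dot1x": False}
LAPTOP = {"src": "3c:97:0e:11:22:33", "dot1x": True, "identity": "alice"}
PHONE = {"src": "00:0f:e2:44:55:66", "dot1x": False}
STRANGER = {"src": "de:ad:be:ef:00:01", "dot1x": True, "identity": "mallory"}

if __name__ == "__main__":
    for mode in _SEQUENCE:
        for name, frame in [("printer", PRINTER), ("laptop", LAPTOP),
                            ("phone", PHONE), ("stranger", STRANGER)]:
            verdict = authenticate(mode, frame, MAC_ALLOWED, DOT1X_ALLOWED, OUIS)
            print(f"{mode:32} {name:9} -> {verdict}")
```

The instructive case is a host whose MAC is known to the RADIUS server but which sends an 802.1X frame with a bad identity: an Or mode looks only at the protocol type, so the frame fails 802.1X and is illegal, while an Else mode tries MAC authentication first and admits it.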
Controlling MAC address learning

• autoLearn
  A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.
  When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.
  The dynamic MAC address learning function in MAC address management is disabled on ports operating in autoLearn mode, but you can configure MAC addresses by using the mac-address dynamic and mac-address static commands.
• secure
  MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2—LAN Switching Configuration Guide.
  A port in secure mode allows only frames sourced from secure MAC addresses and manually configured MAC addresses to pass.

Performing 802.1X authentication

• userLogin
  A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.
• userLoginSecure
  A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
• userLoginSecureExt
  This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
• userLoginWithOUI
  This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific organizationally unique identifier (OUI).
  For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs an OUI check upon receiving non-802.1X frames.

Performing MAC authentication

• macAddressWithRadius
  A port in this mode performs MAC authentication and services multiple users.

Performing a combination of MAC authentication and 802.1X authentication

• macAddressOrUserLoginSecure
  This mode is the combination of the macAddressWithRadius and userLoginSecure modes. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
• macAddressOrUserLoginSecureExt
  This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure
  This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority, as the Else keyword implies. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if that authentication fails, 802.1X authentication.
• macAddressElseUserLoginSecureExt
  This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.

NOTE:
An OUI, as defined by the IEEE, is the first 24 bits of the MAC address, which uniquely identifies a device vendor.

Working with guest VLAN and Auth-Fail VLAN

An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication. An 802.1X Auth-Fail VLAN or a MAC authentication guest VLAN is the VLAN that a user is in after failing authentication.

Support for the guest VLAN and Auth-Fail VLAN features varies with security modes.
• You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security modes that support 802.1X authentication. For more information about the 802.1X guest VLAN and Auth-Fail VLAN on a port that performs MAC-based access control, see Configuring 802.1X.
• You can use the MAC authentication guest VLAN feature together with security modes that support MAC authentication. For more information about the MAC authentication guest VLAN, see Configuring MAC authentication.
• If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port that performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.

Configuration task list

  Task                                                                     Remarks
  Enabling port security                                                   Required.
  Setting port security's limit on the number of MAC addresses on a port   Optional.
  Setting the port security mode                                           Required.
  Configuring port security features:
    Configuring NTK                                                        Optional. Configure one or more features as required.
    Configuring intrusion protection
    Enabling port security traps
  Configuring secure MAC addresses                                         Optional.
  Ignoring authorization information from the server                       Optional.
Enabling port security

Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.

When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in the different security modes.

You cannot disable port security when online users are present.

Before enabling port security, disable 802.1X and MAC authentication globally.

To enable port security:
  1. Enter system view.
     system-view
  2. Enable port security.
     port-security enable
     By default, port security is disabled.

For more information about 802.1X configuration, see Configuring 802.1X. For more information about MAC authentication configuration, see Configuring MAC authentication.

Setting port security's limit on the number of MAC addresses on a port

You can set the maximum number of MAC addresses that port security allows on a port for the following purposes:
• Controlling the number of concurrent users on the port. The maximum number of concurrent users on the port equals this limit or the limit of the authentication mode (802.1X, for example) in use, whichever is smaller.
• Controlling the number of secure MAC addresses on the port in autoLearn mode.

Port security's limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in the Layer 2—LAN Switching Configuration Guide.

To set the maximum number of secure MAC addresses allowed on a port:
  1. Enter system view.
     system-view
  2. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  3. Set port security's limit on the number of MAC addresses.
     port-security max-mac-count count-value
     Not limited by default.
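The two purposes of the limit can be seen in a small model: the "whichever is smaller" rule for concurrent users, and an autoLearn port that learns secure MAC addresses until max-mac-count is reached, switches itself to secure mode, and from then on reports any unknown source as an illegal frame for intrusion protection or trapping. The following Python is an added illustration, not code from the switch or from the HP guide; the class and function names, the limit values and the sample MAC addresses are constructed here. The refusal to start autoLearn without a limit mirrors the prerequisite that the limit be set before the mode is enabled.

```python
"""Model of port security's MAC-address limit on an autoLearn port
(added illustration, not the switch's implementation)."""


def effective_user_limit(max_mac_count, auth_mode_limit):
    """Concurrent users the port supports: the smaller of port security's
    max-mac-count and the authentication mode's own limit. None on either
    side means 'not limited' (max-mac-count is not limited by default)."""
    limits = [x for x in (max_mac_count, auth_mode_limit) if x is not None]
    return min(limits) if limits else None


class AutoLearnPort:
    """An interface in port-security port-mode autolearn.

    Frames from secure MAC addresses (learned, or set with
    port-security mac-address security) and from MACs configured with
    mac-address static/dynamic are forwarded. Unknown sources are learned
    until max-mac-count is reached; the port then transitions to secure
    mode, where an unknown source is an illegal frame.
    """

    def __init__(self, max_mac_count, configured=()):
        if max_mac_count is None:
            raise ValueError("set max-mac-count before enabling autolearn")
        self.max_mac_count = max_mac_count
        self.mode = "autolearn"
        self.secure_macs = []                   # learned/added, in order
        self.configured = {m.lower() for m in configured}

    def add_secure_mac(self, mac):
        """port-security mac-address security: a manual secure MAC entry
        counts against the same limit as a learned one."""
        return self._learn(mac.lower())

    def _learn(self, mac):
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) >= self.max_mac_count:
            return False
        self.secure_macs.append(mac)
        if len(self.secure_macs) == self.max_mac_count:
            self.mode = "secure"                # upper limit reached
        return True

    def receive(self, src_mac):
        """Return 'forward', 'learn' (learned, then forwarded) or
        'illegal' (hand the frame to intrusion protection/trapping)."""
        src = src_mac.lower()
        if src in self.secure_macs or src in self.configured:
            return "forward"
        if self.mode == "autolearn" and self._learn(src):
            return "learn"
        return "illegal"


# Constructed sample: a limit of 3, four hosts behind the port, and one
# address configured with mac-address static.
HOSTS = ["00:1b:21:00:00:01", "00:1b:21:00:00:02",
         "00:1b:21:00:00:03", "00:1b:21:00:00:04"]
STATIC_MAC = "00:e0:fc:12:34:56"


def walk(limit=3):
    """Replay the hosts through a fresh port; return (verdicts, final mode)."""
    port = AutoLearnPort(limit, configured=(STATIC_MAC,))
    verdicts = [port.receive(h) for h in HOSTS]
    verdicts.append(port.receive(HOSTS[0]))     # a learned host still passes
    verdicts.append(port.receive(STATIC_MAC))   # so does the static entry
    return verdicts, port.mode


if __name__ == "__main__":
    print("users:", effective_user_limit(64, 32), effective_user_limit(None, 1))
    print("autolearn walk:", walk())
```

Note the fourth host: it is not merely unlearned, it is the event that intrusion protection (configured later in this chapter) acts on, which is why the limit should be sized for the segment rather than left at the default.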
Setting the port security mode

After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.

You can specify a port security mode while port security is disabled, but the configuration does not take effect until port security is enabled.

You cannot change the port security mode of a port when online users are present.

Configuration prerequisites

Before you set a port security mode for a port, complete the following tasks:
• Disable 802.1X and MAC authentication.
• Verify that the port does not belong to any aggregation group or service loopback group.
• If you are configuring the autoLearn mode, set port security's limit on the number of MAC addresses. You cannot change the setting while the port is operating in autoLearn mode.

Configuration procedure

To enable a port security mode:
  1. Enter system view.
     system-view
  2. Set an OUI value for user authentication.
     port-security oui oui-value index index-value
     Required for the userlogin-withoui mode. Not configured by default. To set multiple OUI values, repeat this step.
  3. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  4. Set the port security mode.
     port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
     By default, a port operates in noRestrictions mode.
Configuring port security features

Configuring NTK

The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded.

Not all port security modes support triggering the NTK feature. For more information, see Table 11.

The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
• ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
• ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

To configure the NTK feature:
  1. Enter system view.
     system-view
  2. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  3. Configure the NTK feature.
     port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
     By default, NTK is disabled on a port and all frames are allowed to be sent.

Configuring intrusion protection

Intrusion protection enables a device to take one of the following actions in response to illegal frames:
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address are dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be configured with the port-security timer disableport command.
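The two enforcement features in this section can be checked against a small model: an egress filter applying the three NTK modes (distinguishing unicast, multicast and broadcast destinations by the I/G bit of the first octet), and an ingress handler applying the three intrusion protection actions with their timers, namely the fixed three-minute blockmac interval, the disableport timer with the 20-second default given in the procedure that follows, and the manual recovery that disableport requires. The following Python is an added illustration, not the switch's code or anything from the HP guide; the MAC addresses, the authenticated set and the timestamps are constructed, and timestamps are passed in explicitly so the timers can be exercised without waiting.

```python
"""Model of NTK egress filtering and intrusion protection actions
(added illustration, not the switch's implementation)."""

BLOCKMAC_SECONDS = 180            # blockmac interval: three minutes, fixed
DEFAULT_DISABLEPORT_SECONDS = 20  # port-security timer disableport default


def mac_kind(mac):
    """Classify a destination MAC as 'broadcast', 'multicast' (I/G bit of
    the first octet set) or 'unicast'."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    if all(o == 0xFF for o in octets):
        return "broadcast"
    return "multicast" if octets[0] & 0x01 else "unicast"


def ntk_permits(ntk_mode, dst_mac, authenticated):
    """Egress decision for one outbound frame under port-security ntk-mode.
    ntk_mode None means NTK is disabled (the default): everything passes."""
    if ntk_mode is None:
        return True
    kind = mac_kind(dst_mac)
    if kind == "unicast":
        return dst_mac.lower() in {m.lower() for m in authenticated}
    if kind == "broadcast":
        return ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    return ntk_mode == "ntk-withmulticasts"        # multicast


class IntrusionProtection:
    """Ingress handling of illegal frames under port-security intrusion-mode.
    'now' arguments are seconds supplied by the caller."""

    def __init__(self, mode, disableport_timer=DEFAULT_DISABLEPORT_SECONDS):
        assert mode in ("blockmac", "disableport", "disableport-temporarily")
        self.mode = mode
        self.disableport_timer = disableport_timer
        self.blocked = {}             # MAC -> time the block expires
        self.port_down_until = None   # None: up; inf: until brought up manually

    def on_illegal_frame(self, src_mac, now):
        if self.mode == "blockmac":
            self.blocked[src_mac.lower()] = now + BLOCKMAC_SECONDS
        elif self.mode == "disableport":
            self.port_down_until = float("inf")
        else:
            self.port_down_until = now + self.disableport_timer

    def bring_up(self):
        """Operator re-enables the port (the only way out of disableport)."""
        self.port_down_until = None

    def port_is_up(self, now):
        if self.port_down_until is None:
            return True
        if now >= self.port_down_until:       # temporary silence has expired
            self.port_down_until = None
            return True
        return False

    def accepts(self, src_mac, now):
        """Would a frame from src_mac be admitted at time now?"""
        if not self.port_is_up(now):
            return False
        expires = self.blocked.get(src_mac.lower())
        if expires is None:
            return True
        if now >= expires:                    # three minutes have elapsed
            del self.blocked[src_mac.lower()]
            return True
        return False


def demo():
    """Replay constructed events through each action; return observations."""
    bm = IntrusionProtection("blockmac")
    bm.on_illegal_frame("de:ad:be:ef:00:01", now=0)
    tmp = IntrusionProtection("disableport-temporarily")
    tmp.on_illegal_frame("de:ad:be:ef:00:02", now=100)
    hard = IntrusionProtection("disableport")
    hard.on_illegal_frame("de:ad:be:ef:00:03", now=100)
    return {
        "blocked_at_179": bm.accepts("de:ad:be:ef:00:01", 179),
        "blocked_at_180": bm.accepts("de:ad:be:ef:00:01", 180),
        "other_mac_passes": bm.accepts("00:1b:21:00:00:01", 10),
        "temp_down_at_119": tmp.port_is_up(119),
        "temp_up_at_120": tmp.port_is_up(120),
        "hard_down_much_later": hard.port_is_up(10**9),
        "ntkonly_drops_broadcast": ntk_permits("ntkonly", "ff:ff:ff:ff:ff:ff", set()),
        "withbroadcasts_drops_multicast": ntk_permits("ntk-withbroadcasts", "01:00:5e:00:00:fb", set()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

Two practical consequences fall out of the model: ntkonly also suppresses ARP and other broadcasts leaving the port, so it is only viable where the attached devices never need them; and blockmac punishes one source address while either disableport action takes every user on the port offline, which matters on a port shared through an unmanaged switch.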
On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.

To configure the intrusion protection feature:
  1. Enter system view.
     system-view
  2. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  3. Configure the intrusion protection feature.
     port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
     By default, intrusion protection is disabled.
  4. Return to system view.
     quit
  5. Set the silence timeout period during which a port remains disabled.
     port-security timer disableport time-value
     Optional. 20 seconds by default.

Enabling port security traps

You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, 802.1X user logon, and 802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.

To enable port security traps:
  1. Enter system view.
     system-view
  2. Enable port security traps.
     port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
     By default, port security traps are disabled.

Configuring secure MAC addresses

Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up events. You can bind a secure MAC address to only one port in a VLAN.

IMPORTANT:
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.

Secure MAC addresses fall into static, sticky, and dynamic secure MAC addresses.
Table 12 A comparison of static, sticky, and dynamic secure MAC addresses

  Static
    Address sources: Manually added.
    Aging mechanism: Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
    Can be saved and survive a device reboot? Yes.

  Sticky
    Address sources: Manually added, or automatically learned while the dynamic secure MAC function (port-security mac-address dynamic) is disabled.
    Aging mechanism: Sticky MAC addresses by default do not age out, but you can configure an aging timer, or use the aging timer together with the inactivity aging function, to delete old sticky MAC addresses:
      • If only an aging timer is configured, the aging timer counts up regardless of whether traffic has been sent from the sticky MAC address.
      • If both an aging timer and the inactivity aging function are configured, the aging timer restarts once traffic is detected from the sticky MAC address.
    Can be saved and survive a device reboot? Yes. The secure MAC aging timer restarts at a reboot.

  Dynamic
    Address sources: Converted from sticky MAC addresses, or automatically learned after the dynamic secure MAC function is enabled.
    Aging mechanism: Same as sticky MAC addresses.
    Can be saved and survive a device reboot? No. All dynamic secure MAC addresses are lost at reboot.

Configuration prerequisites
• Enable port security.
• Set port security's limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode.
• Set the port security mode to autoLearn.

Configuration procedure

To configure a secure MAC address:
  1. Enter system view.
     system-view
  2. Set the secure MAC aging timer.
     port-security timer autolearn aging time-value
     Optional. By default, secure MAC addresses do not age out, and you can remove them only by using the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
  3. Configure a secure MAC address. Use either approach. No secure MAC address exists by default.
     • Approach 1 (in system view):
       port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
     • Approach 2 (in interface view):
       a. interface interface-type interface-number
       b. port-security mac-address security [ sticky ] mac-address vlan vlan-id
       c. quit
  4. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  5. Enable inactivity aging.
     port-security mac-address aging-type inactivity
     Optional. By default, the inactivity aging function is disabled.
  6. Enable the dynamic secure MAC function.
     port-security mac-address dynamic
     Optional. By default, the dynamic secure MAC function is disabled, so sticky MAC addresses can be saved to the configuration file and, once saved, survive a device reboot.

NOTE:
You can display dynamic secure MAC addresses only by using the display port-security mac-address security command.

Ignoring authorization information from the server

The authorization information is delivered by the RADIUS server to the device after an 802.1X user or MAC authentication user passes RADIUS authentication. You can configure a port to ignore the authorization information from the RADIUS server.

To configure a port to ignore the authorization information from the RADIUS server:
  1. Enter system view.
     system-view
  2. Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
  3. Ignore the authorization information from the RADIUS server.
     port-security authorization ignore
     By default, a port uses the authorization information from the RADIUS server.

Displaying and maintaining port security
• Display port security configuration information, operation information, and statistics about one or more ports or all ports (available in any view):
  display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
• Display information about secure MAC addresses (available in any view):
  display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
• Display information about blocked MAC addresses (available in any view):
  display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

Port security configuration examples

Configuring the autoLearn mode

Network requirements

See Figure 87. Configure port GigabitEthernet 1/0/1 on the Device as follows:
• Accept up to 64 users on the port without authentication.
• Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the sticky MAC aging timer to 30 minutes.
• After the number of secure MAC addresses reaches 64, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection starts, and the port shuts down and stays silent for 30 seconds.

Figure 87 Network diagram

Configuration procedure

# Enable port security.
system-view
[Device] port-security enable
# Set the secure MAC aging timer to 30 minutes.
[Device] port-security timer autolearn aging 30
# Enable intrusion protection traps on port GigabitEthernet 1/0/1.
[Device] port-security trap intrusion
[Device] interface gigabitethernet 1/0/1