HP 5500 Ei 5500 Si Switch Series Configuration Guide
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30

Verifying the configuration

# Display the port security configuration.
display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Intrusion trap is enabled
AutoLearn aging time is 30 minutes
Disableport Timeout: 30s
OUI value:
GigabitEthernet1/0/1 is link-up
 Port mode is autoLearn
 NeedToKnow mode is disabled
 Intrusion Protection mode is DisablePortTemporarily
 Max MAC address number is 64
 Stored MAC address number is 0
 Authorization is permitted
 Security MAC address learning mode is sticky
 Security MAC address aging type is absolute

The output shows that the port security limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, intrusion protection traps are enabled, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds.

# Repeatedly perform the display port-security command to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses.
system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 64
 port-security port-mode autolearn
 port-security mac-address security sticky 0002-0000-0015 vlan 1
 port-security mac-address security sticky 0002-0000-0014 vlan 1
 port-security mac-address security sticky 0002-0000-0013 vlan 1
 port-security mac-address security sticky 0002-0000-0012 vlan 1
 port-security mac-address security sticky 0002-0000-0011 vlan 1
#
Execute the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message.

#Jan 14 10:39:47:135 2011 Device PORTSEC/4/VIOLATION: Trap1.3.6.1.4.1.25506.2.26.1.3.2: An intrusion occurs!
 IfIndex: 9437185
 Port: 9437185
 MAC Addr: 00:02:00:00:00:32
 VLAN ID: 1
 IfAdminStatus: 1

# Execute the display interface command, and you can see that the port security feature has disabled the port.
[Device-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
 GigabitEthernet1/0/1 current state: DOWN ( Port Security Disabled )
 IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
 Description: GigabitEthernet1/0/1 Interface
......

The port should be re-enabled 30 seconds later.
[Device-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
 GigabitEthernet1/0/1 current state: UP
 IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
 Description: GigabitEthernet1/0/1 Interface
......

Delete several secure MAC addresses, and you can see that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again.

Configuring the userLoginWithOUI mode

Network requirements

As shown in Figure 88, a client is connected to the Device through port GigabitEthernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
• The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server, and the RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and that for accounting is money.
• All users use the default authentication, authorization, and accounting methods of ISP domain sun, which can accommodate up to 30 users.
• The RADIUS server response timeout time is five seconds and the maximum number of RADIUS packet retransmission attempts is five. The Device sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends usernames without domain names to the RADIUS server.
Configure port GigabitEthernet 1/0/1 of the Device to:
• Allow only one 802.1X user to be authenticated.
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.

Figure 88 Network diagram

Configuration procedure

Configurations on the host and RADIUS servers are not shown. The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
1. Configure the RADIUS protocol:
# Configure a RADIUS scheme named radsun.
system-view
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication name
[Device-radius-radsun] key accounting money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users.
[Device] domain sun
[Device-isp-sun] authentication default radius-scheme radsun
[Device-isp-sun] authorization default radius-scheme radsun
[Device-isp-sun] accounting default radius-scheme radsun
[Device-isp-sun] access-limit enable 30
[Device-isp-sun] quit
2. Configure 802.1X:
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
[Device] dot1x authentication-method chap
3. Configure port security:
# Enable port security.
[Device] port-security enable
# Add five OUI values.
[Device] port-security oui 1234-0100-1111 index 1
[Device] port-security oui 1234-0200-1111 index 2
[Device] port-security oui 1234-0300-1111 index 3
[Device] port-security oui 1234-0400-1111 index 4
[Device] port-security oui 1234-0500-1111 index 5
[Device] interface gigabitethernet 1/0/1
# Set the port security mode to userLoginWithOUI.
[Device-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui

Verifying the configuration

# Display the RADIUS scheme radsun.
display radius scheme radsun
SchemeName : radsun
Index : 1
Type : standard
Primary Auth Server:
 IP: 192.168.1.2  Port: 1812  State: active
 Encryption Key : N/A
 VPN instance : N/A
 Probe username : N/A
 Probe interval : N/A
Primary Acct Server:
 IP: 192.168.1.3  Port: 1813  State: active
 Encryption Key : N/A
 VPN instance : N/A
Second Auth Server:
 IP: 192.168.1.3  Port: 1812  State: active
 Encryption Key : N/A
 VPN instance : N/A
 Probe username : N/A
 Probe interval : N/A
Second Acct Server:
 IP: 192.168.1.2  Port: 1813  State: active
 Encryption Key : N/A
 VPN instance : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : ******
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 5
Retransmission times for timeout : 5
Interval for realtime accounting(minute) : 15
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
# Display the configuration of the ISP domain sun.
display domain sun
Domain : sun
 State : Active
 Access-limit : 30
 Accounting method : Required
 Default authentication scheme : radius:radsun
 Default authorization scheme : radius:radsun
 Default accounting scheme : radius:radsun
 Domain User Template:
 Idle-cut : Disabled
 Self-service : Disabled
 Authorization attributes:

# Display the port security configuration.
display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
 Index is 1, OUI value is 123401
 Index is 2, OUI value is 123402
 Index is 3, OUI value is 123403
 Index is 4, OUI value is 123404
 Index is 5, OUI value is 123405
GigabitEthernet1/0/1 is link-up
 Port mode is userLoginWithOUI
 NeedToKnow mode is disabled
 Intrusion Protection mode is NoAction
 Max MAC address number is not configured
 Stored MAC address number is 0
 Authorization is permitted
 Security MAC address learning mode is sticky
 Security MAC address aging type is absolute

After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1.

# Display 802.1X information.
display dot1x interface gigabitethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
 Quiet Period 60 s, Quiet Period Timer is disabled
 Supp Timeout 30 s, Server Timeout 100 s
 Reauth Period 3600 s
 The maximal retransmitting times 2
EAD quick deploy configuration:
 EAD timeout: 30m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
 802.1X protocol is enabled
 Handshake is enabled
 Handshake secure is disabled
 802.1X unicast-trigger is enabled
 Periodic reauthentication is disabled
 The port is an authenticator
 Authentication Mode is Auto
 Port Control Type is Mac-based
 802.1X Multicast-trigger is enabled
 Mandatory authentication domain: NOT configured
 Guest VLAN: NOT configured
 Auth-Fail VLAN: NOT configured
 Critical VLAN: NOT configured
 Critical recovery-action: NOT configured
 Max number of on-line users is 256
 EAPOL Packet: Tx 16331, Rx 102
 Sent EAP Request/Identity Packets : 16316
  EAP Request/Challenge Packets: 6
  EAP Success Packets: 4, Fail Packets: 5
 Received EAPOL Start Packets : 6
  EAPOL LogOff Packets: 2
  EAP Response/Identity Packets : 80
  EAP Response/Challenge Packets: 6
  Error Packets: 0
 1. Authenticated user : MAC address: 0002-0000-0011
 Controlled User(s) amount to 1

In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port.

# Display MAC address information for interface GigabitEthernet 1/0/1.
display mac-address interface gigabitethernet 1/0/1
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
1234-0300-0011  1        Learned  GigabitEthernet1/0/1  AGING
--- 1 mac address(es) found ---
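Both the autoLearn and the userLoginWithOUI verification steps above rely on reading display port-security interface output by eye. The following Python is an added example, not from the HP guide, that parses that output (global fields, the OUI table and the per-port block) into a dict and reports drift from an intended policy; the sample text is constructed from the autoLearn output shown above, and the function and key names are this example's own.

```python
import re

# Constructed sample in the shape of the "display port-security interface"
# output shown for the autoLearn example above; not captured from a device.
SAMPLE_AUTOLEARN = """\
Equipment port-security is enabled
Intrusion trap is enabled
AutoLearn aging time is 30 minutes
Disableport Timeout: 30s
OUI value:
GigabitEthernet1/0/1 is link-up
 Port mode is autoLearn
 NeedToKnow mode is disabled
 Intrusion Protection mode is DisablePortTemporarily
 Max MAC address number is 64
 Stored MAC address number is 0
 Security MAC address learning mode is sticky
"""

_OUI_LINE = re.compile(r"^\s*Index is (\d+), OUI value is ([0-9A-Fa-f]+)")
_LINK_LINE = re.compile(r"^(\S+) is link-(up|down)$")


def parse_port_security(text):
    """Parse the display output into {"global": {...}, "ouis": {...}, "port": {...}}.
    Keys are the phrases that precede " is " or ":" in each output line,
    e.g. parsed["port"]["Max MAC address number"] == "64".
    """
    parsed = {"global": {}, "ouis": {}, "port": {}}
    section = parsed["global"]
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _OUI_LINE.match(line)
        if m:                       # "Index is 1, OUI value is 123401"
            parsed["ouis"][int(m.group(1))] = m.group(2).lower()
            continue
        m = _LINK_LINE.match(line)
        if m:                       # unindented interface line opens the port block
            section = parsed["port"]
            section["interface"], section["link"] = m.group(1), "link-" + m.group(2)
            continue
        sep = " is " if " is " in line else ":"
        key, _, value = line.partition(sep)
        section[key.strip()] = value.strip()
    return parsed


def policy_mismatches(parsed, expected):
    """List the port-level fields whose value differs from the intended policy,
    e.g. expected={"Port mode": "autoLearn", "Max MAC address number": "64"}."""
    port = parsed["port"]
    return [f"{k}: expected {v!r}, got {port.get(k)!r}"
            for k, v in expected.items() if port.get(k) != v]
```

Running the same check after every change window turns the manual "display and look" step into a repeatable drift test for the port-security settings this chapter configures.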
Configuring the macAddressElseUserLoginSecure mode

Network requirements

As shown in Figure 88, a client is connected to the Device through GigabitEthernet 1/0/1. The Device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the Device:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
• Set a fixed username and password for MAC authentication. Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
• Enable NTK to prevent frames from being sent to unknown MAC addresses.

Configuration procedure

Configurations on the host and RADIUS servers are not shown.
1. Configure the RADIUS protocol:
Configure the RADIUS authentication/accounting and ISP domain settings the same as in Configuring the userLoginWithOUI mode.
2. Configure port security:
# Enable port security.
system-view
[Device] port-security enable
# Configure a MAC authentication user, setting the username and password to aaa and 123456 respectively.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Specify ISP domain sun for MAC authentication.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
[Device] dot1x authentication-method chap
[Device] interface gigabitethernet 1/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Verifying the configuration

# Display the port security configuration.
display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
 Port mode is macAddressElseUserLoginSecure
 NeedToKnow mode is NeedToKnowOnly
 Intrusion Protection mode is NoAction
 Max MAC address number is 64
 Stored MAC address number is 0
 Authorization is permitted
 Security MAC address learning mode is sticky
 Security MAC address aging type is absolute

# Display MAC authentication information.
display mac-authentication interface gigabitethernet 1/0/1
MAC address authentication is enabled.
User name format is fixed account
 Fixed username:aaa
 Fixed password: ******
Offline detect period is 60s
Quiet period is 5s
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 3
Current domain is mac
Silent MAC User info:
 MAC Addr         From Port         Port Index
GigabitEthernet1/0/1 is link-up
 MAC address authentication is enabled
 Authenticate success: 3, failed: 7
 Max number of on-line users is 256
 Current online user number is 3
 MAC ADDR        Authenticate state          Auth Index
 1234-0300-0011  MAC_AUTHENTICATOR_SUCCESS   13
 1234-0300-0012  MAC_AUTHENTICATOR_SUCCESS   14
 1234-0300-0013  MAC_AUTHENTICATOR_SUCCESS   15

# Display 802.1X authentication information.
display dot1x interface gigabitethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
 Quiet Period 60 s, Quiet Period Timer is disabled
 Supp Timeout 30 s, Server Timeout 100 s
 The maximal retransmitting times 2
EAD quick deploy configuration:
 EAD timeout: 30m
Total maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
 802.1X protocol is enabled
 Handshake is enabled
 Handshake secure is disabled
 802.1X unicast-trigger is enabled
 Periodic reauthentication is disabled
 The port is an authenticator
 Authentication Mode is Auto
 Port Control Type is Mac-based
 802.1X Multicast-trigger is enabled
 Mandatory authentication domain: NOT configured
 Guest VLAN: NOT configured
 Auth-Fail VLAN: NOT configured
 Critical VLAN: NOT configured
 Critical recovery-action: NOT configured
 Max number of on-line users is 256
 EAPOL Packet: Tx 16331, Rx 102
 Sent EAP Request/Identity Packets : 16316
  EAP Request/Challenge Packets: 6
  EAP Success Packets: 4, Fail Packets: 5
 Received EAPOL Start Packets : 6
  EAPOL LogOff Packets: 2
  EAP Response/Identity Packets : 80
  EAP Response/Challenge Packets: 6
  Error Packets: 0
 1. Authenticated user : MAC address: 0002-0000-0011
 Controlled User(s) amount to 1

As NTK is enabled, frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses will be discarded.

Troubleshooting port security

Cannot set the port security mode

Symptom
Cannot set the port security mode.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
Solution
Set the port security mode to noRestrictions first.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn

Cannot configure secure MAC addresses

Symptom
Cannot configure secure MAC addresses.
[Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
Error: Security MAC address configuration failed.
Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
Solution
Set the port security mode to autoLearn.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
[Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1

Cannot change port security mode when a user is online

Symptom
Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) online on port GigabitEthernet1/0/1.
Analysis
Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
Solution
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
[Device-GigabitEthernet1/0/1] quit
[Device] cut connection interface gigabitethernet 1/0/1
[Device] interface gigabitethernet 1/0/1
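The three ordering rules in this troubleshooting section (undo the current mode before setting another, set max-mac-count and autoLearn before adding secure MAC addresses, cut online users before changing the mode) are easy to get wrong in scripted changes. The following Python is an added example, not from the HP guide, that emits the Comware command sequence in the order the section requires; the function name, the parameters and the mode strings are this example's own, and it models only the rules stated here.

```python
# Added example (not from the HP guide): emit a Comware command sequence that
# honours the ordering rules from the troubleshooting section above.
# The interface name, mode names and user count are supplied by the caller;
# the function models only the three rules stated on this page.

NO_RESTRICTIONS = "noRestrictions"   # mode name as shown by display port-security


def plan_mode_change(interface, current_mode, target_mode, online_users,
                     max_mac_count=None, secure_macs=()):
    """Return the ordered CLI lines, starting in system view, that move
    `interface` from `current_mode` to `target_mode`.

    current_mode   display-output mode name, e.g. "secure" or "noRestrictions"
    target_mode    port-mode keyword, e.g. "autolearn" or "userlogin-withoui"
    online_users   802.1X/MAC-authenticated users currently online on the port
    max_mac_count  required for autolearn; must be set before the port mode
    secure_macs    (mac, vlan) pairs to add; accepted only in autoLearn mode
    """
    if secure_macs and target_mode != "autolearn":
        raise ValueError("secure MAC addresses need autoLearn mode")
    if target_mode == "autolearn" and max_mac_count is None:
        raise ValueError("autolearn needs port-security max-mac-count")

    cmds = []
    if online_users > 0:
        # Rule 3: the mode cannot change while a user is online; cut first.
        cmds.append(f"cut connection interface {interface}")
    cmds.append(f"interface {interface}")
    if current_mode != NO_RESTRICTIONS:
        # Rule 1: leave the current mode before selecting another one.
        cmds.append("undo port-security port-mode")
    if target_mode == "autolearn":
        # Rule 2: the MAC limit precedes the mode, and both precede secure MACs.
        cmds.append(f"port-security max-mac-count {max_mac_count}")
    cmds.append(f"port-security port-mode {target_mode}")
    for mac, vlan in secure_macs:
        cmds.append(f"port-security mac-address security {mac} vlan {vlan}")
    cmds.append("quit")
    return cmds
```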