HP A 5120 Manual
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes of this category use MAC authentication, 802.1X authentication, or their combinations to implement authentication.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If an illegal frame or event is detected, the port takes the pre-defined NTK, intrusion protection, or trapping action.
Table 10 describes the port security modes and the security features.
Table 10 Port security modes
Turn off the port security feature
    Security mode: noRestrictions (the default mode). In this mode, port security is disabled on the port and access to the port is not restricted.
    Features that can be triggered: —
Control MAC address learning
    Security modes: autoLearn, secure
    Features that can be triggered: NTK/intrusion protection
Perform 802.1X authentication
    Security mode: userLogin
    Features that can be triggered: —
    Security modes: userLoginSecure, userLoginSecureExt, userLoginWithOUI
    Features that can be triggered: NTK/intrusion protection
Perform MAC authentication
    Security mode: macAddressWithRadius
    Features that can be triggered: NTK/intrusion protection
Perform a combination of MAC authentication and 802.1X authentication
    Security modes (Or): macAddressOrUserLoginSecure, macAddressOrUserLoginSecureExt
    Security modes (Else): macAddressElseUserLoginSecure, macAddressElseUserLoginSecureExt
    Features that can be triggered: NTK/intrusion protection
TIP:
These security mode naming rules may help you remember the modes:
• userLogin specifies 802.1X authentication and port-based access control.
• macAddress specifies MAC address authentication.
• Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
• In a security mode with Or, the authentication method to be used depends on the protocol type of the authentication request.
• userLogin with Secure specifies 802.1X authentication and MAC-based access control.
• Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
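The naming rules in the TIP can be applied mechanically. The following is an added example (not part of the manual and not HP software) that decodes a mode name into the authentication methods, access control method and user count the name implies, and maps it to the keyword accepted by port-security port-mode as listed later in this chapter. One reading beyond the TIP is marked: userLoginWithOUI is treated as MAC-based because the chapter describes it as similar to userLoginSecure.

```python
"""Decode an HP A5120 port security mode name using the naming rules from the TIP.

Added example, not part of the manual or of HP's software. The mode-name to
CLI-keyword table is taken from the port-security port-mode syntax shown in
the configuration procedure; everything else is derived from the name itself.
"""
import re

# Mode name -> keyword accepted by "port-security port-mode" (from the command syntax).
CLI_KEYWORDS = {
    "noRestrictions": None,  # the default; restored with "undo port-security port-mode"
    "autoLearn": "autolearn",
    "secure": "secure",
    "userLogin": "userlogin",
    "userLoginSecure": "userlogin-secure",
    "userLoginSecureExt": "userlogin-secure-ext",
    "userLoginWithOUI": "userlogin-withoui",
    "macAddressWithRadius": "mac-authentication",
    "macAddressOrUserLoginSecure": "userlogin-secure-or-mac",
    "macAddressOrUserLoginSecureExt": "userlogin-secure-or-mac-ext",
    "macAddressElseUserLoginSecure": "mac-else-userlogin-secure",
    "macAddressElseUserLoginSecureExt": "mac-else-userlogin-secure-ext",
}


def describe_mode(mode: str) -> dict:
    """Apply the naming rules to one mode name and return what the name implies."""
    if mode not in CLI_KEYWORDS:
        raise ValueError(f"unknown port security mode: {mode}")
    lowered = mode.lower()
    dot1x = "userlogin" in lowered        # userLogin: 802.1X authentication
    mac_auth = "macaddress" in lowered    # macAddress: MAC address authentication
    combo = re.match(r"macAddress(Or|Else)UserLogin", mode)
    info = {
        "mode": mode,
        "cli_keyword": CLI_KEYWORDS[mode],
        "dot1x": dot1x,
        "mac_auth": mac_auth,
        # Or: the method is chosen by the protocol type of the request.
        # Else: MAC authentication first, then 802.1X if it fails (depending on protocol type).
        "combination": combo.group(1).lower() if combo else None,
        "access_control": None,
        "multiple_dot1x_users": None,
        "oui_user": mode.endswith("WithOUI"),
    }
    if dot1x:
        # userLogin alone is port-based access control; userLogin with Secure is MAC-based.
        # userLoginWithOUI is described as similar to userLoginSecure, so it is treated as MAC-based.
        mac_based = "Secure" in mode or info["oui_user"]
        info["access_control"] = "mac-based" if mac_based else "port-based"
        # Ext: multiple 802.1X users authenticated at once; without Ext only one passes.
        info["multiple_dot1x_users"] = mode.endswith("Ext")
    return info


def modes_with(**wanted) -> list:
    """List the mode names whose decoded properties match every keyword given."""
    return [m for m in CLI_KEYWORDS
            if all(describe_mode(m).get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    for name in CLI_KEYWORDS:
        print(describe_mode(name))
    print("combined modes:", modes_with(mac_auth=True, dot1x=True))
```

Running the script prints the decoded properties of every mode; modes_with() answers questions such as "which modes perform both MAC authentication and 802.1X" from the names alone.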
     
    Control MAC address learning 
1. autoLearn
A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.
In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode.
When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.
On a port operating in autoLearn mode, the dynamic MAC address learning function in MAC address management is disabled.
2. secure
MAC address learning is disabled on a port in secure mode. You can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
A port in secure mode allows only frames sourced from secure MAC addresses and MAC addresses manually configured to pass.
Perform 802.1X authentication
1. userLogin
A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.
2. userLoginSecure
A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
3. userLoginSecureExt
This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
4. userLoginWithOUI
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specified organizationally unique identifier (OUI).
For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs an OUI check upon receiving non-802.1X frames.
Perform MAC authentication
macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.
Perform a combination of MAC authentication and 802.1X authentication
1. macAddressOrUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes.
For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
2. macAddressOrUserLoginSecureExt
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
3. macAddressElseUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication.
4. macAddressElseUserLoginSecureExt
This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users as the keyword Ext implies.
NOTE:
• The maximum number of users a port supports equals the maximum number of secure MAC addresses or the maximum number of authenticated users the security mode supports, whichever is smaller.
• For more information about configuring MAC address table entries, see the Layer 2—LAN Switching Command Reference.
Support for guest VLAN and Auth-Fail VLAN
An 802.1X guest VLAN is the VLAN that a user is in before initiating authentication. An 802.1X Auth-Fail VLAN or a MAC authentication guest VLAN is the VLAN that a user is in after failing authentication. Support for the guest VLAN and Auth-Fail VLAN features varies with security modes.
• You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security modes that support 802.1X authentication. For more information about the 802.1X guest VLAN and Auth-Fail VLAN on a port that performs MAC-based access control, see the chapter “802.1X configuration.”
• You can use the MAC authentication VLAN feature together with security modes that support MAC authentication. For more information about the MAC authentication guest VLAN, see the chapter “MAC authentication configuration.”
NOTE:
If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port that performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.
Port security configuration task list
Complete the following tasks to configure port security:
Enabling port security: Required
Setting the maximum number of secure MAC addresses: Optional
Setting the port security mode: Required
Configuring port security features (configure one or more features as required):
    Configuring NTK: Optional
    Configuring intrusion protection: Optional
    Configuring port security traps: Optional
Configuring secure MAC addresses: Optional
Ignoring authorization information from the server: Optional
     
Enabling port security
Configuration prerequisites
Disable 802.1X and MAC authentication globally.
Configuration procedure
Follow these steps to enable port security:
Step 1. Enter system view.
        Command: system-view
Step 2. Enable port security.
        Command: port-security enable
        Remarks: Required. Disabled by default.

1. Enabling port security resets the following configurations on a port to the bracketed defaults. Then, values of these configurations cannot be changed manually; the system will adjust them based on the port security mode automatically:
   • 802.1X (disabled), port access control method (macbased), and port authorization mode (auto)
   • MAC authentication (disabled)
2. Disabling port security resets the following configurations on a port to the bracketed defaults:
   • Port security mode (noRestrictions)
   • 802.1X (disabled), port access control method (macbased), and port authorization mode (auto)
   • MAC authentication (disabled)
3. Port security cannot be disabled when a user is present on a port.
NOTE:
• For more information about 802.1X configuration, see the chapter “802.1X configuration.”
• For more information about MAC authentication configuration, see the chapter “MAC authentication configuration.”
Setting the maximum number of secure MAC addresses
The maximum number of users a port supports in a port security mode is determined by the maximum number of secure MAC addresses or the maximum number of authenticated users that the security mode supports, whichever is smaller.
By setting the maximum number of MAC addresses allowed on a port, you can implement the following control:
• Control the number of secure MAC addresses that a port can learn for port security.
• Control the maximum number of users who are allowed to access the network through the port.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:
Step 1. Enter system view.
        Command: system-view
Step 2. Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
Step 3. Set the maximum number of secure MAC addresses allowed on a port.
        Command: port-security max-mac-count count-value
        Remarks: Required. Not limited by default.

NOTE:
This configuration is independent of the MAC learning limit described in MAC address table configuration in the Layer 2—LAN Switching Configuration Guide.
Setting the port security mode
Configuration prerequisites
Before you set a port security mode for a port, complete the following tasks:
• Disable 802.1X and MAC authentication.
• Set the port to perform MAC-based access control, and set the port authorization mode to auto.
• Check that the port does not belong to any aggregation group.
The requirements above must all be met. Otherwise, an error message appears when you set a security mode on the port. On the other hand, after setting a port security mode on a port, you cannot change any of the configurations above.
• Before you configure the port to operate in autoLearn mode, set the maximum number of secure MAC addresses allowed on a port.
NOTE:
• With port security disabled, you can configure a port security mode, but your configuration does not take effect.
• You cannot change the port security mode of a port with users online.
Configuration procedure
Follow these steps to enable any other port security mode:
Step 1. Enter system view.
        Command: system-view
Step 2. Set an OUI value for user authentication.
        Command: port-security oui oui-value index index-value
        Remarks: Optional. Not configured by default. The command is required for the userlogin-withoui mode.
Step 3. Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
Step 4. Set the port security mode.
        Command: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
        Remarks: Required. By default, a port operates in noRestrictions mode.

NOTE:
• When a port operates in autoLearn mode, the maximum number of secure MAC addresses cannot be changed.
• An OUI, as defined by the IEEE, is the first 24 bits of the MAC address, which uniquely identifies a device vendor.
• You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI to pass authentication at the same time.
• After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. To change the port security mode for a port in any other mode, use the undo port-security port-mode command to restore the default port security mode first.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded.
The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
• ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
• ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
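The three NTK modes differ only in which non-unicast frames they let through, and unicast is always checked against the authenticated destinations. The model below is an added example (not the switch's code and not from the manual) that classifies each outbound frame by its destination MAC using the standard broadcast and I/G-bit rules and applies the mode's policy; the authenticated set and the frame list are constructed sample data.

```python
"""Model of the NTK (need-to-know) outbound filter on an HP A5120 port.

Added example, not the switch's code. Destination classification uses the
standard MAC rules: ff:ff:ff:ff:ff:ff is broadcast and a set I/G bit (bit 0 of
the first octet) marks a multicast address. The authenticated-destination set
and the frame list below are constructed sample data.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Frame kinds each NTK mode lets out of the port; None means NTK is disabled.
NTK_POLICY = {
    None: {"unicast", "broadcast", "multicast"},
    "ntkonly": {"unicast"},
    "ntk-withbroadcasts": {"unicast", "broadcast"},
    "ntk-withmulticasts": {"unicast", "broadcast", "multicast"},
}


def frame_kind(dst_mac: str) -> str:
    """Classify a destination MAC as unicast, multicast or broadcast."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if int(mac.split(":")[0], 16) & 0x01 else "unicast"


def ntk_forwards(mode, dst_mac: str, authenticated: set) -> bool:
    """Decide whether an outbound frame leaves the port under the given NTK mode."""
    kind = frame_kind(dst_mac)
    if kind not in NTK_POLICY[mode]:
        return False
    if kind == "unicast" and mode is not None:
        # With NTK on, unicast goes only to authenticated destinations; unknown unicast is discarded.
        return dst_mac.lower() in authenticated
    return True


def apply_ntk(mode, frames, authenticated: set) -> list:
    """Run (dst_mac, label) frames through the filter and return the labels of forwarded frames."""
    return [label for dst, label in frames if ntk_forwards(mode, dst, authenticated)]


# Constructed sample: one authenticated host, one unknown host, a multicast group and a broadcast.
AUTHENTICATED = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "to-authenticated-host"),
    ("00:11:22:33:44:66", "to-unknown-host"),
    ("01:00:5e:00:00:fb", "mdns-multicast"),
    (BROADCAST, "arp-broadcast"),
]

if __name__ == "__main__":
    for mode in NTK_POLICY:
        print(f"{mode!s:20} -> {apply_ntk(mode, SAMPLE_FRAMES, AUTHENTICATED)}")
```

Running the script shows that the frame to the unknown host is dropped in every NTK mode, and that only ntk-withmulticasts lets the mDNS frame out; with NTK disabled (None) all four frames are sent, matching the default described in the procedure that follows.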
Follow these steps to configure the NTK feature:
Step 1. Enter system view.
        Command: system-view
Step 2. Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
Step 3. Configure the NTK feature.
        Command: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
        Remarks: Required. By default, NTK is disabled on a port and all frames are allowed to be sent.

NOTE:
Support for the NTK feature depends on the port security mode.
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames. All subsequent frames sourced from a blocked MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specified period of time. The period can be configured with the port-security timer disableport command.
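The three actions differ in scope (one source MAC versus the whole port) and in how they recover (fixed timer, manual, configurable timer). The following added example (not the switch's implementation and not from the manual) models those differences with an explicit clock so the recovery timing can be checked offline; whether a frame is illegal is decided by the port security mode, so here the caller simply flags each frame.

```python
"""Model of the three intrusion protection actions on an HP A5120 port.

Added example, not the switch's implementation. Time is an explicit number of
seconds so the fixed three-minute blockmac interval and the configurable
disableport-temporarily timer (port-security timer disableport, 20 s by
default) can be exercised offline. Which frames are "illegal" is decided by
the port security mode; here the caller flags each frame.
"""

BLOCKMAC_SECONDS = 180  # fixed by the switch; the manual says it cannot be changed
ACTIONS = ("blockmac", "disableport", "disableport-temporarily")


class IntrusionProtection:
    def __init__(self, action: str, disableport_timer: int = 20):
        if action not in ACTIONS:
            raise ValueError(f"unknown intrusion-mode: {action}")
        self.action = action
        self.disableport_timer = disableport_timer
        self.blocked = {}            # blocked source MAC -> time the block is lifted
        self.port_up = True
        self.port_down_until = None  # None while up, or while down until a manual bring-up
        self.traps = []              # (time, mac) records, as "port-security trap intrusion" would report

    def _expire(self, now: int) -> None:
        """Lift blocks and temporary port shutdowns whose timers have run out."""
        for mac, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[mac]
        if not self.port_up and self.port_down_until is not None and now >= self.port_down_until:
            self.bring_up()

    def bring_up(self) -> None:
        """Manual bring-up of the port; the only way out of the disableport action."""
        self.port_up = True
        self.port_down_until = None

    def handle_frame(self, src_mac: str, legal: bool, now: int) -> str:
        """Return 'forward' or 'drop' for one inbound frame seen at time `now` (seconds)."""
        self._expire(now)
        mac = src_mac.lower()
        if not self.port_up or mac in self.blocked:
            return "drop"
        if legal:
            return "forward"
        # Illegal frame: record the trap and apply the configured action.
        self.traps.append((now, mac))
        if self.action == "blockmac":
            self.blocked[mac] = now + BLOCKMAC_SECONDS
        elif self.action == "disableport":
            self.port_up, self.port_down_until = False, None
        else:  # disableport-temporarily
            self.port_up, self.port_down_until = False, now + self.disableport_timer
        return "drop"


if __name__ == "__main__":
    # Constructed walk-through: one offending host, one legitimate host on the same port.
    for action in ACTIONS:
        ip = IntrusionProtection(action, disableport_timer=30)
        ip.handle_frame("aa:bb:cc:00:00:01", legal=False, now=0)
        print(action, ip.handle_frame("aa:bb:cc:00:00:02", legal=True, now=10),
              ip.handle_frame("aa:bb:cc:00:00:02", legal=True, now=200))
```

The walk-through makes the operational trade-off visible: blockmac affects only the offending MAC, so the legitimate host keeps working, while both disableport variants take the whole port down and the permanent variant stays down until someone intervenes.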
Follow these steps to configure the intrusion protection feature:
Step 1. Enter system view.
        Command: system-view
Step 2. Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
Step 3. Configure the intrusion protection feature.
        Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
        Remarks: Required. By default, intrusion protection is disabled.
Step 4. Return to system view.
        Command: quit
Step 5. Set the silence timeout period during which a port remains disabled.
        Command: port-security timer disableport time-value
        Remarks: Optional. 20 seconds by default.

NOTE:
On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
Configuring port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure/successful 802.1X authentication/802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure/MAC authentication user logon/MAC authentication user logoff.
• intrusion—Detection of illegal frames.
Follow these steps to enable port security traps:
Step 1. Enter system view.
        Command: system-view
Step 2. Enable port security traps.
        Command: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
        Remarks: Required. By default, port security traps are disabled.
     
Configuring secure MAC addresses
Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN.
Secure MAC addresses fall into static secure MAC addresses and sticky MAC addresses.
Static secure MAC addresses are manually configured at the command line or in the MIB in autoLearn mode. No aging mechanism is available for this type of MAC address. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
Sticky MAC addresses include dynamic secure MAC addresses manually configured, at the command line interface or in the MIB, and dynamic secure MAC addresses learned by a port in autoLearn mode. These MAC addresses are sticky because unlike normal dynamic MAC addresses, they can survive link down/up events, and once saved, can survive a device reboot.
By default, sticky MAC addresses do not age out. You can use the port-security timer autolearn aging command to set an aging timer for sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed. This aging mechanism prevents the unauthorized use of a sticky MAC address when the authorized user is offline, and removes outdated secure MAC addresses so new secure MAC addresses can be learned.
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured with the mac-address dynamic or mac-address static command to pass through.
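The autoLearn and secure modes described under "Control MAC address learning" and the secure MAC address handling described in this section are one state machine: sticky learning up to the limit, a transition to secure mode, and aging that frees entries. The following added example (not the switch's implementation and not from the manual) models that machine for both passages. Two readings are labelled as assumptions in the code: entries added with mac-address static or mac-address dynamic are allowed through but not counted as secure, and once aging brings the count back under the limit the port learns again (the manual says aging frees entries "so new secure MAC addresses can be learned" without naming the mode change).

```python
"""Model of secure MAC address handling on an HP A5120 port in autoLearn mode.

Added example, not the switch's implementation. It follows the manual's
description: sticky addresses are learned until port-security max-mac-count
is reached, at which point the port moves to secure mode; static secure
addresses (port-security mac-address security, non-sticky) count toward the
limit and never age; sticky addresses age out only when
port-security timer autolearn aging is set (minutes). Two assumptions are
labelled below: entries added with mac-address static/dynamic are allowed but
not counted as secure, and once aging brings the count back under the limit
the port learns again.
"""


class AutoLearnPort:
    def __init__(self, max_mac_count: int, sticky_aging_minutes=None):
        self.max_mac_count = max_mac_count
        self.aging = sticky_aging_minutes   # None: sticky addresses never age out (the default)
        self.static = set()                 # static secure MAC addresses: counted, never age
        self.sticky = {}                    # sticky MAC -> time learned (minutes)
        self.manual = set()                 # mac-address static/dynamic entries (assumption: not counted)
        self.mode = "autoLearn"

    def secure_count(self) -> int:
        """Secure MAC addresses are the static secure and sticky entries together."""
        return len(self.static) + len(self.sticky)

    def add_static_secure(self, mac: str) -> None:
        """port-security mac-address security (without the sticky keyword)."""
        if self.mode == "secure":
            raise ValueError("limit reached: no more secure MAC addresses can be added")
        self.static.add(mac.lower())
        if self.secure_count() >= self.max_mac_count:
            self.mode = "secure"

    def add_manual(self, mac: str) -> None:
        """mac-address static / mac-address dynamic entry for the port."""
        self.manual.add(mac.lower())

    def _age_out(self, now: int) -> None:
        """Remove sticky entries older than the aging timer; static entries are untouched."""
        if self.aging is None:
            return
        for mac, learned_at in list(self.sticky.items()):
            if now - learned_at >= self.aging:
                del self.sticky[mac]
        if self.secure_count() < self.max_mac_count:
            self.mode = "autoLearn"   # assumption: freed entries let the port learn again

    def receive(self, src_mac: str, now: int = 0) -> str:
        """Handle one inbound frame; return 'forward', 'learned' or 'illegal'."""
        self._age_out(now)
        mac = src_mac.lower()
        if mac in self.static or mac in self.sticky or mac in self.manual:
            return "forward"
        if self.mode == "secure":
            return "illegal"          # would trigger the NTK/intrusion protection/trap actions
        self.sticky[mac] = now        # learned addresses become sticky secure entries
        if self.secure_count() >= self.max_mac_count:
            self.mode = "secure"
        return "learned"


if __name__ == "__main__":
    # Constructed walk-through of this chapter's configuration example: 64 entries, 30-minute aging.
    port = AutoLearnPort(max_mac_count=64, sticky_aging_minutes=30)
    for i in range(64):
        port.receive(f"00:00:5e:00:00:{i:02x}", now=0)
    print(port.mode, port.receive("00:00:5e:00:00:ff", now=1))
    print(port.mode, port.receive("00:00:5e:00:00:ff", now=31))
```

The walk-through reproduces the chapter's configuration example: after 64 learned hosts the 65th is illegal, and once the 30-minute timer has aged the sticky entries out the port learns again. On a real port that illegal frame is where the intrusion protection action and the intrusion trap fire.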
Configuration prerequisites
• Enable port security.
• Set port security’s limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode.
• Set the port security mode to autoLearn.
Configuration procedure
Follow these steps to configure a secure MAC address:
Step 1. Enter system view.
        Command: system-view
Step 2. Set the sticky MAC aging timer.
        Command: port-security timer autolearn aging time-value
        Remarks: Optional. By default, sticky MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
Step 3. Configure a secure MAC address, using either approach.
        In system view:
        Command: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
        In Layer 2 Ethernet interface view:
        Commands: interface interface-type interface-number
                  port-security mac-address security [ sticky ] mac-address vlan vlan-id
        Remarks: Required. No secure MAC address is configured by default.
     
Ignoring authorization information from the server
The authorization information is delivered by the RADIUS server to the device after an 802.1X user or MAC authenticated user passes RADIUS authentication. You can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
Step 1. Enter system view.
        Command: system-view
Step 2. Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
Step 3. Ignore the authorization information from the RADIUS server.
        Command: port-security authorization ignore
        Remarks: Required. By default, a port uses the authorization information from the RADIUS server.
     
Displaying and maintaining port security
Display port security configuration information, operation information, and statistics about one or more ports or all ports:
    display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
    Available in any view
Display information about secure MAC addresses:
    display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
    Available in any view
Display information about blocked MAC addresses:
    display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
    Available in any view
     
Port security configuration examples
Configuring the autoLearn mode
Network requirements
Configure port GigabitEthernet 1/0/1 on the switch:
• Allow up to 64 users on the port without authentication.
• Permit the port to learn and add the MAC addresses as sticky MAC addresses, and set the sticky MAC aging timer to 30 minutes.
• After the number of secure MAC addresses reaches 64, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.
Figure 47 Network diagram for configuring the autoLearn mode
(Figure not reproduced. Labels recovered from the diagram: Host, Switch, Internet, port GE1/0/1, address 192.168.1.1/24.)

Configuration procedure
1. Configure port security.
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Set the sticky MAC aging timer to 30 minutes.
[Switch] port-security timer autolearn aging 30
# Enable port security traps for intrusion protection.
[Switch] port-security trap intrusion
[Switch] interface gigabitethernet 1/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.