HP A 5120 Manual

    151 
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn 
    # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.  
    [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily 
    [Switch-GigabitEthernet1/0/1] quit 
    [Switch] port-security timer disableport 30 
    2. Verify the configuration. 
After completing the configurations, use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
     Equipment port-security is enabled 
     Intrusion trap is enabled 
     AutoLearn aging time is 30 minutes 
     Disableport Timeout: 30s 
     OUI value: 
     
    GigabitEthernet1/0/1 is link-up 
       Port mode is autoLearn 
       NeedToKnow mode is disabled 
       Intrusion Protection mode is DisablePortTemporarily 
       Max MAC address number is 64 
       Stored MAC address number is 0 
       Authorization is permitted 
As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the port security trap for intrusion protection is enabled, and the intrusion protection action is to disable the port (DisablePortTemporarily) for 30 seconds.
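The paragraph above reads the display output by eye. The following Python script is an added example, not part of the manual or HP's software: it parses the text of a display port-security interface output and audits it against the settings this worked example expects (autoLearn, DisablePortTemporarily, 64 MAC addresses, 30 second timeout). The field names, the EXPECTED policy table and the audit_port_security function are this example's own; the two sample outputs are the manual's text pasted in as constructed input, not captured from a switch.

```python
import re

# Constructed sample: the "display port-security interface" output shown
# in the manual, pasted here as text (not captured from a live switch).
SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 Intrusion trap is enabled
 AutoLearn aging time is 30 minutes
 Disableport Timeout: 30s
 OUI value:

GigabitEthernet1/0/1 is link-up
   Port mode is autoLearn
   NeedToKnow mode is disabled
   Intrusion Protection mode is DisablePortTemporarily
   Max MAC address number is 64
   Stored MAC address number is 0
   Authorization is permitted
"""

# A second constructed sample with the weaker settings that appear later
# on the page: trap off, no intrusion action, no MAC limit.
SAMPLE_WEAK = """\
 Equipment port-security is enabled
 Trap is disabled
 Disableport Timeout: 20s
 OUI value:

GigabitEthernet1/0/1 is link-up
   Port mode is userLoginWithOUI
   NeedToKnow mode is disabled
   Intrusion Protection mode is NoAction
   Max MAC address number is not configured
   Stored MAC address number is 0
   Authorization is permitted
"""

# Key names are this script's own; the patterns follow the wording of the
# display output shown on the page.
_PATTERNS = {
    "port_security_enabled": re.compile(r"Equipment port-security is (\w+)"),
    "intrusion_trap": re.compile(r"Intrusion trap is (\w+)"),
    "disableport_timeout_s": re.compile(r"Disableport Timeout: (\d+)s"),
    "port_mode": re.compile(r"Port mode is (\S+)"),
    "intrusion_mode": re.compile(r"Intrusion Protection mode is (\S+)"),
    "max_mac": re.compile(r"Max MAC address number is (\S+(?: configured)?)"),
    "stored_mac": re.compile(r"Stored MAC address number is (\d+)"),
}


def parse_port_security(text):
    """Pull the fields of interest into a dict; fields absent from the output stay absent."""
    fields = {}
    for key, pat in _PATTERNS.items():
        m = pat.search(text)
        if m:
            fields[key] = m.group(1)
    # Numeric fields become ints; "not configured" stays a string.
    for key in ("disableport_timeout_s", "stored_mac", "max_mac"):
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    return fields


# The settings the worked example above expects on an autoLearn access port.
EXPECTED = {
    "port_mode": "autoLearn",
    "intrusion_mode": "DisablePortTemporarily",
    "max_mac": 64,
    "disableport_timeout_s": 30,
}


def audit_port_security(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the port matches policy."""
    f = parse_port_security(text)
    findings = []
    if f.get("port_security_enabled") != "enabled":
        findings.append("port security is not enabled on the device")
    if f.get("intrusion_trap") != "enabled":
        findings.append("intrusion trap is not enabled: violations will not be reported")
    for key, want in expected.items():
        got = f.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("example port", SAMPLE_OUTPUT), ("weak port", SAMPLE_WEAK)):
        print(name, audit_port_security(text) or "OK")
```

Run against the manual's own output the audit returns no findings; run against the weaker sample it reports the disabled trap, the NoAction intrusion mode, the missing MAC limit and the differing mode and timeout, which is the kind of drift an access-port baseline check is meant to catch.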
You can also use the command above repeatedly to track the number of MAC addresses learned by the port, or use the display this command in interface view to display the secure MAC addresses learned:
<Switch> system-view
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] display this 
    # 
    interface GigabitEthernet1/0/1 
     port-security max-mac-count 64 
     port-security port-mode autolearn 
     port-security mac-address security sticky 0002-0000-0015 vlan 1 
     port-security mac-address security sticky 0002-0000-0014 vlan 1 
     port-security mac-address security sticky 0002-0000-0013 vlan 1 
     port-security mac-address security sticky 0002-0000-0012 vlan 1 
     port-security mac-address security sticky 0002-0000-0011 vlan 1 
    # 
If you issue the display port-security interface command after the number of MAC addresses learned by the port reaches 64, you will see that the port security mode has changed to secure. When a frame with a new MAC address then arrives, intrusion protection is triggered and you will see traps:
    #Jan 14 10:39:47:135 2011 Switch PORTSEC/4/VIOLATION:TraphpSecureViolation 
     An intrusion occurs! 
     IfIndex: 9437185  
     Port: 9437185 
     MAC Addr: 00:02:00:00:00:32 
     VLAN ID: 1 
     IfAdminStatus: 1 
In addition, you will see that the port security feature has disabled the port if you issue the following command:
    [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 
     GigabitEthernet1/0/1 current state:  Port Security Disabled 
     IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558 
     Description: GigabitEthernet1/0/1 Interface 
     ...... 
    The port should be re-enabled 30 seconds later.  
    [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 
     GigabitEthernet1/0/1 current state: UP 
     IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558 
     Description: GigabitEthernet1/0/1 Interface 
     ...... 
If you manually delete several secure MAC addresses, the port security mode of the port will be restored to autoLearn, and the port will be able to learn MAC addresses again.
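The PORTSEC/4/VIOLATION trap shown above is the signal a monitoring system should pick up. The following Python script is an added example, not part of the manual or HP's software: it parses traps of that shape from a log file, normalizes the reported MAC address to Comware's hhhh-hhhh-hhhh form, and raises an alert when one port reports violations from several distinct MAC addresses within a short window, which distinguishes a single misplaced host from a port that is being probed with many addresses. The parse_traps and burst_alerts functions and the window and threshold values are this example's own; the sample log is the manual's trap plus two constructed traps of the same shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the trap from the manual plus two more of the
# same shape (made up here) from the same port a few seconds later.
SAMPLE_LOG = """\
#Jan 14 10:39:47:135 2011 Switch PORTSEC/4/VIOLATION:TraphpSecureViolation
 An intrusion occurs!
 IfIndex: 9437185
 Port: 9437185
 MAC Addr: 00:02:00:00:00:32
 VLAN ID: 1
 IfAdminStatus: 1
#Jan 14 10:39:49:002 2011 Switch PORTSEC/4/VIOLATION:TraphpSecureViolation
 An intrusion occurs!
 IfIndex: 9437185
 Port: 9437185
 MAC Addr: 00:02:00:00:00:33
 VLAN ID: 1
 IfAdminStatus: 1
#Jan 14 10:39:51:420 2011 Switch PORTSEC/4/VIOLATION:TraphpSecureViolation
 An intrusion occurs!
 IfIndex: 9437185
 Port: 9437185
 MAC Addr: 00:02:00:00:00:34
 VLAN ID: 1
 IfAdminStatus: 1
"""

# Header line: "#<timestamp> <host> <module>/<severity>/<mnemonic>:..."
_HEADER = re.compile(
    r"^#(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+):"
)
# Indented "Key: value" lines that follow the header.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>\S+)\s*$")


def normalize_mac(mac):
    """Render any common MAC form as Comware's hhhh-hhhh-hhhh."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_traps(text):
    """Return one dict per PORTSEC/VIOLATION trap; other messages are skipped."""
    events = []
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = None
            if m["module"] == "PORTSEC" and m["mnemonic"] == "VIOLATION":
                current = {
                    "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S:%f %Y"),
                    "host": m["host"],
                    "severity": int(m["severity"]),
                }
                events.append(current)
            continue
        f = _FIELD.match(line)
        if current is not None and f:
            key, value = f["key"].strip(), f["value"]
            if key == "MAC Addr":
                current["mac"] = normalize_mac(value)
            elif key == "Port":
                current["port"] = int(value)
            elif key == "VLAN ID":
                current["vlan"] = int(value)
            elif key == "IfIndex":
                current["ifindex"] = int(value)
    return events


def burst_alerts(events, window=timedelta(seconds=60), threshold=3):
    """Flag ports that see violations from >= threshold distinct MACs inside one window."""
    by_port = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_port[e["port"]].append(e)
    alerts = []
    for port, evs in by_port.items():
        for i, e in enumerate(evs):
            inside = [x for x in evs[i:] if x["time"] - e["time"] <= window]
            macs = {x["mac"] for x in inside}
            if len(macs) >= threshold:
                alerts.append({"host": e["host"], "port": port, "distinct_macs": len(macs),
                               "first": e["time"], "last": inside[-1]["time"]})
                break  # one alert per port is enough
    return alerts


if __name__ == "__main__":
    for a in burst_alerts(parse_traps(SAMPLE_LOG)):
        print(f"{a['host']} port {a['port']}: {a['distinct_macs']} MACs "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

A single violation is usually a cabling or provisioning mistake and the DisablePortTemporarily action already handles it; the burst rule exists to surface the case the timer alone hides, a port that keeps tripping after each 30 second re-enable.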
    Configuring the userLoginWithOUI mode 
    Network requirements 
As shown in Figure 48, a client is connected to the switch through port GigabitEthernet 1/0/1. The switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
• The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server, and the RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and that for accounting is money.
• All users use the default authentication, authorization, and accounting methods of ISP domain sun, which can accommodate up to 30 users.
• The RADIUS server response timeout time is five seconds and the maximum number of RADIUS packet retransmission attempts is five. The switch sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends usernames without domain names to the RADIUS server.
Configure port GigabitEthernet 1/0/1 of the switch to:
• Allow only one 802.1X user to be authenticated.
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
Figure 48 Network diagram for configuring the userLoginWithOUI mode
[Figure not reproduced: Host connected to the switch on GE1/0/1; Switch (192.168.1.1/24) connected to the Internet; authentication servers 192.168.1.2/24 and 192.168.1.3/24]
Configuration procedure

NOTE:
• The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, see the chapter “AAA configuration commands.”
• Configurations on the host and RADIUS servers are not shown.
    1. Configure the RADIUS protocol. 
    # Configure a RADIUS scheme named radsun. 
<Switch> system-view
    [Switch] radius scheme radsun 
    [Switch-radius-radsun] primary authentication 192.168.1.2 
    [Switch-radius-radsun] primary accounting 192.168.1.3 
    [Switch-radius-radsun] secondary authentication 192.168.1.3 
    [Switch-radius-radsun] secondary accounting 192.168.1.2 
    [Switch-radius-radsun] key authentication name 
    [Switch-radius-radsun] key accounting money 
    [Switch-radius-radsun] timer response-timeout 5 
    [Switch-radius-radsun] retry 5 
    [Switch-radius-radsun] timer realtime-accounting 15 
    [Switch-radius-radsun] user-name-format without-domain 
    [Switch-radius-radsun] quit 
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users.
    [Switch] domain sun 
    [Switch-isp-sun] authentication default radius-scheme radsun 
    [Switch-isp-sun] authorization default radius-scheme radsun 
    [Switch-isp-sun] accounting default radius-scheme radsun 
    [Switch-isp-sun] access-limit enable 30 
    [Switch-isp-sun] quit  
    2. Configure 802.1X. 
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
    [Switch] dot1x authentication-method chap 
3. Configure port security.
    # Enable port security. 
    [Switch] port-security enable 
    # Add five OUI values.  
    [Switch] port-security oui 1234-0100-1111 index 1 
    [Switch] port-security oui 1234-0200-1111 index 2 
    [Switch] port-security oui 1234-0300-1111 index 3 
    [Switch] port-security oui 1234-0400-1111 index 4 
    [Switch] port-security oui 1234-0500-1111 index 5 
    [Switch] interface gigabitethernet 1/0/1 
    # Set the port security mode to userLoginWithOUI. 
    [Switch-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui 
    4. Verify the configuration. 
After completing the configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
<Switch> display radius scheme radsun
    SchemeName  : radsun 
      Index : 1                            Type : standard 
      Primary Auth Server: 
        IP: 192.168.1.2                              Port: 1812   State: active 
        Encryption Key : N/A 
      Primary Acct Server: 
        IP: 192.168.1.3                              Port: 1813   State: active 
        Encryption Key : N/A 
      Second Auth Server: 
        IP: 192.168.1.3                              Port: 1812   State: active 
        Encryption Key : N/A 
      Second Acct Server: 
        IP: 192.168.1.2                              Port: 1813   State: active 
        Encryption Key : N/A 
      Auth Server Encryption Key : name 
      Acct Server Encryption Key : money 
      Accounting-On packet disable, send times : 5 , interval : 3s 
      Interval for timeout(second)                            : 5 
      Retransmission times for timeout                        : 5 
      Interval for realtime accounting(minute)                : 15 
      Retransmission times of realtime-accounting packet      : 5 
      Retransmission times of stop-accounting packet          : 500 
      Quiet-interval(min)                                     : 5 
      Username format                                         : without-domain 
      Data flow unit                                          : Byte 
      Packet unit                                             : one 
Use the following command to view the configuration information of the ISP domain named sun:
<Switch> display domain sun
       Domain : sun 
       State : Active 
       Access-limit : 30  
       Accounting method : Required 
       Default authentication scheme      : radius:radsun 
       Default authorization scheme       : radius:radsun 
       Default accounting scheme          : radius:radsun 
       Domain User Template: 
       Idle-cut : Disabled 
       Self-service : Disabled 
       Authorization attributes: 
Use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
     Equipment port-security is enabled 
     Trap is disabled 
     Disableport Timeout: 20s 
     OUI value: 
       Index is 1,  OUI value is 123401 
       Index is 2,  OUI value is 123402 
       Index is 3,  OUI value is 123403 
       Index is 4,  OUI value is 123404 
       Index is 5,  OUI value is 123405 
     
     GigabitEthernet1/0/1 is link-up 
       Port mode is userLoginWithOUI 
       NeedToKnow mode is disabled 
       Intrusion Protection mode is NoAction 
       Max MAC address number is not configured 
       Stored MAC address number is 0 
       Authorization is permitted 
After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X:
<Switch> display dot1x interface gigabitethernet 1/0/1
     Equipment 802.1X protocol is enabled 
     CHAP authentication is enabled 
     EAD quick deploy is disabled 
     
      Configuration: Transmit Period   30 s,  Handshake Period       15 s 
                      Quiet Period      60 s,  Quiet Period Timer is disabled 
                      Supp Timeout      30 s,  Server Timeout        100 s 
                      Reauth Period   3600 s 
                      The maximal retransmitting times    2 
      EAD quick deploy configuration: 
                    EAD timeout:    30m 
     
     The maximum 802.1X user resource number is 1024 per slot 
     Total current used 802.1X resource number is 1 
     
     GigabitEthernet1/0/1  is link-up 
       802.1X protocol is enabled  
       Handshake is enabled 
       Handshake secure is disabled 
       802.1X unicast-trigger is enabled 
       Periodic reauthentication is disabled 
       The port is an authenticator 
       Authentication Mode is Auto 
       Port Control Type is Mac-based 
       802.1X Multicast-trigger is enabled 
       Mandatory authentication domain: NOT configured 
       Guest VLAN: NOT configured 
       Auth-Fail VLAN: NOT configured 
       Max number of on-line users is 256 
     
       EAPOL Packet: Tx 16331, Rx 102 
       Sent EAP Request/Identity Packets : 16316 
            EAP Request/Challenge Packets: 6 
            EAP Success Packets: 4, Fail Packets: 5 
       Received EAPOL Start Packets : 6 
                EAPOL LogOff Packets: 2 
                EAP Response/Identity Packets : 80 
                EAP Response/Challenge Packets: 6 
                Error Packets: 0 
     1. Authenticated user : MAC address: 0002-0000-0011 
     
       Controlled User(s) amount to 1 
In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. You can use the following command to view the related information:
<Switch> display mac-address interface gigabitethernet 1/0/1
    MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s) 
    1234-0300-0011  1         Learned        GigabitEthernet1/0/1       AGING 
     
      ---  1 mac address(es) found  --- 
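The configuration above adds OUI entries as full MAC addresses (1234-0100-1111), the display output shows them as six hex digits (123401), and the MAC address table shows which learned address was let through (1234-0300-0011, matching index 3). The following Python script is an added example, not part of the manual or HP's software, that makes the relationship explicit: it parses port-security oui lines, derives the 24-bit OUI the switch keeps, tells which index a given MAC matches, and applies the admission rule this example configures (one OUI-matched terminal besides the 802.1X user). The parse_oui_config, matching_oui_index and classify_terminals functions are this example's own; the OUI_CONFIG text is the manual's five commands written out as constructed input.

```python
import re

# Constructed input: the five "port-security oui" lines from the manual as
# they would appear in the running configuration (written here, not captured).
OUI_CONFIG = """\
port-security oui 1234-0100-1111 index 1
port-security oui 1234-0200-1111 index 2
port-security oui 1234-0300-1111 index 3
port-security oui 1234-0400-1111 index 4
port-security oui 1234-0500-1111 index 5
"""

_OUI_LINE = re.compile(r"port-security oui (\S+) index (\d+)")
MAX_OUI_ENTRIES = 16  # the limit stated in the network requirements above


def mac_hex(mac):
    """Strip separators from any common MAC form and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def oui_of(mac):
    """The OUI is the first 24 bits (6 hex digits) of the address; the switch
    keeps only those, which is why 1234-0100-1111 displays as 123401."""
    return mac_hex(mac)[:6]


def parse_oui_config(text):
    """Map index -> OUI, rejecting duplicate indexes and more than 16 entries."""
    table = {}
    for m in _OUI_LINE.finditer(text):
        idx = int(m.group(2))
        if idx in table:
            raise ValueError(f"duplicate OUI index {idx}")
        table[idx] = oui_of(m.group(1))
    if len(table) > MAX_OUI_ENTRIES:
        raise ValueError(f"more than {MAX_OUI_ENTRIES} OUI entries")
    return table


def matching_oui_index(mac, table):
    """Return the index whose OUI matches the MAC, or None if no entry matches."""
    o = oui_of(mac)
    for idx, oui in sorted(table.items()):
        if oui == o:
            return idx
    return None


def classify_terminals(macs, table):
    """Apply the page's rule for terminals other than the 802.1X user, in
    arrival order: one terminal whose OUI is in the table is admitted,
    every other terminal is not."""
    admitted, rejected = [], []
    for mac in macs:
        if not admitted and matching_oui_index(mac, table) is not None:
            admitted.append(mac)
        else:
            rejected.append(mac)
    return admitted, rejected


if __name__ == "__main__":
    table = parse_oui_config(OUI_CONFIG)
    for idx, oui in sorted(table.items()):
        print(f"Index is {idx},  OUI value is {oui}")
    # Constructed arrivals: the learned address from the manual, a second
    # OUI-matched terminal, and one with an unlisted OUI.
    print(classify_terminals(["1234-0300-0011", "1234-0400-0022", "0002-0000-0099"], table))
```

Because only the vendor prefix is checked, an OUI entry is a convenience for printers and IP phones that cannot run 802.1X, not an authentication of the device; the table should stay as short as the site really needs.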
    Configuring the macAddressElseUserLoginSecure mode 
    Network requirements 
As shown in Figure 48, a client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the switch:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
• Set fixed username and password for MAC authentication. Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
• Enable NTK to prevent frames from being sent to unknown MAC addresses.
Configuration procedure

NOTE:
Configurations on the host and RADIUS servers are not shown.
    1. Configure the RADIUS protocol. 
The required RADIUS authentication/accounting configurations and ISP domain configurations are the same as those in Configuring the userLoginWithOUI mode.
    2. Configure port security. 
    # Enable port security. 
<Switch> system-view
    [Switch] port-security enable 
# Configure a MAC authentication user, setting the username and password to aaa and 123456 respectively.
    [Switch] mac-authentication user-name-format fixed account aaa password simple 123456 
    # Specify ISP domain sun for MAC authentication. 
    [Switch] mac-authentication domain sun 
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
    [Switch] dot1x authentication-method chap 
    # Set the maximum number of secure MAC addresses allowed on the port to 64. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 
    # Set the port security mode to macAddressElseUserLoginSecure.  
    [Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure 
    # Set the NTK mode of the port to ntkonly. 
    [Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly 
    3. Verify the configuration. 
After completing the configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
     Equipment port-security is enabled 
     Trap is disabled 
     AutoLearn aging time is 30 minutes 
    Disableport Timeout: 20s 
     OUI value: 
     
     GigabitEthernet1/0/1 is link-up 
       Port mode is macAddressElseUserLoginSecure 
       NeedToKnow mode is NeedToKnowOnly 
       Intrusion Protection mode is NoAction 
       Max MAC address number is 64 
       Stored MAC address number is 0 
       Authorization is permitted  
     
Use the following command to view MAC authentication information:
<Switch> display mac-authentication interface gigabitethernet 1/0/1
    MAC address authentication is enabled. 
     User name format is fixed account 
     Fixed username:aaa 
     Fixed password:123456 
              Offline detect period is 60s 
              Quiet period is 5s 
              Server response timeout value is 100s 
              The max allowed user number is 1024 per slot 
              Current user number amounts to 3 
              Current domain is mac 
     
    Silent MAC User info: 
              MAC Addr         From Port                    Port Index 
     
    GigabitEthernet1/0/1 is link-up 
      MAC address authentication is enabled 
      Authenticate success: 3, failed: 7 
     Max number of on-line users is 256 
      Current online user number is 3 
        MAC ADDR         Authenticate state           Auth Index 
        1234-0300-0011   MAC_AUTHENTICATOR_SUCCESS     13 
        1234-0300-0012   MAC_AUTHENTICATOR_SUCCESS     14 
        1234-0300-0013   MAC_AUTHENTICATOR_SUCCESS     15 
     
Use the following command to view 802.1X authentication information:
<Switch> display dot1x interface gigabitethernet 1/0/1
     Equipment 802.1X protocol is enabled 
     CHAP authentication is enabled 
     EAD quick deploy is disabled 
     
     Configuration: Transmit Period   30 s,  Handshake Period       15 s 
                    Quiet Period      60 s,  Quiet Period Timer is disabled 
                    Supp Timeout      30 s,  Server Timeout        100 s 
                    The maximal retransmitting times    2 
     EAD quick deploy configuration: 
                    EAD timeout:    30m 
     
     Total maximum 802.1X user resource number is 1024 per slot 
     Total current used 802.1X resource number is 1 
     
    GigabitEthernet1/0/1  is link-up 
       802.1X protocol is enabled 
       Handshake is enabled 
       Handshake secure is disabled  
       802.1X unicast-trigger is enabled 
       Periodic reauthentication is disabled 
       The port is an authenticator 
       Authentication Mode is Auto 
       Port Control Type is Mac-based 
       802.1X Multicast-trigger is enabled 
       Mandatory authentication domain: NOT configured 
       Guest VLAN: NOT configured 
       Auth-Fail VLAN: NOT configured 
       Max number of on-line users is 256 
     
       EAPOL Packet: Tx 16331, Rx 102 
       Sent EAP Request/Identity Packets : 16316 
            EAP Request/Challenge Packets: 6 
            EAP Success Packets: 4, Fail Packets: 5 
       Received EAPOL Start Packets : 6 
                EAPOL LogOff Packets: 2 
                EAP Response/Identity Packets : 80 
                EAP Response/Challenge Packets: 6 
                Error Packets: 0 
     1. Authenticated user : MAC address: 0002-0000-0011 
     
       Controlled User(s) amount to 1 
In addition, as NTK is enabled, frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses should be discarded.
    Troubleshooting port security 
    Cannot set the port security mode 
    Symptom 
    Cannot set the port security mode. 
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn 
     Error:When we change port-mode, we should first change it to noRestrictions, then change 
    it to the other. 
    Analysis 
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
    Solution 
    Set the port security mode to noRestrictions first. 
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode 
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn  
    Cannot configure secure MAC addresses 
    Symptom 
    Cannot configure secure MAC addresses. 
    [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 
    Error: Security MAC address configuration failed. 
    Analysis 
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
    Solution  
    Set the port security mode to autoLearn.  
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode 
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn 
    [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 
    Cannot change port security mode when a user is online 
    Symptom 
Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
[Switch-GigabitEthernet1/0/1] undo port-security port-mode
 Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet1/0/1.
    Analysis 
Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
    Solution 
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
    [Switch-GigabitEthernet1/0/1] quit 
    [Switch] cut connection interface gigabitethernet 1/0/1 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode  
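The three troubleshooting cases above are ordering rules that any change script has to respect: return to noRestrictions before selecting a new mode, configure secure MAC addresses only in autoLearn, and cut online users before changing the mode. The following Python model is an added example, not part of the manual or HP's software: it replays a list of port-security commands against a minimal model of one port and reports the rejections the switch would give, so a script can be checked before it is pasted into a session. The PortState class, the MODE_NAMES table and the dry_run function are this example's own, and the model covers only the three rules documented here.

```python
import copy

# Display names for the port-mode keywords that appear on this page.
MODE_NAMES = {
    "autolearn": "autoLearn",
    "userlogin-withoui": "userLoginWithOUI",
    "mac-else-userlogin-secure": "macAddressElseUserLoginSecure",
}


class PortSecurityError(Exception):
    """Raised with the switch's own error wording where the page shows it."""


class PortState:
    """Minimal model of one port: mode, online users, MAC limit, secure MACs.
    Assumption: nothing beyond the three documented rules is modelled."""

    def __init__(self, mode="noRestrictions", online_users=0, max_mac=None):
        self.mode = mode
        self.online_users = online_users
        self.max_mac = max_mac
        self.secure_macs = []


def apply_command(state, command):
    """Apply one command to the model, raising PortSecurityError where the switch would."""
    toks = command.split()
    if toks[:3] == ["undo", "port-security", "port-mode"]:
        if state.online_users:
            raise PortSecurityError("Cannot configure port-security for there is 802.1X user(s) on line")
        state.mode = "noRestrictions"
    elif toks[:2] == ["port-security", "port-mode"]:
        if state.online_users:
            raise PortSecurityError("Cannot configure port-security for there is 802.1X user(s) on line")
        if state.mode != "noRestrictions":
            raise PortSecurityError("When we change port-mode, we should first change it to noRestrictions")
        state.mode = MODE_NAMES.get(toks[2], toks[2])
    elif toks[:2] == ["port-security", "max-mac-count"]:
        state.max_mac = int(toks[2])
    elif toks[:3] == ["port-security", "mac-address", "security"]:
        if state.mode != "autoLearn":
            raise PortSecurityError("Security MAC address configuration failed")
        state.secure_macs.append(toks[3])
    elif toks[:2] == ["cut", "connection"]:
        state.online_users = 0  # forcibly disconnects the port's users
    else:
        raise PortSecurityError(f"command not modelled: {command}")


def dry_run(commands, state):
    """Replay commands on a copy of state; return (errors, final_state).
    A rejected command is recorded and the replay continues, as on the switch."""
    state = copy.deepcopy(state)
    errors = []
    for cmd in commands:
        try:
            apply_command(state, cmd)
        except PortSecurityError as e:
            errors.append((cmd, str(e)))
    return errors, state


if __name__ == "__main__":
    # The second troubleshooting case and its documented solution.
    start = PortState(mode="userLoginWithOUI")
    print(dry_run(["port-security mac-address security 1-1-2 vlan 1"], start)[0])
    fix = ["undo port-security port-mode", "port-security max-mac-count 64",
           "port-security port-mode autolearn",
           "port-security mac-address security 1-1-2 vlan 1"]
    errors, final = dry_run(fix, start)
    print(errors, final.mode, final.secure_macs)
```

The replay is deliberately strict about commands it does not model, so a script that uses anything outside these few commands fails the check rather than passing silently.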