port security on Huawei switches
How do you prevent unauthorized users from connecting their PCs to an enterprise network? How do you prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?
Port Security is a Layer 2 feature that can be enabled on an interface to prevent devices with untrusted MAC addresses from accessing a switch port. When it is enabled, the MAC address of the device connected to the port is dynamically learned by the switch and stored in memory (by default it is not aged out). Only this MAC address is then allowed to forward traffic over the switch port (only one trusted MAC address is allowed by default). Every different MAC address will cause the port to go into one of the following states:
• Protect – packets coming from an untrusted MAC address will be dropped,
• Restrict – packets coming from an untrusted MAC address will be dropped and an SNMP trap message will be generated (default behavior),
• Shutdown – the port will be put into shutdown state.
Let's configure the port security feature on a switch port and see how it works.
<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable
Generate some traffic from your PC so that the switch can learn the PC's MAC address. As you can see, my PC's MAC address aabb-ccdd-eeff was dynamically learned and assigned to the GigabitEthernet 0/0/1 port.
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
aabb-ccdd-eeff 1                         GE0/0/1         security
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
Let's see what happens when a different PC, with a different MAC address, is connected to the same port.
<labnarioSW1>
Sep 18 2013 12:51:06-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1
.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEth
ernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3
:shutdown)
All the traffic coming from the second PC is dropped by the switch. Port GigabitEthernet 0/0/1 has changed its status to restrict: only the MAC address aabb-ccdd-eeff is allowed to send traffic over this port. All other traffic will be dropped and an SNMP trap message will be generated.
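The PORTSEC_ACTION_ALARM message above is what a monitoring system should pick up. The following script is an added example (not from the original post) that rejoins the 80-column console wrapping and turns each alarm into a structured event; the second alarm in the sample, for a port set to shutdown, is constructed to show the status mapping.

```python
import re

# Constructed sample: the page's alarm as the VRP console prints it (wrapped at
# 80 columns) plus a second, constructed alarm from a port set to shutdown.
SAMPLE_CONSOLE = """\
Sep 18 2013 12:51:06-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1
.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEth
ernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3
:shutdown)
Sep 18 2013 12:53:10-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1
.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (1/1) GigabitEth
ernet0/0/2 reaches the limit, and the port status is : 3. (1:restrict;2:protect;3
:shutdown)
"""

# Status codes exactly as the alarm text itself documents them.
PORT_STATUS = {"1": "restrict", "2": "protect", "3": "shutdown"}

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}")
ALARM_RE = re.compile(
    r"^(?P<ts>\S+ \d{1,2} \d{4} \S+) (?P<host>\S+) "
    r"L2IFPPI/\d+/PORTSEC_ACTION_ALARM:.*?"
    r"\((?P<cur>\d+)/(?P<max>\d+)\) (?P<ifname>\S+) reaches the limit, "
    r"and the port status is : (?P<status>\d)\."
)

def unwrap_console(text):
    """Rejoin console-wrapped lines: a new message starts with a timestamp,
    any other line is the tail of the previous message."""
    messages = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += line
    return messages

def parse_portsec_alarms(text):
    """Return one event dict per PORTSEC_ACTION_ALARM message in text."""
    events = []
    for msg in unwrap_console(text):
        m = ALARM_RE.match(msg)
        if m is None:
            continue  # some other log message on the console
        events.append({"timestamp": m["ts"], "host": m["host"],
                       "interface": m["ifname"], "mac_count": int(m["cur"]),
                       "mac_limit": int(m["max"]),
                       "action": PORT_STATUS.get(m["status"], "unknown")})
    return events
```

Events with action "shutdown" are the ones that need an operator to bring the port back up, so they are worth routing to a ticket rather than just a dashboard.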
If we want our port to go into a different state than the default restrict state, we can use one of the following options:
[labnarioSW1-GigabitEthernet0/0/1]port-security protect-action ?
  protect   Discard packets
  restrict  Discard packets and warning
  shutdown  shutdown
It is important to note that this secure MAC address, which was learned dynamically by the switch, is stored in the switch's memory and will not be aged out, but after a switch reload it will disappear from memory. To avoid this, sticky MAC addresses can be configured. This option instructs the switch to save the MAC address to the configuration file.
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky
The sticky MAC address option also allows a MAC address to be defined manually. This can be used when the PC is not actually connected to the switch port and its MAC address cannot be dynamically learned:
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky aaaa-bbbb-cccc vlan 1
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1                         GE0/0/1         sticky
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
If we want to define more than one secure MAC address (one is the default), we can use the following command:
[labnarioSW1-GigabitEthernet0/0/1]port-security max-mac-num 2
Now I can add the second secure MAC address:
[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky cccc-bbbb-aaaa vlan 1
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1                         GE0/0/1         sticky
cccc-bbbb-aaaa 1                         GE0/0/1         sticky
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2
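The "display mac-address security" output above is also the place to audit: an entry of type "security" (dynamic) disappears on reload, and any MAC not in your inventory is a device that should not be there. The following script is an added example, not part of the original post; it parses that output and compares it against a hypothetical per-port allow-list, and the third row of the sample output is constructed.

```python
import re

# Constructed sample modelled on the page's "display mac-address security"
# output: the two sticky entries from the page plus a constructed dynamic
# (security) entry on GE0/0/2, which the switch forgets on reload.
SAMPLE_OUTPUT = """\
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1                         GE0/0/1         sticky
cccc-bbbb-aaaa 1                         GE0/0/1         sticky
1234-5678-9abc 1                         GE0/0/2         security
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3
"""

# A data row: MAC, VLAN, optional extra columns, port, then the entry type.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\S+)\s+.*?"
    r"(?P<port>\S+)\s+(?P<type>security|sticky)\b"
)

def parse_secure_macs(text):
    """Return (mac, vlan, port, type) tuples for every data row in the output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["mac"], m["vlan"], m["port"], m["type"]))
    return rows

def audit_secure_macs(text, expected):
    """Compare secure MACs on each port with a hypothetical inventory allow-list
    ({port: {mac, ...}}); return a list of human-readable findings."""
    findings, seen = [], {}
    for mac, vlan, port, kind in parse_secure_macs(text):
        seen.setdefault(port, set()).add(mac)
        if mac not in expected.get(port, set()):
            findings.append(f"{port}: unexpected secure MAC {mac} (VLAN {vlan})")
        if kind == "security":
            findings.append(f"{port}: {mac} is dynamic, not sticky; lost on reload")
    for port, macs in expected.items():
        for mac in sorted(macs - seen.get(port, set())):
            findings.append(f"{port}: expected MAC {mac} is missing")
    return findings
```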
The last option of the Port Security feature is the aging time. By default, every MAC address learned dynamically and stored in switch memory as a secure MAC address will not be aged out. This default behavior can be changed and an aging time can be set using the following command:
[labnarioSW1-GigabitEthernet0/0/1]port-security aging-time 2
Keep in mind that this value represents time in minutes.