Comware

Hello,

 

I am trying to get my HP 5120 and 5500 switches setup to run port-security similar to how my Cisco switches do it. Essentialy I have a port with a data and voice VLAN, and I want to limit the max number of MAC addresses on the port to 2 (phone and PC). Any addresses over 2 should not be allowed on the network. The port should remain operational for the first 2 MACs. If the port goes down the MAC addresses learned on the port should reset (not be sticky)

 

Here is what I have put together based on the reading I have done, but curious if someone out there has a similar configuration working. What I am not getting is the clearing of the learned mac addresses once a host disconnects.

 

port-security enable

#

interface GigabitEthernet1/0/4
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
speed auto 10 100
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable

port-security max-mac-count 2

port-security port-mode autoLearn

port-security mac-address dynamic

port-security intrusion-mode blockmac
poe enable
stp edged-port enable
qos trust dscp

 

There is also a precaution listed in the documentation...

 Before enabling port security, be sure to disable 802.1x and MAC authentication globally

 

Is this something that is disabled by default or do I need to specify this in the config?

Hi jkusner,

802.1x and MAC authentication are disabled by default, so there should be no problem for you if you haven't specifically enabled them.

I'm curious to know why you're using hybrid ports for this rather than trunk ports - any particular reason?

Thanks for replying. I found out by adding

 

"port-security timer autolearn aging 2" to the global config

 

and 

"port-security mac-address aging-type inactivity" to each port

 

it seems to give me what I am looking for. This causes the learned macs to reset after 2 minutes. I will reply back with more details as I test it further.

 

In terms of the hybrid port configuration, thats a great question. I sort of inherited this port configuration and admit that I am not very familiar with these switches in general. I know in most cases we have older Cisco phones (7941 and the like) that are connected to the switchports. Is there a more optimal config we could be using on these user facing ports?

 

Hi jkusner,

 

I don't think there's anything wrong with using hybrid ports, and they should function identically to trunk ports in this scenario.  I was merely curious.

 

I'm interested to hear about your results in testing those commands.

This is how I do it:

 

On the physical interface:

 

 mac-address max-mac-count 10

On the VLAN-interface:

 

 ipv6 neighbors max-learning-num 20

This way not more than 10 mac addresses will be learned on the physical interface, when client disconnects this is reset.

 

The IPv6 stuff on the VLAN-interface is to do the same but for IPv6 (where ND is used instead of ARP).

 

The reason for why that IPv6 value is higher than the mac one is because IPv6 by design always have a link local even if it learns a global unicast address.

 

This means if you with the above mac limit expect not more than 10 clients on this interface the above value for ND is the equal (10 IPv6 clients would mean that 20 neighbours would be learned).

For IPv6 port security take a look at "SAVI", too.

 

http://www.ietf.org/proceedings/78/slides/savi-4.pdf

http://www.ietf.org/proceedings/80/slides/savi-2.pdf

 

The main drawback with SAVI is that both the network equipment along with the clients connecting to it must have support for it to work.

In my case I have solved it with one VLAN per client which is achieved thanks to Protocol-VLAN feature of HP A-series.

Example (not the full config is presented but so you get an idea):

On Access-switch:

#
vlan 100
 description R1
 protocol-vlan 0 mode ethernetii etype 0806
 protocol-vlan 4 ipv4
#
vlan 101
 description 01_CUSTOMER
 protocol-vlan 6 ipv6
#
...
#
vlan 148
 description 48_CUSTOMER
 protocol-vlan 6 ipv6
#

#
interface GigabitEthernet1/0/1
 description 01_CUSTOMER
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 broadcast-suppression pps 100
 multicast-suppression pps 100
 unicast-suppression pps 100
 undo jumboframe enable
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 100 4
 port hybrid protocol-vlan vlan 101 6
 packet-filter 3101 inbound
 packet-filter ipv6 3101 inbound
 stp disable
 undo ndp enable
 undo lldp enable
 lldp admin-status disable
 mac-address max-mac-count 10
 mac-address information enable added
 port-isolate enable
#

On router:

#
 ipv6 dhcp prefix-pool 1 prefix 2001:DB8:1234:100::/56 assign-len 64
#

#
ipv6 dhcp pool 1
 network 2001:DB8:1234:F101::/64 preferred-lifetime 3600 valid-lifetime 86400
 prefix-pool 1 preferred-lifetime 3600 valid-lifetime 86400
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
#

#
interface Vlan-interface100
 description SW1
 ipv6 address 2001:DB8:1234:F100::1/126
 ipv6 address FE80::F100:1 link-local
 ip address 192.0.2.62 255.255.255.192
 local-proxy-arp enable
#

#
interface Vlan-interface101
 description SW1_01_CUSTOMER
 ipv6 nd ra prefix 2001:DB8:1234:F101::/64 86400 3600
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 ipv6 neighbors max-learning-num 20
 ipv6 address 2001:DB8:1234:F101::1/64
 ipv6 address FE80::F101:1 link-local
 ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
#



The above gives that for IPv4 the design is (that is ethertype of the packet is identified by Protocol-VLAN and put in the correct VLAN):

All clients in SW1 are on the same VLAN (100) but port-isolate along with local-proxy-arp makes sure the clients cannot speak directly to each other (the packets must pass R1/the uplink). This way the clients are isolated against each other at L2 level but can still communicate with each other at L3 (if you wish).

While for IPv6 the design is (again, Protocol-VLAN applies its magic):

Each client is in their own VLAN (101 to 148 depending on which physical interface they are connected to). This also gives that the majority of the IPv6 security issues are now isolated away - its only equipment from the same client which exists on the same VLAN. This also gives that the client can now choose from using static ip, SLAAC or DHCPv6 (along with DHCPv6-PD when HP fixes the reported bug regarding routing is not properly updated when the internal DHCP6-server servces a PD to the client).

Like a win-win situation =)

For SAVI, the clients don´t need any support. That´s switch/DHCP magic.Did I miss something?

 

Hm, first you "port-isolate" the clients and afterwards "proxy-arp". I actually nevery tried that one. This works as expected? I really have to try out this myself...

 

I´m actually asking myself what traffic you filter with 3101 on IP/IPv6.

I once started with filtering all variants of IPv6/ICMPv6/RA  till I tried out THC...and had a "not supported by hardware" for IPv6 ACLs...

 

What do you filter on IPv4?

 

Port-isolate and local-proxy-arp has only effect on IPv4 traffic in my case (thanks to Protocol-VLAN). That is because with IPv4 all clients are on the same VLAN but port-isolate isolates them on L2 level. That is they are only allowed to speak to uplink. The switch the clients are connected to is a A5120EI.

 

Then on the uplink sits a A5820 acting as a router. The A5820 has an ip set on interface vlan 100, this ip is what the clients will use as default gateway.

 

client(s) <-> A5120 (SWx, acting L2-device) <-> A5820 (Rx, acting L3-device)

 

The local-proxy-arp will arp the mac of A5820 in case it see a request from the A5120 asking for "who has ip <clientX>". Local-proxy-arp will only proxy-arp for the range configured on the int vlan 100 (compared to a regular proxy-arp who proxy-arps for any request).

 

This way clientX at SW1 who arps for "who has ip <clientY>" will get a response from A5820 saying "I have ip <clientY>, my mac is <mac of A5820>". ClientX sends then the packets to A5820 (which it thinks is clientY), A5820 will then send the packet to the true clientY by returning the packet on the same interface. If you dont wish this you can setup an ACL to block this (and disable local-proxy-arp).

 

The ACLs on each physical interface towards the client(s) will filter based on sourceip basically.

 

For example client connected to gi 1/0/1 is only allowed to use IPv4 192.0.2.1, client on gi 1/0/2 is only allowed to use IPv4 192.0.2.2 etc (of course these ip addresses are just examples).

 

The same goes for IPv6 but here I allow the DHCP6 stuff, link local stuff with /64 mask along with the global unicast address assigned to this client (both the /64 announced through SLAAC but also the additional /56 being routed towards the client).

 

Then on the infrastructure ACLs (ACL sitting on the interfaces between switch/routers) I filter whole nets along with which ports I wish to drop. For example dropping incoming RFC1918 traffic on uplink towards Internet, along with stuff such as TCP/UDP 135-139, 445, 1900 and whatever you might dislike :-)

 

So far roughly 10% of our customers use IPv6 (intentionally or not =) while looking at the dropped packets like TCP/UDP 135-139 there are far more evil clients out on the Internet using IPv4 than using IPv6... so far at least... but this will change as more and more clients start to use IPv6.

I ended up using the below and it seems to be working:

 

interface GigabitEthernet7/0/21
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 18 tagged
port hybrid vlan 17 untagged
port hybrid pvid vlan 17
undo voice vlan mode auto
voice vlan 18 enable
speed auto 10 100
poe enable
stp edged-port enable
qos trust dscp
port-security max-mac-count 3
port-security port-mode autolearn
port-security intrusion-mode blockmac
port-security mac-address dynamic
port-security mac-address aging-type inactivity

 

However, just using something like "mac-address max-mac-count 3" sure seems easier. What are the drawbacks and advtanges of either way?

Using "mac-address max-mac-count" basically means that you limit how many mac-addresses can be learned for a particular interface. The interface will still forward traffic (both inbound and outbound) even if max-mac-count has been reached.

 

What this means is that when a frame arrives through the uplink the switch doesnt have the mac-addresses in its mac-address-table and by that the frame will be considered to be a DLF (Destination Lookup Failure). When a frame is classified as DLF it will be broadcasted on all interfaces which belongs to this particular VLAN except the interface where the frame arrived at.

 

This way the control-plane will be protected (in terms of mac-stuff) so not the whole switch will become a hub (otherwise a single host could overflow the mac-address-table with thousands or tens of thousands of mac-addresses which basically makes the switch into a hub due to the DLF stuff described above).

 

Port-security is more granular in what you can do once max-limit is reached, for example shutdown the interface for one minute or two, or permanently shutdown the interface (so an admin must login and "undo shutdown" the interface before it will restart to forward frames again).

 

If im not mistaken "mac-address max-mac-count" will also reset number of learned mac-addresses for a particular interface once the client disconnects while port-security can be configured to "never forget".

I went through the manual and came up with the following configuration should be sane if you want to use port-security automatically (that is without having to manually add/remove allowed mac-addresses):

 

System-level:
port-security enable
port-security trap
port-security timer autolearn aging 5

Interface-level:
port-security intrusion-mode blockmac
port-security mac-address aging-type inactivity
port-security mac-address dynamic
port-security max-mac-count 10
port-security ntk-mode ntkonly
port-security port-mode autolearn

 

With the following comments:

 

System-level:

 

> port-security enable

This one is needed to enable port-security, otherwise interface-level configurations regarding port-security will be ignored (as I understand it).

 

> port-security trap

To get SNMP-traps when stuff happends with port-security. You can also limit this to only get for example intrusion traps. Default is no traps so if you dont want traps then dont configure this.

 

> port-security timer autolearn aging 5

You need to configure this (the above means 5mins, which matches regular mac-address learning which is 300 seconds (= 5mins)) if you want the "aging-type inactivity" to function, unless I misunderstood these lines from the manual?

 

"

If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address. When you use an aging timer together with the inactivity aging function, the aging timer restarts once traffic data is detected from the sticky MAC address. The inactivity aging function prevents the unauthorized use of a secure MAC address when the authorized user is offline, and removes outdated secure MAC addresses so new secure MAC addresses can be learned.

"

 

Interface-level:

 

>port-security intrusion-mode blockmac

This will act as a srcmac filter. If the mac-address doesnt match the allowed list created by port-security the frame will be dropped. Other intrusion-modes is for example to shutdown the interface but thats more offensive against the user since that would affect all traffic, even already learned allowed mac-addresses.

 

>port-security mac-address aging-type inactivity

See comment above for "timer autolearn aging".

 

>port-security mac-address dynamic

Learned mac-addresses will be considered to be dynamic and not saved in the configuration file between reboots. However if you manually configure a static entry that static entry will survive reboots.

 

>port-security max-mac-count 10

Max number of allowed learned mac-addresses by the port-security.

 

>port-security ntk-mode ntkonly

If "intrusion-mode blockmac" is for incoming frames on the interface this is for outgoing frames:

 

"
By default, NTK is disabled on a port and all frames are allowed to be sent.

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow
frames to be sent to only devices passing authentication, preventing illegal devices from intercepting
network traffic.
"

 

However im not sure what the proper setting would be here when you use autolearning - anyone with experience from this? Or isnt NTK valid when you use autolearn?

 

> port-security port-mode autolearn
Basically how port-security should function. The above will basically be in passive mode, that is no 802.1x or mac-authentication is involved.

Thanks everyone for the feedback.

Just a small addition:

 

It turns out that you cant just do "port-security trap" to enable all traps, you must enable each trap on its own - like so:

 

port-security trap intrusion
port-security trap addresslearned

 

Also, if you wish to use the ntk-feature this setting (not confirmed) might be your best option if you also want to do IPv6 (which use multicast instead of broadcast as with IPv4 to perform neighbour detection etc):

 

port-security ntk-mode ntk-withmulticasts