I recently had a request through my 'contact me' form on how to configure port security on HPE Aruba switches (the 2920, 3800, 5400 and 8200 series, etc.).
Firstly, what is port security? It is a MAC lockdown (Layer 2 access control) feature that lets you limit, restrict or fix the MAC addresses allowed on an individual switch port.
It's important to understand what the various learn modes are:
I normally use the following scenarios:
1. Lock down a port to a maximum of 2 MAC addresses, let the switch learn those addresses itself, and disable the port if there is a violation
port-security 1-24 address-limit 2 learn-mode limited-continuous action send-disable
1-24 is the range of ports I want to apply this policy to
2 is the address-limit, the maximum number of MAC addresses allowed on each port (2!)
limited-continuous is the learn mode I am using (see the table above)
send-disable is the intrusion action (disable the port)
Note that a learned MAC address has to age out of the address table before a new address can be learned in its place; the switch uses the default MAC Age Time for this, which is 300 seconds. You can check the current value by typing - show system-information
You can modify the MAC age time (in seconds) as follows:
mac-age-time <60-999960>
2. Statically fix a particular MAC address to a port so that only this MAC address can use the port, and disable the port if there is a violation
port-security 25 learn-mode configured mac-address 0000.ffff.0000 action send-disable
Variations on the above:
port-security 25 learn-mode static action send-disable
port-security 1-24 address-limit 2 learn-mode limited-continuous action send-alarm
(send-alarm logs the intrusion and sends an SNMP trap but leaves the port up, whereas send-disable also shuts the port down)
How to clear the intrusion flag of a port disabled by port security (you can see which ports have tripped with - show port-security intrusion-log)
port-security 1 clear-intrusion-flag
Clearing the flag on its own does not bring the port back up: after clearing it, re-enable the port from its interface context (interface 1 enable).
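As an added example (not from the original post and not HPE's own tooling), here is a small Python helper that builds the port-security, mac-age-time and clear-intrusion-flag commands used above from a policy table, normalizing any common MAC notation to the aabbcc-ddeeff form the switch CLI prints and rejecting bad input before it reaches the switch. The PortPolicy class, the builder functions, the sample policy table and the 1-64 address-limit sanity bound are my own assumptions; the command keywords and the 60-999960 mac-age-time range are the ones shown in the post.

```python
"""Build HPE ArubaOS-Switch port-security commands from a small policy table.

Added example for the post above; not the vendor's tooling. It emits the command
forms the post uses and validates inputs first. Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Learn modes and intrusion actions accepted by the port-security command.
LEARN_MODES = {"continuous", "static", "configured", "limited-continuous", "port-access"}
ACTIONS = {"none", "send-alarm", "send-disable"}
MAC_AGE_RANGE = (60, 999960)    # seconds, the range given in the post
ADDRESS_LIMIT_RANGE = (1, 64)   # assumption: a sanity bound for this script, not a vendor-verified maximum
_MAC_CHARS = re.compile(r"^[0-9a-fA-F:.\-]+$")
_PORT_LIST = re.compile(r"^[A-Za-z]?\d+(-[A-Za-z]?\d+)?(,[A-Za-z]?\d+(-[A-Za-z]?\d+)?)*$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabbcc-ddeeff and return the
    aabbcc-ddeeff form the ArubaOS-Switch CLI prints. Raises ValueError otherwise."""
    if not _MAC_CHARS.match(mac):
        raise ValueError(f"invalid characters in MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 12 hex digits: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


@dataclass
class PortPolicy:
    ports: str                      # port list as the CLI takes it, e.g. "1-24", "25", "A1-A4"
    learn_mode: str
    action: str = "send-disable"
    address_limit: Optional[int] = None
    mac_addresses: List[str] = field(default_factory=list)


def build_command(p: PortPolicy) -> str:
    """Validate one policy and render its port-security command line."""
    if not _PORT_LIST.match(p.ports):
        raise ValueError(f"bad port list: {p.ports!r}")
    if p.learn_mode not in LEARN_MODES:
        raise ValueError(f"unknown learn mode: {p.learn_mode!r}")
    if p.action not in ACTIONS:
        raise ValueError(f"unknown action: {p.action!r}")
    macs = [normalize_mac(m) for m in p.mac_addresses]
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate MAC address in policy")
    # Only static and configured modes take fixed MAC addresses; configured needs at least one.
    if macs and p.learn_mode not in {"static", "configured"}:
        raise ValueError(f"learn-mode {p.learn_mode} does not take fixed MAC addresses")
    if p.learn_mode == "configured" and not macs:
        raise ValueError("learn-mode configured needs at least one mac-address")
    limit = p.address_limit
    if limit is None and len(macs) > 1:
        limit = len(macs)           # the default limit is 1, so raise it to fit the fixed MACs
    if limit is not None:
        lo, hi = ADDRESS_LIMIT_RANGE
        if not lo <= limit <= hi:
            raise ValueError(f"address-limit {limit} outside {lo}-{hi}")
        if len(macs) > limit:
            raise ValueError("more fixed MAC addresses than address-limit allows")
    parts = ["port-security", p.ports]
    if limit is not None:
        parts += ["address-limit", str(limit)]
    parts += ["learn-mode", p.learn_mode]
    if macs:
        parts += ["mac-address", *macs]   # assumption: several MACs may follow one mac-address keyword
    parts += ["action", p.action]
    return " ".join(parts)


def mac_age_time_command(seconds: int) -> str:
    """Render mac-age-time, enforcing the 60-999960 second range from the post."""
    lo, hi = MAC_AGE_RANGE
    if not lo <= seconds <= hi:
        raise ValueError(f"mac-age-time {seconds} outside {lo}-{hi} seconds")
    return f"mac-age-time {seconds}"


def clear_intrusion_flag_command(port: str) -> str:
    if not _PORT_LIST.match(port):
        raise ValueError(f"bad port: {port!r}")
    return f"port-security {port} clear-intrusion-flag"


def render_config(policies: List[PortPolicy], mac_age_time: Optional[int] = None) -> List[str]:
    """Render a validated block of configuration lines ready to paste into config mode."""
    lines = [mac_age_time_command(mac_age_time)] if mac_age_time is not None else []
    lines.extend(build_command(p) for p in policies)
    return lines


# Constructed sample policy table that mirrors the two scenarios in the post.
SAMPLE_POLICIES = [
    PortPolicy("1-24", "limited-continuous", "send-disable", address_limit=2),
    PortPolicy("25", "configured", "send-disable", mac_addresses=["0000.ffff.0000"]),
]

if __name__ == "__main__":
    for line in render_config(SAMPLE_POLICIES, mac_age_time=60):
        print(line)
    print(clear_intrusion_flag_command("1"))
```

Keeping the policy table in code and rendering it means every access port gets the same validated line, and a typo in a MAC or an address-limit that does not match the number of fixed addresses is caught before the commands are pasted into the switch.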