http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/WLAN/Access_Controller/H3C_WX6000_Series_Access_Controllers/Configuration/Operation_Manual/H3C_WX6103_Switch_Interface_Board_CG-6W102/201007/685200_1285_0.htm#_Toc265770684
Network requirements
Restrict port GigabitEthernet 0/0/1 of the switch as follows:
• Allow up to 64 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as secure MAC addresses.
• After the number of secure MAC addresses reaches 64, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.
Network diagram
Figure 1-1 Network diagram for port security configuration for autoLearn mode
Configuration procedure
1) Configure port security
# Enable port security.
<AC> system-view
[AC] port-security enable
# Enable intrusion protection trap.
[AC] port-security trap intrusion
[AC] interface gigabitethernet 0/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[AC-GigabitEthernet0/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[AC-GigabitEthernet0/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[AC-GigabitEthernet0/0/1] port-security intrusion-mode disableport-temporarily
[AC-GigabitEthernet0/0/1] quit
[AC] port-security timer disableport 30
2) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<AC> display port-security interface gigabitethernet 0/0/1
Equipment port-security is enabled
Intrusion trap is enabled
Disableport Timeout: 30s
OUI value:
GigabitEthernet0/0/1 is link-up
Port mode is autoLearn
NeedToKnow mode is disabled
Intrusion Protection mode is DisablePortTemporarily
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the intrusion protection trap is enabled, and the intrusion protection action is to disable the port temporarily (DisablePortTemporarily) for 30 seconds.
You can also use the above command repeatedly to track the number of MAC addresses learned by the port, or use the display this command in Ethernet port view to display the secure MAC addresses learned, as shown below:
<AC> system-view
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] display this
#
interface GigabitEthernet0/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security 0002-0000-0015 vlan 1
port-security mac-address security 0002-0000-0014 vlan 1
port-security mac-address security 0002-0000-0013 vlan 1
port-security mac-address security 0002-0000-0012 vlan 1
port-security mac-address security 0002-0000-0011 vlan 1
#
If you issue the display port-security interface command after the number of MAC addresses learned by the port reaches 64, you will see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you will see trap messages as follows:
#May 2 03:15:55:871 2000 AC PORTSEC/1/VIOLATION:Traph3cSecureViolation
A intrusion occurs!
IfIndex: 9437207
Port: 9437207
MAC Addr: 0.2.0.0.0.21
VLAN ID: 1
IfAdminStatus: 1
In addition, you will see that the port security feature has disabled the port if you issue the following command:
<AC-GigabitEthernet0/0/1> display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state: Port Security Disabled
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet0/0/1 Interface
......
The port should be re-enabled 30 seconds later.
[AC-GigabitEthernet0/0/1] display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet0/0/1 Interface
......
Now, if you manually delete several secure MAC addresses, the port security mode of the port will be restored to autoLearn, and the port will be able to learn MAC addresses again.
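A small detection-side helper for the output formats shown above, added here as an example and not part of the H3C manual: it parses a PORTSEC/1/VIOLATION trap, converts the trap's dotted-decimal MAC (0.2.0.0.0.21) into the hyphenated form used in configuration (0002-0000-0015), and relates it to the secure MAC table taken from display this. The trap text, the display this output and the MAC values are constructed samples.

```python
import re

# Constructed samples in the trap and display this formats shown above (MACs made up).
TRAP = """#May 2 03:16:10:102 2000 AC PORTSEC/1/VIOLATION:Traph3cSecureViolation
A intrusion occurs!
IfIndex: 9437207
Port: 9437207
MAC Addr: 0.2.0.0.0.65
VLAN ID: 1
IfAdminStatus: 1"""
DISPLAY_THIS = """#
interface GigabitEthernet0/0/1
port-security max-mac-count 2
port-security port-mode autolearn
port-security mac-address security 0002-0000-0015 vlan 1
port-security mac-address security 0002-0000-0014 vlan 1
#"""

def dotted_to_h3c(dotted):
    """Trap MAC in dotted decimal (0.2.0.0.0.21) -> H3C hex form (0002-0000-0015)."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a 6-octet dotted-decimal MAC: %r" % dotted)
    h = "".join("%02x" % o for o in octets)
    return "-".join((h[0:4], h[4:8], h[8:12]))

def parse_violation_trap(text):
    """Fields of a PORTSEC/1/VIOLATION trap; None if the text is something else."""
    if "PORTSEC/1/VIOLATION" not in text:
        return None
    f = dict(re.findall(r"^([A-Za-z ]+): *(\S+)$", text, re.M))
    return {"ifindex": int(f["IfIndex"]), "vlan": int(f["VLAN ID"]),
            "mac": dotted_to_h3c(f["MAC Addr"])}

def parse_port_security(display_this):
    """Max MAC count and stored secure (MAC, VLAN) pairs from display this."""
    m = re.search(r"port-security max-mac-count (\d+)", display_this)
    pairs = re.findall(r"mac-address security (\S+) vlan (\d+)", display_this)
    return {"max": int(m.group(1)) if m else None,
            "secure": {(mac, int(vlan)) for mac, vlan in pairs}}

def assess_violation(trap_text, display_this):
    """Relate a violation trap to the port's secure MAC table: is the source MAC
    really new, and had the table already filled (port in secure mode)?"""
    ev = parse_violation_trap(trap_text)
    if ev is None:
        return None
    ps = parse_port_security(display_this)
    ev["known_secure"] = (ev["mac"], ev["vlan"]) in ps["secure"]
    ev["table_full"] = ps["max"] is not None and len(ps["secure"]) >= ps["max"]
    return ev
```

A trap whose MAC is already in the secure table, or one raised while the table is not yet full, is worth a closer look, since in autoLearn mode a violation is expected only for a new MAC on a full port.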
Network requirements
The client is connected to the switch through port GigabitEthernet 0/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 0/0/1 of the switch as follows:
• Allow only one 802.1x user to be authenticated.
• Allow up to 16 OUI values to be configured and allow one additional user whose MAC address has an OUI among the configured ones to access the port.
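The admission rule stated in these requirements, modelled as an added example (not H3C code): one 802.1x-authenticated user plus one user whose MAC carries a configured OUI. The OUI is the first 24 bits of each value given to port-security oui; the remaining bits of the configured value are ignored. The class name, the "first 802.1x user wins" ordering and the sample MAC values are assumptions made for the example.

```python
# Constructed: OUI values in the form "port-security oui" takes (full MAC, of
# which only the first 24 bits are compared).
CONFIGURED_OUIS = ["1234-0100-1111", "1234-0200-1111", "1234-0300-1111"]

def oui_of(h3c_mac):
    """First 24 bits of an H3C-style MAC as lower-case hex (1234-0100-1111 -> '123401')."""
    hexstr = h3c_mac.replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not an H3C-style MAC: %r" % h3c_mac)
    return hexstr[:6]

class UserLoginWithOuiPort:
    """Hypothetical model of a userLoginWithOUI port: at most one 802.1x user and
    at most one OUI-matched user are admitted; any further source is refused."""

    def __init__(self, ouis):
        self.ouis = {oui_of(m) for m in ouis}   # compare on the 24-bit prefix only
        self.dot1x_user = None                  # MAC of the authenticated user
        self.oui_user = None                    # MAC of the OUI-matched user

    def admit(self, mac, dot1x_authenticated):
        """Decide for one source MAC; returns a short verdict string."""
        mac = mac.lower()
        if mac in (self.dot1x_user, self.oui_user):
            return "already-admitted"
        if dot1x_authenticated and self.dot1x_user is None:
            self.dot1x_user = mac
            return "admitted-802.1x"
        if oui_of(mac) in self.ouis and self.oui_user is None:
            self.oui_user = mac
            return "admitted-oui"
        return "refused"
```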
Network diagram
Figure 1-2 Network diagram for port security configuration for userLoginWithOUI mode
Configuration procedure
• The following configuration steps cover some AAA/RADIUS configuration commands.
• Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
# Create a RADIUS scheme named radsun.
<AC> system-view
[AC] radius scheme radsun
# Set the IP addresses of the primary authentication and accounting servers to 192.168.1.1 and 192.168.1.2 respectively.
[AC-radius-radsun] primary authentication 192.168.1.1
[AC-radius-radsun] primary accounting 192.168.1.2
# Set the IP addresses of the secondary authentication and accounting servers to 192.168.1.2 and 192.168.1.1 respectively.
[AC-radius-radsun] secondary authentication 192.168.1.2
[AC-radius-radsun] secondary accounting 192.168.1.1
# Set the encryption key for the switch to use when interacting with the authentication server to name.
[AC-radius-radsun] key authentication name
# Set the encryption key for the switch to use when interacting with the accounting server to money.
[AC-radius-radsun] key accounting money
# Set the RADIUS server response timeout time to five seconds and the maximum number of RADIUS packet retransmission attempts to 5.
[AC-radius-radsun] timer response-timeout 5
[AC-radius-radsun] retry 5
# Set the interval at which the switch sends real-time accounting packets to the RADIUS server to 15 minutes.
[AC-radius-radsun] timer realtime-accounting 15
# Specify that the switch sends user names without domain names to the RADIUS server.
[AC-radius-radsun] user-name-format without-domain
[AC-radius-radsun] quit
# Create an ISP domain named sun and enter its view.
[AC] domain sun
# Configure the ISP domain to use RADIUS scheme radsun as its default RADIUS scheme.
[AC-isp-sun] authentication default radius-scheme radsun
# Allow the ISP domain to accommodate up to 30 users.
[AC-isp-sun] access-limit enable 30
[AC-isp-sun] quit
2) Configure port security
# Enable port security.
[AC] port-security enable
# Add five OUI values.
[AC] port-security oui 1234-0100-1111 index 1
[AC] port-security oui 1234-0200-1111 index 2
[AC] port-security oui 1234-0300-1111 index 3
[AC] port-security oui 1234-0400-1111 index 4
[AC] port-security oui 1234-0500-1111 index 5
[AC] interface gigabitethernet 0/0/1