125
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. It applies to networks that require different authentication methods for different users
on a port, such as a WLAN.
Port security prevents unauthorized access to a network by checking the source MAC address of
inbound traffic and prevents access to unauthorized devices by checking the destination MAC
address of outbound traffic.
Port security can control MAC address learning and authentication on a port to make sure the port
learns only source trusted MAC addresses.
A frame is illegal if its source MAC address cannot be learned in a port security mode, or if it is from
a client that has failed 802.1X or MAC authentication. The port security feature automatically takes a
pre-defined action on illegal frames. This automatic mechanism enhances network security and
reduces human intervention.
Port security is available on Ethernet and WLAN ports. Supported port types depend on the
command. For more information, see HPE FlexNetwork MSR Router Series Comware 5 Security
Command Reference.
For scenarios that require only 802.1X authentication or MAC authentication, Hewlett Packard
Enterprise recommends that you use the 802.1X authentication or MAC authentication feature
rather than port security.
For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and
"Configuring MAC authentication."
Port security features
Port security supports the need to know (NTK) feature, intrusion protection, and port security traps.
NTK
NTK prevents traffic interception by checking the destination MAC address in outbound frames. The
feature ensures that frames are sent only to hosts that have passed authentication or whose MAC
addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames
and takes a pre-defined action on each detected illegal frame. The action can be disabling the port
temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3
minutes (not user configurable).
Port security traps
To monitor user behavior, configure the port security module to send traps for port security events
such as login, logoff, and MAC authentication.
Port security modes
Port security supports the following categories of security mode:
• MAC learning control—Includes autoLearn and secure. MAC address learning is permitted
on ports in autoLearn mode and disabled on ports in secure mode.
To Next Page
Loading...
Need help?
General
