Local Port Security
In some cases you can use a RADIUS server to perform port authentication based on the MAC address of the connecting device. In other cases the port usage may remain static, but you still may want to lock down the ports without going through the process of configuring a RADIUS server. The ‘port-security’ command can be used to lock down ports without the need for a RADIUS server or even knowing the MAC address of the computers that will connect to the port.
Where would this be useful? At work I use this to secure ports in our computer labs. In the labs the desktops stay in one place. In this situation, seeing multiple MAC addresses through any port (except for the uplink port) would indicate that either someone set up a rogue switch/hub or a game of musical computers is being played. This particular command allows me to set the maximum number of MAC addresses allowed through a port to one.
The command that makes all of this happen is ‘port-security’. Here is an example of a command that I use in our computer labs at work:
port-security 1-20 address-limit 1 learn-mode static action send-disable
Breaking the command down into sections makes it easier to understand:
‘port-security 1-20’ – Apply the command and all of the following options to ports 1 through 20. A single port or a group of ports can also be specified instead of a range.
‘address-limit 1’ – Set the number of MAC addresses that can gain access through the switch port(s). Most HP switches support an address limit of up to about 38.
‘learn-mode static’ – This configures how the switch learns which MAC addresses are allowed to gain access through the port(s).
‘action send-disable’ – This sets the action to be taken once the threshold defined by ‘address-limit’ is crossed. ‘send-disable’ sends an error message and disables the port.
My preferred option for ‘learn-mode’ is static. In this case I do not predefine any MAC addresses, which leaves many people wondering how the switch knows which MAC addresses to allow through which ports. When the above command is first issued, the switch doesn’t know that information. With the ‘learn-mode static’ option the switch takes the first source MAC address it sees on a port and assigns that MAC address as an authorized MAC address for that particular port. This process is repeated for each port. The picture below illustrates this process so that it is easier to understand.

Our basic training has told us that when you first take a switch out of the box it is a blank slate. For the sake of explanation we are going to assume this for our scenario. We are also going to assume that the previously discussed ‘port-security’ command has been applied to interfaces one through twenty. You connect Computer A to interface one of the switch. Soon after that, Computer A sends a packet which enters the switch through interface one. The switch reviews the packet, and one of the steps it takes is to add the source MAC address (AAAAAA-AAAAAA) to its MAC address table. This accomplishes multiple things at once. First, the switch now knows which interface Computer A is attached to, which allows more efficient forwarding of packets destined for Computer A. Second, this MAC address table is also used by the ‘port-security’ command to determine whether another computer should be allowed to gain access to the network through that port.
If some black hat comes by and connects their laptop to interface one, the switch will now see a new source MAC address attached to the packets. In this case the ‘address-limit’ was set to one, and the switch already has one MAC address associated with port one in its MAC address table. This means that the switch will take the ‘send-disable’ action, disabling the interface.
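To make the learning and enforcement sequence concrete, here is an added model of the behaviour described above (illustration written for this post, not HP firmware or any ProCurve tool): it replays a constructed series of frames through ‘address-limit 1 learn-mode static action send-disable’ logic, with ports 1-20 secured and port 24 standing in for the uplink.

```python
from dataclasses import dataclass, field

# Constructed frames (port, source MAC) in the order the switch sees them.
# Ports 1-20 are secured as in the post; port 24 stands in for the uplink.
FRAMES = [
    (1, "AAAAAA-AAAAAA"),   # Computer A: first MAC on port 1, becomes the static entry
    (1, "AAAAAA-AAAAAA"),   # Computer A again: already authorised
    (2, "CCCCCC-CCCCCC"),   # another lab desktop learns normally on port 2
    (24, "DDDDDD-DDDDDD"),  # uplink: many MACs are expected here
    (24, "EEEEEE-EEEEEE"),
    (1, "BBBBBB-BBBBBB"),   # second MAC on port 1 -> address-limit 1 exceeded
    (1, "AAAAAA-AAAAAA"),   # even Computer A is cut off once the port is disabled
]

@dataclass
class PortSecurity:
    """Per-port state for 'address-limit N learn-mode static action send-disable'."""
    address_limit: int = 1
    learned: dict = field(default_factory=dict)   # port -> set of authorised MACs
    disabled: set = field(default_factory=set)    # ports taken down by send-disable
    events: list = field(default_factory=list)    # violation messages

    def ingress(self, port: int, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded on 'port'."""
        if port in self.disabled:
            return False                          # stays down until an admin re-enables it
        macs = self.learned.setdefault(port, set())
        if src_mac in macs:
            return True                           # known station, nothing to learn
        if len(macs) < self.address_limit:
            macs.add(src_mac)                     # learn-mode static: first MAC(s) stick
            return True
        # Limit already reached by a different MAC: intrusion -> send-disable.
        self.disabled.add(port)
        self.events.append(f"port {port}: unauthorised source {src_mac}, port disabled")
        return False

def replay(frames, address_limit=1, secured_ports=range(1, 21)):
    """Replay frames; ports outside 'secured_ports' (the uplink) forward everything."""
    ps = PortSecurity(address_limit)
    forwarded = [ps.ingress(p, m) if p in secured_ports else True for p, m in frames]
    return ps, forwarded

if __name__ == "__main__":
    state, forwarded = replay(FRAMES)
    for (port, mac), ok in zip(FRAMES, forwarded):
        print(f"port {port:>2} {mac}: {'forwarded' if ok else 'dropped'}")
    print(*state.events, sep="\n")
```

Running it with `address_limit=2` instead shows the second MAC on port 1 being learned rather than triggering the disable, which is the trade-off to weigh for ports that legitimately carry two devices.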
There you have it! This is a quick and easy way to add another layer of security to your network! I caution you to use this command wisely, as using it in the wrong situation could make you one unpopular network administrator!
As always, consult the manual for your HP ProCurve switch for the exact command syntax.
How can I record, grab or make the switch send the MAC address it learns on which port to a centralized server, in order to have a specific idea of where a computer was plugged in across the whole Campus Network?
We have the Network Node Manager 8 and the PCM 3.0 autoupdate 5