Configuring and Monitoring Port Security

Introduction

Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

Basic Operation

The default port security setting for each port is "off". That is, any device can access a port without causing a security reaction. However, on a per-port basis, you can configure security measures to block unauthorized connections or "listening", and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through one or more of the following:

(For port security management using the switch console interface, refer to the Software Update C.07.XX Release Notes.)

For any port, you can configure the following:

Configuring Port Security

Preparation

Plan your port security configuration and monitoring according to the following:

  1. On which ports do you want to configure intruder security?
  2. Which devices (MAC addresses) are authorized on each port?
  3. For each port, what security actions do you want? You can do one or both of the following:
  4. How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:
  5. Plan the parameter settings for each port on which you want to configure port security.

Steps for Configuring Port Security

  1. Configure the parameters controlling port security actions for a specific port.
    1. Highlight a port to configure.
    2. Click on the Set Security Policy for Selected Ports button.
    3. Set Learn Mode to Static.
    4. Set the Address Limit to the number of authorized devices allowed on the port. (See the Caution, below.)
    5. If you want to prevent eavesdropping of flooded unicast traffic on the port by unauthorized devices, set Prevent Eavesdropping to Yes.
    6. Set Send Alarm to Yes if you want an SNMP trap automatically sent to a network management station when Learn Mode is set to Static and the port detects an unauthorized device.
    7. Click on the Apply Changes button.
  2. Enter MAC Address(es) of authorized device(s) for the selected port.
    1. Identify the MAC address of an authorized device for the selected port.
    2. Enter the MAC address in the Address field.
    3. Click on the Add button. The MAC address will then appear in the Authorized Addresses list.

To Modify Parameter Settings in an Authorized Address Entry

  1. Highlight the entry you want to change.
  2. Make any changes you want to the Learn Mode, Address Limit, Prevent Eavesdropping, and/or Send Alarm parameters.
  3. Click on the Apply Changes button.

To Replace One Address Entry With Another

  1. Highlight the entry you want to change.
  2. Edit the MAC address in the Address field.
  3. If necessary, modify any parameter settings, then click on the Apply Changes button.
  4. Click on the Replace button.

To Delete an Address Entry

  1. Highlight the entry in the Authorized Addresses list.
  2. Click on the Delete button.

Operating Notes for Port Security

Caution. If you enter fewer devices (MAC addresses) than specified in the Address Limit parameter, it is possible to unintentionally allow a device to become "authorized" that you do not want to include in your Authorized Address list. This can occur because the port, in order to fill the number of devices allowed by the Address Limit parameter, will automatically add devices it detects until the specified limit is reached. For this reason it is recommended that you configure the Address Limit to allow only as many devices as you plan to type into the Authorized Manager list.
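The following is an added illustration of the behaviour the caution describes, not code from the HP documentation: a small model of a port in Static learn mode with an Address Limit, showing that an unfilled slot is taken by the first unknown device seen, while a port whose Address Limit matches its configured entries logs and alarms on every unknown device. The class, its methods and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class StaticPort:
    """Constructed model of one port with Learn Mode = Static."""
    address_limit: int
    send_alarm: bool = True
    authorized: set = field(default_factory=set)   # Authorized Addresses list
    intrusion_log: list = field(default_factory=list)
    traps: list = field(default_factory=list)       # SNMP traps sent (modelled)

    def add_authorized(self, mac: str) -> None:
        """Operator enters a MAC into the Authorized Addresses list."""
        if len(self.authorized) >= self.address_limit:
            raise ValueError("Address Limit reached; raise it or delete an entry")
        self.authorized.add(mac.lower())

    def frame_from(self, mac: str) -> str:
        """Classify a source MAC seen on the port: authorized, learned or intruder."""
        mac = mac.lower()
        if mac in self.authorized:
            return "authorized"
        if len(self.authorized) < self.address_limit:
            # The caution: the port fills unused slots with whatever it detects.
            self.authorized.add(mac)
            return "learned"
        self.intrusion_log.append(mac)
        if self.send_alarm:
            self.traps.append(f"unauthorized device {mac}")
        return "intruder"


def demo_unfilled_limit():
    """Limit 2 but only one entry typed in: the first stranger gets authorized."""
    port = StaticPort(address_limit=2)
    port.add_authorized("00:11:22:33:44:55")
    seen = ("00:11:22:33:44:55", "de:ad:be:ef:00:01", "de:ad:be:ef:00:02")
    results = [port.frame_from(m) for m in seen]
    return results, sorted(port.authorized), port.intrusion_log


def demo_matched_limit():
    """Limit equals the number of typed-in entries: every stranger is an intruder."""
    port = StaticPort(address_limit=1)
    port.add_authorized("00:11:22:33:44:55")
    seen = ("00:11:22:33:44:55", "de:ad:be:ef:00:01", "de:ad:be:ef:00:02")
    results = [port.frame_from(m) for m in seen]
    return results, port.intrusion_log, len(port.traps)
```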

Identifying the IP Address of an Intruder. The Intrusion Log lists intruders by MAC address. If you are using HP TopTools for Hubs & Switches to manage your network, you can use the TopTools inventory reports to link MAC addresses to their corresponding IP addresses. (Inventory reports are organized by device type: hubs, switches, servers, etc.)

Proxy Web Servers. If you are using the switch’s web browser interface through a switch port configured for Static port security, and your browser access is through a proxy web server, then it is necessary to do the following:

Without both of the above configured, the switch detects only the proxy server's MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. For more information, see "Web Proxy Server Caution".


Copyright © 1999 by Hewlett-Packard Company