Friday, 29 June 2012

HP ProCurve Port Security

Port Security allows you to configure each switch port with a unique list of MAC addresses of devices that are authorized to access the network through that port.

This will enable individual ports to detect, prevent, and log attempts by unauthorized devices trying to communicate through the switch port.

Just to clarify one important point before we dive into the configuration: this feature (port security) will not prevent intruders from receiving broadcast and multicast traffic.

Planning is the first key step.

Before we go ahead we need answers to the following questions:

  1. Which ports need lockout?
  2. Which devices are authorized per port?
  3. What security actions do you want?
  4. How do you want to be informed about it?

To view port security you need :-

show port-security

To disable port security on any port :-

no port-security

To check for intrusion flags on any port, issue the following command; you will see Yes in the Intrusion Alert column next to the affected port.

ProCurve(config)# show interfaces brief

One important point is to understand how HP port security works, as it is slightly different from the Cisco default way of applying port security.

On HP ProCurve, if an intruder is detected on a port with port security enabled, the switch will do the following:-

  • Sends an SNMP trap
  • Sets the port’s alert flag
  • Disables the port

If you re-enable the port without resetting the port’s alert flag, the port comes up and blocks traffic from any unauthorized devices it detects.

If the port detects another intruder with a different MAC address, it will send another SNMP trap, but it will not disable the port unless you first reset the port’s intrusion flag. (In the case of Cisco, it keeps on error-disabling the port.)

Point to be noted :- this remains the case unless and until you reset the intrusion flag on the port, which is done with:-

port-security 40 clear-intrusion-flag

Now issue the show int brief command and you will see no Intrusion Alert on interface 40.

To look at the intrusion log, issue the following command:-

show port-security intrusion-log

This port security behaviour lets the port continue passing traffic for authorized devices while you take the time to locate and eliminate the intruder. Otherwise the presence of an intruder could cause the switch to repeatedly disable the port (as in the case of Cisco default port security).

Setting up port security

Learn-Mode Static. This example configures port 40 to automatically accept the first device it detects as the only authorized device for that port. (In the Cisco world we call this MAC address sticky.)

We will also configure the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.

ProCurve(config)# port-security 40 learn-mode static action send-disable

Specify a MAC address manually

ProCurve(config)# port-security 40 learn-mode static mac-address 0c0019-123456 action send-disable

Specify 2 MAC addresses

ProCurve(config)# port-security 40 learn-mode static address-limit 2 mac-address 111110-7aec00 0078c0-883100 action send-alarm

show port-security 40
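The planning questions above and the three configuration cases just shown can be tied together in a small script. This is an added example, not from the original post or from HP: it takes a planning table of port, authorised MAC addresses and action, normalises MACs written in colon, dash or Cisco dotted notation into the hyphenated xxxxxx-xxxxxx form ProCurve expects, and emits the matching port-security commands. The address-limit handling (omitted for a single address, as in the post's own example) and the duplicate-MAC check are assumptions of this script.

```python
import re
# Added example (not from the original post): turn a planning table of
# port -> authorised MACs -> action into ProCurve learn-mode static commands.
HEX12 = re.compile(r"^[0-9a-f]{12}$")
ACTIONS = ("send-alarm", "send-disable")  # the two actions used in the post


def to_procurve_mac(mac: str) -> str:
    """Normalise 00:0c:19:12:34:56, 00-0c-19-12-34-56, 000c.1912.3456 or
    000c19-123456 into the hyphenated xxxxxx-xxxxxx form the CLI expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


def port_security_command(port, macs=(), action="send-disable") -> str:
    """One command for a port. No MACs: the port learns the first device it
    sees as its only authorised device. N MACs: written with address-limit N
    (assumed default limit is 1, so it is omitted for a single address)."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    normalised = [to_procurve_mac(m) for m in macs]
    if len(set(normalised)) != len(normalised):
        raise ValueError(f"port {port}: duplicate MAC address in plan")
    parts = [f"port-security {port} learn-mode static"]
    if len(normalised) > 1:
        parts.append(f"address-limit {len(normalised)}")
    if normalised:
        parts.append("mac-address " + " ".join(normalised))
    parts.append(f"action {action}")
    return " ".join(parts)


def build_config(plan) -> list:
    """plan: iterable of (port, macs, action) -> CLI lines, followed by a
    'show port-security <port>' line per port so the result can be verified."""
    lines = [port_security_command(p, m, a) for p, m, a in plan]
    lines += [f"show port-security {p}" for p, _, _ in plan]
    return lines


if __name__ == "__main__":
    # Constructed sample plan mirroring the three cases shown in the post.
    sample = [
        (40, [], "send-disable"),
        (41, ["0c:00:19:12:34:56"], "send-disable"),
        (42, ["1111.107a.ec00", "00-78-c0-88-31-00"], "send-alarm"),
    ]
    print("\n".join(build_config(sample)))
```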

Last but not least, the Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts.
