Configuring Port Security Functionality
Port security is configured as part of the port-level security configuration, in a port-security profile that can then be attached to an interface.
Configuring RA Guard Functionality
RA Guard functionality can be enabled at the port level. Configure RA Guard as part of the port-level security configuration and attach the profile to the interface.
(host)(config)# interface-profile port-security-profile <profile-name>
ipv6-ra-guard action {drop|shutdown} auto-recovery-time <recovery-time>
The following example shows how to enable the RA Guard functionality:
(host)(config)# interface-profile port-security-profile RA-Guard1
ipv6-ra-guard action shutdown auto-recovery-time 60
Configuring DHCP Trust Functionality
The DHCP Trust functionality is configured as part of the port-level security configuration. This profile can be attached to the interface.
DHCP Trust can be enabled on any interface. By default, a port-security-profile filters (blocks) DHCP OFFER and ACK messages on the ports it is applied to. You must explicitly enable DHCP Trust (trust dhcp) in the port-security-profile to allow these DHCP messages from valid devices.
(host)(config)# interface-profile port-security-profile <profile-name>
trust dhcp
When trust dhcp is not configured, these DHCP packets are dropped and a message is logged.
The following example shows how to enable the DHCP Trust functionality:
(host)(config)# interface-profile port-security-profile ps1
trust dhcp
Configuring Loop Protect Functionality
Port Loop Protect functionality is configured as part of the port level security configuration. You can attach the port-security profile to any Layer 2 interface. Enabling Loop Protect will disable a port when it detects a loop. You can automatically re-enable the port by setting the auto-recovery option. Otherwise, you can recover the port manually using the clear command.
Use the following CLI commands to enable Loop Protect and the auto-recovery option:
(host) (config) #interface-profile port-security-profile <profile-name>
(host) (Port security profile “<profile-name>”) #loop-protect auto-recovery-time <time in seconds>
Set a value for auto-recovery-time to enable the auto-recovery option. The port automatically re-enables and recovers from the error after the specified time. By default, auto-recovery is disabled. Auto-recovery remains disabled if you enable loop-protect without setting the auto-recovery-time option, or if you set the value to 0.
Use the following command to disable the auto-recovery option:
(host) (Port security profile “<profile-name>”) #no loop-protect auto-recovery-time
Use the following command to disable the Loop Protect functionality:
(host) (Port security profile “<profile-name>”) #no loop-protect
It is recommended that you disable Spanning Tree using the following command before enabling Loop Protect on an interface:
(host) (config) #spanning-tree no mode
Otherwise, you will see the following warning message:
Warning: Port Loop Protect configured in the port-security-profile, will be inactive. It becomes active when MSTP/PVST is disabled.
Configuring MAC Limit Functionality
The MAC Limit functionality is configured as part of the port-level security configuration. You can attach this profile to an interface.
Use the following command to configure the MAC Limit:
(host)(config)# interface-profile port-security-profile <profile-name>
mac-limit <limit> action {drop|log|shutdown}
auto-recovery-time <time in seconds>
The following example shows how to enable the MAC Limit functionality:
(host)(config)# interface-profile port-security-profile MAC_Limit
mac-limit 30 action drop
auto-recovery-time 50
The maximum value of auto-recovery-time for all the port security functionalities is 65,535 seconds. The auto-recovery-time option applies only when the action is shutdown.
MAC Limit on Untrusted Ports
The Mobility Access Switch allows you to configure the MAC limit on untrusted ports. You can also choose to configure the action to take when the number of MAC addresses on the untrusted ports exceeds the configured limit. By default, the MAC limit option for a port is disabled.
Important Points to Note:
- You can choose to configure the log, drop, or shutdown option as the action to be taken when the number of MAC addresses on the port exceeds the configured MAC limit.
- When you configure the log action, a syslog is generated and the interface is marked as interface error log; any new MAC addresses beyond the configured MAC limit are dropped by the software.
- When you configure the drop action, a syslog is generated and the interface is marked as interface error drop; any new MAC addresses beyond the configured MAC limit are dropped by the hardware.
- When you configure the shutdown action, a syslog is generated and the interface is marked as interface error shutdown; the interface is brought down. Recovery can be done either by clearing the interface error from the CLI or by configuring the auto-recovery-time option to bring the port UP on timer expiry.
To see these syslog messages, you need to enable the logs using logging level errors or debug security.
You can enable and configure the MAC limit for a port by using the CLI.
Configuring MAC Limit and Action
You can enable the MAC Limit option on Mobility Access Switches using the following CLI command:
(host) (config) #aaa profile <profile-name>
(host) (AAA Profile “<profile-name>”) #mac-limit <mac_limit> action {log | drop | shutdown [auto-recovery-time <timeout>]}
The preceding command enables the MAC limit option, sets the number of MAC addresses allowed on an untrusted port, and sets the action to take when the number of MAC addresses exceeds the configured limit.
For <mac_limit>, the allowed range is 1–512.
For <timeout>, the default value is 0, which means no auto-recovery; the allowed range of values (in seconds) is 0–65535.
The auto-recovery timer applies only when you have configured the shutdown action.
The port error recovery is cleared during the following events:
- The port is changed from untrusted to trusted type.
- The AAA profile is unlinked from the gigabitethernet interface, vlan-profile, or interface-group profile.
- The MAC address count on a port goes below the configured MAC limit due to user entry deletion.
You can enable and configure the MAC limit on an AAA profile and link the profile to a gigabit ethernet interface, vlan-profile, or interface-group profile.
(host) (config) #interface gigabitethernet <slot>/<module>/<port>
(host) (gigabitethernet “<slot>/<module>/<port>”) #aaa-profile <profile-name>
Verifying Enforced Action on MAC Limit Exceed
You can verify whether the configured action is enforced when the number of MAC addresses exceeds the configured MAC limit on an untrusted port. To verify, execute the following show command:
(host) #show port-error-recovery untrusted
Clearing Log/Drop/Shutdown Errors on Interface
You can execute the following clear command to clear the log/drop/shutdown errors on an interface:
(host) #clear port-error-recovery untrusted interface gigabitethernet <slot>/<module>/<port>
You can execute the following clear command to clear the log/drop/shutdown errors on all untrusted ports:
(host) #clear port-error-recovery untrusted
Configuring Sticky MAC
The Sticky MAC learning is configured as part of the port-level security configuration. You can attach this profile to an interface.
Starting from ArubaOS 7.4.0.2, the Mobility Access Switch allows you to configure the Sticky MAC feature with an action to take when a Sticky MAC violation occurs. The allowed actions are:
- Drop: Drops any new MAC addresses trying to connect to the interface. This is the default option.
- Shutdown: Shuts down the port on which the sticky MAC violation occurs. You can also optionally set an auto-recovery time between 0-65,535 seconds for the interface to recover.
Enabling Sticky MAC
Use the following command to enable Sticky MAC:
(host)(config)# interface-profile port-security-profile <profile-name> sticky-mac
Use the following command to configure a Sticky MAC action:
(host) (Port security profile “<profile-name>”) #sticky-mac action [drop | shutdown auto-recovery-time <1-65535>]
The following example shows how to enable Sticky MAC:
(host)(config)# interface-profile port-security-profile PSP sticky-mac
Use the following command to disable Sticky MAC:
(host)(config)# interface-profile port-security-profile <profile-name> no sticky-mac
The following example shows how to disable Sticky MAC:
(host)(config)# interface-profile port-security-profile PSP no sticky-mac
The following example shows how to configure a Sticky MAC action in case of a Sticky MAC violation:
(host) (Port security profile “<profile-name>”) #sticky-mac action shutdown auto-recovery-time 10
Viewing Sticky MAC
Execute the following command to view the Sticky MAC addresses on a Mobility Access Switch:
(host) #show mac-address-table sticky
Execute the following command to view the Sticky MAC addresses on a VLAN:
(host) #show mac-address-table vlan <id> sticky
Execute the following command to view the Sticky MAC addresses on an interface:
(host) #show mac-address-table interface <interface-name> sticky
Verifying Sticky MAC Configuration
Execute the following command to verify the Sticky MAC configuration:
(host) #show interface-profile port-security-profile <profile-name>
The following command verifies the sample configuration:
(host) #show interface-profile port-security-profile profile1stky
Port security profile “profile1stky”
------------------------------------
Parameter                              Value
---------                              -----
IPV6 RA Guard Action                   N/A
IPV6 RA Guard Auto Recovery Time       N/A
MAC Limit                              N/A
MAC Limit Action                       N/A
MAC Limit Auto Recovery Time           N/A
Sticky MAC                             Enabled
Sticky MAC Action                      Shutdown
Sticky MAC Auto Recovery Time          10 Seconds
Trust DHCP                             No
Port Loop Protect                      N/A
Port Loop Protect Auto Recovery Time   N/A
IP Source Guard                        N/A
Dynamic Arp Inspection                 N/A
Clearing Sticky MAC Addresses
Execute the following command to remove the Sticky MAC addresses on a Mobility Access Switch:
(host) #clear mac-address-table sticky
Execute the following command to remove the Sticky MAC addresses on a VLAN:
(host) #clear mac-address-table vlan <id> sticky
Execute the following command to remove the Sticky MAC addresses on an interface:
(host) #clear mac-address-table interface <interface-name> sticky
Execute the following command to remove a specific Sticky MAC address on a VLAN:
(host) #clear mac-address-table vlan <id> mac <mac-address> sticky
Execute the following command to remove a specific Sticky MAC address on an interface:
(host) #clear mac-address-table interface <interface-name> mac <mac-address> sticky
Execute the following command to remove the Sticky MAC addresses on a VLAN port:
(host) #clear mac-address-table vlan <id> interface <interface-name> sticky
Configuring IP Source Guard
The IP Source Guard (IPSG) functionality is configured as part of the port-level security configuration. This profile can be attached to the interface.
Use the following command to configure the IPSG:
(host)(config)# interface-profile port-security-profile <profile-name>
ip-src-guard
Verifying IP Source Guard
You can use the following command to display all the interfaces on which IPSG is enabled, and the type of IPSG filter:
(host) #show ip source-guard
IPSG interface Info
-------------------
Interface   IPSG
---------   ----
GE0/0/12    Enabled
GE0/0/20    Enabled
GE1/0/20    Enabled
GE1/0/24    Enabled
GE2/0/16    Enabled
GE2/0/20    Enabled
GE3/0/8     Enabled
GE3/0/20    Enabled
You can use the following command to display if IPSG is enabled on a specific interface, along with type of filter:
(host) #show ip source-guard interface gigabitethernet 0/0/12
IPSG interface Info
-------------------
Interface   IPSG      MAC Binding
---------   ----      -----------
GE0/0/12    Enabled   Disabled
You can use the following command to display details about the IP and MAC combination:
(host) #show ip source-guard interface gigabitethernet 0/0/12 detail
IPSG allowed users on the interface
-----------------------------------
IP Address    Mac Address   VLAN
----------    -----------   ----
172.2.1.255   NA            2
You can use the following command to verify the IPSG configuration:
(host) #show interface-profile port-security-profile techpubs
Port security profile “techpubs”
--------------------------------
Parameter                              Value
---------                              -----
IPV6 RA Guard Action                   N/A
IPV6 RA Guard Auto Recovery Time       N/A
MAC Limit                              N/A
MAC Limit Action                       N/A
MAC Limit Auto Recovery Time           N/A
Trust DHCP                             No
Port Loop Protect                      N/A
Port Loop Protect Auto Recovery Time   N/A
Sticky MAC                             N/A
IP Source Guard                        Enabled
IP Source Guard with MAC binding       N/A
Dynamic Arp Inspection                 N/A
Configuring DAI
The Dynamic ARP Inspection (DAI) functionality is configured as part of the port-level security configuration. This profile can be attached to the interface.
You can use the following command to configure DAI:
(host)(config)# interface-profile port-security-profile <profile-name>
dynamic-arp-inspection
Verifying DAI
You can use the following command to verify the DAI configuration:
(host) #show interface-profile port-security-profile abc
Port security profile “abc”
---------------------------
Parameter                              Value
---------                              -----
IPV6 RA Guard Action                   N/A
IPV6 RA Guard Auto Recovery Time       N/A
MAC Limit                              N/A
MAC Limit Action                       N/A
MAC Limit Auto Recovery Time           N/A
Trust DHCP                             No
Port Loop Protect                      N/A
Port Loop Protect Auto Recovery Time   N/A
Sticky MAC                             N/A
Dynamic Arp Inspection                 Enabled
Attaching Port Security Profile to Interface
To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:
For Gigabitethernet:
(host) (config) #interface gigabitethernet <slot/mod/port>
(host) (gigabitethernet “<slot/mod/port>”) #port-security-profile <profile-name>
For Port-channel:
(host) (config) #interface port-channel <id>
(host) (port-channel “<id>”) #port-security-profile <profile-name>
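The profile sub-mode commands in the sections above, together with the attach commands just shown, lend themselves to configuration-as-code. The following Python script is an added example, not ArubaOS code: it renders a port-security-profile as the CLI lines documented on this page and refuses the combinations the page rules out (an auto-recovery-time with an action other than shutdown, and timers above 65,535 seconds). The profile and interface names are constructed for the example.

```python
"""Render an ArubaOS Mobility Access Switch port-security-profile and attach it.

Added example, not ArubaOS code. It emits the CLI lines documented on this page
and rejects combinations the page rules out: an auto-recovery-time with an
action other than shutdown, and timers above 65535 seconds. Profile and
interface names are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_RECOVERY_SECONDS = 65535   # documented ceiling for every auto-recovery-time
RA_GUARD_ACTIONS = {"drop", "shutdown"}
MAC_LIMIT_ACTIONS = {"drop", "log", "shutdown"}
STICKY_MAC_ACTIONS = {"drop", "shutdown"}


def _recovery_suffix(feature: str, action: str, seconds: Optional[int]) -> str:
    """Return ' auto-recovery-time N' (or '') after checking the documented constraints."""
    if seconds is None:
        return ""
    if action != "shutdown":
        raise ValueError(f"{feature}: auto-recovery-time applies only when the action is shutdown")
    if not 0 <= seconds <= MAX_RECOVERY_SECONDS:
        raise ValueError(f"{feature}: auto-recovery-time must be 0-{MAX_RECOVERY_SECONDS} seconds")
    return f" auto-recovery-time {seconds}"


def _check_action(feature: str, action: str, allowed: set) -> None:
    if action not in allowed:
        raise ValueError(f"{feature}: action must be one of {sorted(allowed)}, got {action!r}")


@dataclass
class PortSecurityProfile:
    name: str
    ra_guard_action: Optional[str] = None     # ipv6-ra-guard action {drop|shutdown}
    ra_guard_recovery: Optional[int] = None
    trust_dhcp: bool = False                  # default: DHCP OFFER/ACK are filtered
    loop_protect: bool = False
    loop_protect_recovery: int = 0            # 0 keeps loop-protect auto-recovery disabled
    mac_limit: Optional[int] = None
    mac_limit_action: str = "drop"
    mac_limit_recovery: Optional[int] = None
    sticky_mac: bool = False
    sticky_mac_action: Optional[str] = None   # None keeps the default action (drop)
    sticky_mac_recovery: Optional[int] = None
    ip_source_guard: bool = False
    dynamic_arp_inspection: bool = False

    def render(self) -> List[str]:
        """Lines to enter in the profile sub-mode, in the order this page documents them."""
        lines = [f"interface-profile port-security-profile {self.name}"]
        if self.ra_guard_action is not None:
            _check_action("ipv6-ra-guard", self.ra_guard_action, RA_GUARD_ACTIONS)
            lines.append(f"ipv6-ra-guard action {self.ra_guard_action}"
                         + _recovery_suffix("ipv6-ra-guard", self.ra_guard_action, self.ra_guard_recovery))
        if self.trust_dhcp:
            lines.append("trust dhcp")
        if self.loop_protect:
            # Loop Protect always shuts the port; a non-zero timer turns on auto-recovery.
            suffix = _recovery_suffix("loop-protect", "shutdown", self.loop_protect_recovery or None)
            lines.append("loop-protect" + suffix)
        if self.mac_limit is not None:
            _check_action("mac-limit", self.mac_limit_action, MAC_LIMIT_ACTIONS)
            lines.append(f"mac-limit {self.mac_limit} action {self.mac_limit_action}"
                         + _recovery_suffix("mac-limit", self.mac_limit_action, self.mac_limit_recovery))
        if self.sticky_mac:
            lines.append("sticky-mac")   # the page appends this to the profile command itself
            if self.sticky_mac_action is not None:
                _check_action("sticky-mac", self.sticky_mac_action, STICKY_MAC_ACTIONS)
                lines.append(f"sticky-mac action {self.sticky_mac_action}"
                             + _recovery_suffix("sticky-mac", self.sticky_mac_action, self.sticky_mac_recovery))
        if self.ip_source_guard:
            lines.append("ip-src-guard")
        if self.dynamic_arp_inspection:
            lines.append("dynamic-arp-inspection")
        return lines


def attach_commands(profile_name: str, interface: str) -> List[str]:
    """Config-mode commands that bind the profile to a gigabitethernet or port-channel interface."""
    return [f"interface {interface}", f"port-security-profile {profile_name}"]


def validation_error(profile: PortSecurityProfile) -> Optional[str]:
    """First documented-constraint violation as text, or None when the profile renders cleanly."""
    try:
        profile.render()
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    access = PortSecurityProfile("PSP-access", ra_guard_action="shutdown", ra_guard_recovery=60,
                                 loop_protect=True, mac_limit=30, mac_limit_action="shutdown",
                                 mac_limit_recovery=50, sticky_mac=True, sticky_mac_action="shutdown",
                                 sticky_mac_recovery=10, ip_source_guard=True, dynamic_arp_inspection=True)
    print("\n".join(access.render() + attach_commands(access.name, "gigabitethernet 0/0/12")))
```

Running the script prints the profile followed by the two attach lines for gigabitethernet 0/0/12; the same `attach_commands` call with "port-channel 5" produces the port-channel form. Because `render` raises on a drop or log action combined with an auto-recovery-time, a review pipeline can reject such a profile before it reaches the switch, where the timer would be silently ineffective.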
Viewing Port Errors
Use the following command to view the list of ports on which port errors have been detected and, if auto-recovery is enabled, the time at which they will be recovered automatically:
(host) #show port-error-recovery
Layer-2 Interface Error Information
-----------------------------------
Interface   Error                       Recovery Time
---------   -----                       -------------
Pc5         Shutdown (Loop Detected)    2012-02-08 16:42:45 (PST)
GE0/0/42    Shutdown (Loop Detected)    No Auto recovery
Pc1         Shutdown (Loop Detected)    2012-02-07 16:45:40 (PST)
Pc2         Shutdown (RA Guard)         2012-02-08 16:42:45 (PST)
GE0/0/14    Log (Mac Limit Exceeded)    No Auto recovery
GE0/0/2     Drop (DHCP Trust Error)     2012-02-07 16:45:40 (PST)
GE0/0/5     Log (MAC Limit exceed)      No Auto recovery
            Drop (RA guard)             No Auto recovery
GE1/0/24    Shutdown (BPDU received)    2012-10-18 11:25:17 (PST)
                                        No Auto Recovery
Recovering Ports Manually
Use the CLI to manually recover the port errors. To recover the ports on a specific interface, execute the following command:
(host) #clear port-error-recovery interface <interface-name>
The following command clears the errors on gigabitethernet 0/0/42:
(host) #clear port-error-recovery interface gigabitethernet 0/0/42
To clear the port errors on all interfaces, execute the following command:
(host) #clear port-error-recovery
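Ports that show "No Auto recovery" in the output above stay down (or keep dropping or logging) until an operator runs the clear command, so they are the ones worth alerting on. The following Python script is an added example, not ArubaOS code: it parses the show output reproduced on this page, carries the two continuation rows (a second error on GE0/0/5, and a recovery column wrapped onto its own line) onto the right interface, counts errors by cause, and generates the documented clear command for each interface that will not recover on its own. The expansion of the short interface names (GE, Pc) into the long forms the clear command takes is an assumption made for the example.

```python
"""Parse `show port-error-recovery` output and list ports that need manual recovery.

Added example, not ArubaOS code. It turns the show output's rows into records,
attaches continuation rows (a second error on the same interface, or a recovery
column wrapped onto its own line) to the previous interface, and emits the
documented clear command for every port that will not recover on its own. The
expansion of short interface names (GE, Pc) into the long forms used by the
clear command is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample output as printed on this page; the two rows without an interface
# column are continuation rows.
SAMPLE_OUTPUT = """\
Layer-2 Interface Error Information
-----------------------------------
Interface   Error                       Recovery Time
---------   -----                       -------------
Pc5         Shutdown (Loop Detected)    2012-02-08 16:42:45 (PST)
GE0/0/42    Shutdown (Loop Detected)    No Auto recovery
Pc1         Shutdown (Loop Detected)    2012-02-07 16:45:40 (PST)
Pc2         Shutdown (RA Guard)         2012-02-08 16:42:45 (PST)
GE0/0/14    Log (Mac Limit Exceeded)    No Auto recovery
GE0/0/2     Drop (DHCP Trust Error)     2012-02-07 16:45:40 (PST)
GE0/0/5     Log (MAC Limit exceed)      No Auto recovery
            Drop (RA guard)             No Auto recovery
GE1/0/24    Shutdown (BPDU received)    2012-10-18 11:25:17 (PST)
                                        No Auto Recovery
"""

# Interface (optional), error "Action (Cause)" (optional), recovery column (optional).
ROW_RE = re.compile(
    r"^(?P<iface>\S+)?\s*"
    r"(?P<error>(?:Shutdown|Drop|Log) \([^)]*\))?\s*"
    r"(?P<recovery>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \([A-Z]+\)|No Auto [Rr]ecovery)?\s*$"
)


@dataclass
class PortError:
    interface: str
    error: str
    recovery: str = ""   # timestamp text, "No Auto recovery", or "" when the column was missing

    @property
    def auto_recovers(self) -> bool:
        # A missing column is treated as "unknown" and therefore as needing attention.
        return bool(self.recovery) and not self.recovery.lower().startswith("no auto")


def parse_port_errors(text: str) -> List[PortError]:
    records: List[PortError] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or not (m.group("error") or m.group("recovery")):
            continue   # title, column headers, separators, blank lines
        iface, error, recovery = m.group("iface"), m.group("error"), m.group("recovery") or ""
        if error is None:
            # Recovery column wrapped onto its own line: fill the previous record only
            # if it has no recovery value yet; otherwise the row repeats what we have.
            if records and not records[-1].recovery:
                records[-1].recovery = recovery
            continue
        if iface is None:
            if not records:
                raise ValueError(f"continuation row before any interface: {line!r}")
            iface = records[-1].interface   # another error on the same interface
        records.append(PortError(iface, error, recovery))
    return records


def errors_by_cause(records: List[PortError]) -> Dict[str, int]:
    """Count errors by the cause in parentheses, lower-cased because the output varies in case."""
    counts: Dict[str, int] = {}
    for rec in records:
        cause = rec.error[rec.error.index("(") + 1:-1].lower()
        counts[cause] = counts.get(cause, 0) + 1
    return counts


def long_interface_name(short: str) -> str:
    """Expand the show output's short names (assumed mapping for this example)."""
    if short.startswith("GE"):
        return f"gigabitethernet {short[2:]}"
    if short.startswith("Pc"):
        return f"port-channel {short[2:]}"
    raise ValueError(f"unrecognised interface name: {short}")


def manual_recovery_commands(records: List[PortError]) -> List[str]:
    """One documented clear command per interface that has an error with no auto recovery."""
    pending: List[str] = []
    for rec in records:
        if not rec.auto_recovers and rec.interface not in pending:
            pending.append(rec.interface)
    return [f"clear port-error-recovery interface {long_interface_name(i)}" for i in pending]


if __name__ == "__main__":
    errors = parse_port_errors(SAMPLE_OUTPUT)
    print(errors_by_cause(errors))
    print("\n".join(manual_recovery_commands(errors)))
```

On the page's sample output the script reports three loop-detection errors and two RA Guard errors, and proposes clear commands for gigabitethernet 0/0/42, 0/0/14 and 0/0/5 only; GE0/0/5 appears once even though it carries two errors, because a single clear on the interface addresses both. The commands are printed rather than executed so that an operator can review them, and the error counts give a quick view of which protection is firing most often.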