Port Security on Aruba Switches

January 30, 2020, Author: Taylor

Configuring Port Security Functionality 

Port security features are configured in a port-security profile (the port-level security configuration). Attaching that profile to an interface is what enforces them on the port. 

Configuring RA Guard Functionality  

RA Guard is enabled at the port level: configure it as part of the port-security profile and attach the profile to the interface. 

(host)(config)# interface-profile port-security-profile <profile-name> 

ipv6-ra-guard action {drop|shutdown} auto-recovery-time <recovery-time> 

The following example shows how to enable the RA Guard functionality: 

(host)(config)# interface-profile port-security-profile RA-Guard1 

ipv6-ra-guard action shutdown auto-recovery-time 60 

Configuring DHCP Trust Functionality  

DHCP Trust is configured as part of the port-level security configuration, and the profile is attached to an interface. 

DHCP Trust can be enabled on any interface. By default, a port-security-profile filters (blocks) DHCP server messages (OFFER and ACK) arriving on the port, so a device on a client port cannot act as a DHCP server for the segment. To allow these messages on a port that connects to a legitimate DHCP server or uplink, you must explicitly enable DHCP Trust (trust dhcp) in the port-security-profile applied to that port. 

(host)(config)# interface-profile port-security-profile <profile-name> 

trust dhcp 

When trust dhcp is not configured, DHCP server packets (OFFER and ACK) received on the port are dropped and a message is logged. 

The following example shows how to enable the DHCP Trust functionality: 

(host)(config)# interface-profile port-security-profile ps1 

trust dhcp 
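RA Guard and DHCP Trust act on two specific kinds of frame: ICMPv6 Router Advertisements (type 134) arriving from a host port, and DHCP server replies (OFFER and ACK) arriving on a port that has not been marked trusted. The following Python is an added example, not Aruba code: it constructs both frame types inline with struct and applies the same per-port decisions the two features make, with a plain dictionary (keys ipv6_ra_guard and trust_dhcp, this example's own names) standing in for the port-security-profile attached to the ingress port.

```python
"""Model of the ipv6-ra-guard and trust dhcp port filters.

Added example, not Aruba code. Frames are constructed inline with struct;
`profile` is an assumed dict standing in for the attached port-security-profile
(keys: ipv6_ra_guard = None | 'drop' | 'shutdown', trust_dhcp = bool).
"""
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
IPPROTO_UDP, IPPROTO_ICMPV6 = 17, 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
BOOTREPLY = 2                       # BOOTP op: 1 = request (client), 2 = reply (server)
DHCP_OFFER, DHCP_ACK = 2, 5         # option 53 message types only a server sends
DHCP_MAGIC = b"\x63\x82\x53\x63"


def ethernet(ethertype, payload):
    """Ethernet II frame: broadcast destination, constructed locally administered source."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv6_icmpv6(icmp_type):
    """40-byte IPv6 header (next header 58) carrying a minimal ICMPv6 message."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 12   # type, code, checksum, body
    src = b"\xfe\x80" + b"\x00" * 14                              # fe80::
    dst = b"\xff\x02" + b"\x00" * 13 + b"\x01"                    # ff02::1, all nodes
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src + dst
    return hdr + icmp


def ipv4_udp_dhcp(op, msg_type, sport, dport):
    """IPv4/UDP datagram carrying a BOOTP header plus DHCP option 53."""
    bootp = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232 + DHCP_MAGIC   # 240-byte fixed part
    udp_payload = bootp + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([255, 255, 255, 255]))
    return ip + udp


def dhcp_message_type(options):
    """Walk the DHCP option TLVs and return the option 53 value, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:               # end
            break
        if code == 0:                 # pad
            i += 1
            continue
        length = options[i + 1]
        if code == 53 and length == 1:
            return options[i + 2]
        i += 2 + length
    return None


def classify(frame, profile):
    """Decide what the port does with one ingress frame.

    Returns (verdict, reason); verdict is 'forward', 'drop' or 'shutdown'.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETH_IPV6 and l3[6] == IPPROTO_ICMPV6 and l3[40] == ICMPV6_ROUTER_ADVERTISEMENT:
        action = profile.get("ipv6_ra_guard")
        if action:
            return action, "RA Guard"
    if ethertype == ETH_IPV4 and l3[9] == IPPROTO_UDP:
        ihl = (l3[0] & 0x0F) * 4
        udp, dhcp = l3[ihl:], l3[ihl + 8:]
        sport, dport = struct.unpack("!HH", udp[:4])
        is_dhcp = {sport, dport} & {67, 68} and dhcp[236:240] == DHCP_MAGIC
        if is_dhcp and dhcp[0] == BOOTREPLY:
            if dhcp_message_type(dhcp[240:]) in (DHCP_OFFER, DHCP_ACK) and not profile.get("trust_dhcp"):
                return "drop", "DHCP Trust Error"    # the error string show port-error-recovery uses
    return "forward", ""


if __name__ == "__main__":
    ra = ethernet(ETH_IPV6, ipv6_icmpv6(ICMPV6_ROUTER_ADVERTISEMENT))
    offer = ethernet(ETH_IPV4, ipv4_udp_dhcp(BOOTREPLY, DHCP_OFFER, 67, 68))
    for name, frame in (("Router Advertisement", ra), ("DHCP OFFER", offer)):
        print(name, "on access port:", classify(frame, {"ipv6_ra_guard": "shutdown"}))
        print(name, "on uplink with trust dhcp:", classify(frame, {"trust_dhcp": True}))
```

Run as a script it classifies an RA and a DHCP OFFER once on an untrusted access port and once on an uplink with trust dhcp. Client-originated traffic (Router Solicitations, DHCP DISCOVER) passes in both cases, which is the property that lets a rogue router or rogue DHCP server on an edge port be silenced without breaking the real uplink.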

Configuring Loop Protect Functionality  

Port Loop Protect functionality is configured as part of the port level security configuration. You can attach the port-security profile to any Layer 2 interface. Enabling Loop Protect will disable a port when it detects a loop. You can automatically re-enable the port by setting the auto-recovery option. Otherwise, you can recover the port manually using the clear command. 

Use the following CLI commands to enable Loop Protect and the auto-recovery option: 

(host) (config) #interface-profile port-security-profile <profile-name> 

(host) (Port security profile “<profile-name>”) #loop-protect auto-recovery-time <time in seconds> 

Set a value for auto-recovery-time to enable the auto-recovery option. The port automatically re-enables and recovers from the error after the specified time. By default, auto-recovery is disabled, and it remains disabled if you enable loop-protect without setting the auto-recovery-time option or if you set the value to 0. 

Use the following command to disable the auto-recovery option: 

(host) (Port security profile “<profile-name>”) #no loop-protect auto-recovery-time 

Use the following command to disable the Loop Protect functionality: 

(host) (Port security profile “<profile-name>”) #no loop-protect 

It is recommended that you disable Spanning Tree using the following command before enabling Loop Protect on an interface: 

(host) (config) #spanning-tree no mode 

Otherwise, you will see the following warning message: 

Warning: Port Loop Protect configured in the port-security-profile, will be inactive. It becomes active when MSTP/PVST is disabled. 

Configuring MAC Limit Functionality 

The MAC Limit functionality will be configured as part of the port level security configuration. You can attach this profile to an interface. 

Use the following command to configure the MAC Limit: 

(host)(config)# interface-profile port-security-profile <profile-name> 

mac-limit <limit> action {drop|log|shutdown} auto-recovery-time <time in seconds> 

The following example limits the port to 30 MAC addresses, shuts the port down when the limit is exceeded, and re-enables it after 50 seconds: 

(host)(config)# interface-profile port-security-profile MAC_Limit 

mac-limit 30 action shutdown auto-recovery-time 50 

The maximum value of auto-recovery-time for all port security functions is 65,535 seconds. The auto-recovery-time option applies only when the action is shutdown; with the log and drop actions the port stays up and the error is cleared manually. 

MAC Limit on Untrusted Ports 

The Mobility Access Switch allows you to configure the MAC limit on untrusted ports. You can also choose to configure the action to take when the number of MAC addresses on the untrusted ports exceeds the configured limit. By default, the MAC limit option for a port is disabled.  

Important Points to Note: 

  You can configure log, drop, or shutdown as the action to take when the number of MAC addresses on the port exceeds the configured MAC limit. 
  With the log action, a syslog message is generated and the interface is marked with a log error; new MAC addresses beyond the configured MAC limit are dropped in software. 
  With the drop action, a syslog message is generated and the interface is marked with a drop error; new MAC addresses beyond the configured MAC limit are dropped in hardware. 
  With the shutdown action, a syslog message is generated, the interface is marked with a shutdown error, and the interface is brought down; recover it either by clearing the interface error from the CLI or by configuring the auto-recovery-time option so that the port comes back up when the timer expires. 

To see these syslog messages, enable logging for the security facility at level errors or debugging (logging level errors security, or logging level debugging security). 

You can enable and configure the MAC limit for a port by using the CLI. 

Configuring MAC Limit and Action 

You can enable the MAC Limit option on Mobility Access Switches using the following CLI command: 

(host) (config) #aaa profile <profile-name> 

(host) (AAA Profile “<profile-name>”) #mac-limit <mac_limit> action {log | drop | shutdown [auto-recovery-time <timeout>]} 

The preceding command enables the MAC limit option, sets the number of MAC addresses allowed on an untrusted port, and sets the action to take when that number is exceeded. 

For <mac_limit>, the allowed range is 1–512. 

For <timeout>, the default value is 0, which means no auto-recovery; the allowed range of values (in seconds) is 0–65535.  

The auto-recovery timer applies only when you have configured the shutdown action. 

The port error is cleared automatically on any of the following events: 

  The port is changed from untrusted to trusted. 
  The AAA profile is unlinked from the gigabitethernet interface, vlan-profile, or interface-group profile. 
  The MAC address count on the port falls below the configured MAC limit because a user entry is deleted. 

You can enable and configure the MAC limit on an AAA profile and link the profile to a gigabit ethernet interface, vlan-profile, or interface-group profile. 

(host) (config) #interface gigabitethernet <slot>/<module>/<port> 

(host) (gigabitethernet “<slot>/<module>/<port>”) #aaa-profile <profile-name> 

Verifying Enforced Action on MAC Limit Exceed 

You can verify whether the configured action was enforced when the number of MAC addresses exceeded the configured MAC limit on an untrusted port. To verify, execute the following show command: 

(host) #show port-error-recovery untrusted 

Clearing Log/Drop/Shutdown Errors on Interface 

You can execute the following clear command to clear the log/drop/shutdown errors on an interface: 

(host) #clear port-error-recovery untrusted interface gigabitethernet <slot>/<module>/<port> 

You can execute the following clear command to clear the log/drop/shutdown errors on all untrusted ports: 

(host) #clear port-error-recovery untrusted 

Configuring Sticky MAC 

The Sticky MAC learning is configured as part of the port-level security configuration. You can attach this profile to an interface. 

Starting from ArubaOS 7.4.0.2, the Mobility Access Switch allows you to configure the Sticky MAC feature with an action to take when a Sticky MAC violation occurs. The allowed actions are: 

  Drop—Drops any new MAC addresses trying to connect to the interface. This is the default option. 
  Shutdown—Shuts down the port on which the sticky MAC violation occurs. You can also optionally set an auto-recovery time between 0-65,535 seconds for the interface to recover. 

Enabling Sticky MAC 

Use the following command to enable Sticky MAC: 

(host)(config)# interface-profile port-security-profile <profile-name> sticky-mac 

Use the following command to configure a Sticky MAC action: 

(host) (Port security profile “<profile-name>”) #sticky-mac action {drop | shutdown [auto-recovery-time <1-65535>]} 

The following example shows how to enable Sticky MAC: 

(host)(config)# interface-profile port-security-profile PSP sticky-mac 

Use the following command to disable Sticky MAC: 

(host)(config)# interface-profile port-security-profile <profile-name> no sticky-mac 

The following example shows how to disable Sticky MAC: 

(host)(config)# interface-profile port-security-profile PSP no sticky-mac 

The following example shows how to configure a Sticky MAC action in case of a Sticky MAC violation: 

(host) (Port security profile “<profile-name>”) #sticky-mac action shutdown auto-recovery-time 10 
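The MAC Limit and Sticky MAC sections above describe one enforcement loop from two angles: addresses are learned until a limit is reached, the configured action (log, drop, or shutdown) fires on the next new address, and a shut-down port comes back either when auto-recovery-time expires or on a manual clear. The following Python is an added example, not Aruba code, that models that loop for a single port and checks the constraints stated on this page (mac-limit 1 to 512, timers 0 to 65,535 seconds, auto-recovery only with the shutdown action). It assumes that a sticky-mac port turns learned addresses into sticky entries until its mac-limit is reached, and it takes the current time as a parameter instead of reading a clock.

```python
"""Toy model of MAC Limit and Sticky MAC enforcement on one switch port.

Added example, not Aruba code. Assumptions: a sticky-mac port keeps learning
sticky addresses until mac-limit is reached, and `now` is supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortSecurityProfile:
    mac_limit: Optional[int] = None
    mac_limit_action: str = "drop"          # log | drop | shutdown
    auto_recovery_time: int = 0             # seconds; 0 means no auto-recovery
    sticky_mac: bool = False
    sticky_mac_action: str = "drop"         # drop | shutdown
    sticky_auto_recovery_time: int = 0

    def validate(self):
        """Return the constraints from this page that the profile violates."""
        problems = []
        if self.mac_limit is not None and not 1 <= self.mac_limit <= 512:
            problems.append("mac-limit must be 1-512")
        for name, value in (("auto-recovery-time", self.auto_recovery_time),
                            ("sticky-mac auto-recovery-time", self.sticky_auto_recovery_time)):
            if not 0 <= value <= 65535:
                problems.append(f"{name} must be 0-65535")
        if self.auto_recovery_time and self.mac_limit_action != "shutdown":
            problems.append("auto-recovery-time applies only to the shutdown action")
        if self.sticky_auto_recovery_time and self.sticky_mac_action != "shutdown":
            problems.append("sticky-mac auto-recovery-time applies only to the shutdown action")
        return problems


@dataclass
class Port:
    profile: PortSecurityProfile
    learned: set = field(default_factory=set)    # dynamic entries; flushed when the port goes down
    sticky: set = field(default_factory=set)     # kept until clear mac-address-table ... sticky
    error: Optional[str] = None                  # as listed by show port-error-recovery
    down: bool = False
    recover_at: Optional[int] = None
    log: list = field(default_factory=list)

    def ingress(self, src_mac, now):
        """Handle one frame from src_mac at time `now`; return 'forward' or 'drop'."""
        self._auto_recover(now)
        if self.down:
            return "drop"
        if src_mac in self.sticky or src_mac in self.learned:
            return "forward"
        p = self.profile
        if p.mac_limit is not None and len(self.sticky) + len(self.learned) >= p.mac_limit:
            if p.sticky_mac:
                return self._violation("Sticky MAC", p.sticky_mac_action, p.sticky_auto_recovery_time, now)
            return self._violation("MAC Limit Exceeded", p.mac_limit_action, p.auto_recovery_time, now)
        (self.sticky if p.sticky_mac else self.learned).add(src_mac)
        return "forward"

    def _violation(self, what, action, recovery, now):
        self.error = f"{action.capitalize()} ({what})"
        self.log.append(f"t={now} {self.error}")                    # the syslog the page mentions
        if action == "shutdown":
            self.down, self.learned = True, set()
            self.recover_at = now + recovery if recovery else None  # None: manual clear only
        return "drop"   # log: dropped in software; drop: dropped in hardware; shutdown: link down

    def _auto_recover(self, now):
        if self.down and self.recover_at is not None and now >= self.recover_at:
            self.clear_error()

    def clear_error(self):
        """clear port-error-recovery interface ...: clear the error and bring the port up."""
        self.error, self.down, self.recover_at = None, False, None

    def remove(self, mac):
        """Delete one address; a log/drop error clears once the count is below the limit again."""
        self.learned.discard(mac)
        self.sticky.discard(mac)
        limit = self.profile.mac_limit
        if not self.down and limit is not None and len(self.learned) + len(self.sticky) < limit:
            self.error = None
```

A shutdown with auto-recovery-time flushes the dynamic table and comes back on the timer; a drop action leaves the port up for the addresses already present and silently discards newcomers, which is why drop, not shutdown, is the usual choice where an attacker could otherwise knock a legitimate host offline by flooding source addresses.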

Viewing Sticky MAC  

Execute the following command to view the Sticky MAC addresses on a Mobility Access Switch: 

(host) #show mac-address-table sticky 

Execute the following command to view the Sticky MAC addresses on a VLAN: 

(host) #show mac-address-table vlan <id> sticky 

Execute the following command to view the Sticky MAC addresses on an interface: 

(host) #show mac-address-table interface <interface-name> sticky 

Verifying Sticky MAC Configuration 

Execute the following command to verify the Sticky MAC configuration: 

(host) #show interface-profile port-security-profile <profile-name> 

The following command verifies the sample configuration: 

(host) #show interface-profile port-security-profile profile1stky 

Port security profile “profile1stky”
------------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Sticky MAC                            Enabled
Sticky MAC Action                     Shutdown
Sticky MAC Auto Recovery Time         10 Seconds
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
IP Source Guard                       N/A
Dynamic Arp Inspection                N/A

Clearing Sticky MAC Addresses 

Execute the following command to remove all Sticky MAC addresses on a Mobility Access Switch: 

(host) #clear mac-address-table sticky 

Execute the following command to remove the Sticky MAC addresses on a VLAN: 

(host) #clear mac-address-table vlan <id> sticky 

Execute the following command to remove the Sticky MAC addresses on an interface: 

(host) #clear mac-address-table interface <interface-name> sticky 

Execute the following command to remove a specific Sticky MAC address on a VLAN: 

(host) #clear mac-address-table vlan <id> mac <mac-address> sticky 

Execute the following command to remove a specific Sticky MAC address on an interface: 

(host) #clear mac-address-table interface <interface-name> mac <mac-address> sticky 

Execute the following command to remove the Sticky MAC addresses learned on a given interface in a VLAN: 

(host) #clear mac-address-table vlan <id> interface <interface-name> sticky 

Configuring IP Source Guard 

The IPSG functionality can be configured as part of the port level security configuration. This profile can be attached to the interface. 

Use the following command to configure the IPSG: 

(host)(config)# interface-profile port-security-profile <profile-name> 

ip-src-guard  

Verifying IP Source Guard 

You can use the following command to display all the interfaces on which IPSG is enabled, and the type of IPSG filter: 

(host) #show ip source-guard 

IPSG interface Info
-------------------
Interface  IPSG
---------  ----
GE0/0/12   Enabled
GE0/0/20   Enabled
GE1/0/20   Enabled
GE1/0/24   Enabled
GE2/0/16   Enabled
GE2/0/20   Enabled
GE3/0/8    Enabled
GE3/0/20   Enabled

You can use the following command to display whether IPSG is enabled on a specific interface, along with the type of filter (IP only, or IP with MAC binding): 

(host) #show ip source-guard interface gigabitethernet 0/0/12 

IPSG interface Info
-------------------
Interface  IPSG     MAC Binding
---------  ----     -----------
GE0/0/12   Enabled  Disabled

You can use the following command to display the IP and MAC bindings that IPSG permits on the interface: 

(host) #show ip source-guard interface gigabitethernet 0/0/12 detail 

IPSG allowed users on the interface
-----------------------------------
IP Address   Mac Address  VLAN
----------   -----------  ----
172.2.1.255  NA           2

You can use the following command to verify the IPSG configuration: 

(host) #show interface-profile port-security-profile techpubs 

Port security profile “techpubs”
--------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
Sticky MAC                            N/A
IP Source Guard                       Enabled
IP Source Guard with MAC binding      N/A
Dynamic Arp Inspection                N/A

Configuring DAI 

The DAI functionality can be configured as part of the port level security configuration. This profile can be attached to the interface. 

You can use the following command to configure DAI: 

(host)(config)# interface-profile port-security-profile <profile-name> 

dynamic-arp-inspection 

Verifying DAI 

You can use the following command to verify the DAI configuration: 

(host) #show interface-profile port-security-profile abc 

Port security profile “abc”
---------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
Sticky MAC                            N/A
Dynamic Arp Inspection                Enabled
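The three show interface-profile port-security-profile outputs above (profile1stky, techpubs, abc) each enable a single protection and leave the rest at N/A, which is exactly the condition an audit should catch on a profile meant for access ports. The following Python is an added example, not Aruba code: it parses that output (SAMPLE is constructed from the profile1stky output above) and compares it with ACCESS_BASELINE, a policy of this example's own for an untrusted edge port (RA Guard, a MAC limit, IPSG and DAI present, Trust DHCP left at No), not an Aruba recommendation.

```python
"""Parse `show interface-profile port-security-profile` output and audit it.

Added example, not Aruba code. SAMPLE is constructed from the profile1stky
output on this page; ACCESS_BASELINE is this example's own access-port policy.
"""
import re

SAMPLE = """\
Port security profile "profile1stky"
------------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Sticky MAC                            Enabled
Sticky MAC Action                     Shutdown
Sticky MAC Auto Recovery Time         10 Seconds
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
IP Source Guard                       N/A
Dynamic Arp Inspection                N/A
"""

# Values come from a closed vocabulary, so anchor on the value rather than on column positions;
# the non-greedy name then absorbs multi-word parameter names such as "MAC Limit Auto Recovery Time".
ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>N/A|Enabled|Disabled|Yes|No|Log|Drop|Shutdown|\d+(?: Seconds)?)$")
TITLE = re.compile(r'Port security profile [“"](?P<name>[^”"]+)[”"]')


def parse_profile(text):
    """Return (profile name, {parameter: value}) from one show output."""
    title = TITLE.search(text)
    params = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            params[m.group("name")] = m.group("value")
    return (title.group("name") if title else None), params


# Example policy for an untrusted edge port: parameter -> acceptable values,
# or None meaning "any value except N/A" (e.g. any MAC limit).
ACCESS_BASELINE = {
    "IPV6 RA Guard Action": {"Drop", "Shutdown"},   # hosts must not advertise themselves as routers
    "MAC Limit": None,                              # some limit must be set
    "Trust DHCP": {"No"},                           # only uplinks and DHCP servers get trust dhcp
    "IP Source Guard": {"Enabled"},
    "Dynamic Arp Inspection": {"Enabled"},
}


def audit(params, baseline=ACCESS_BASELINE):
    """Return findings for a parsed profile; empty when it meets the baseline."""
    findings = []
    for param, allowed in baseline.items():
        value = params.get(param, "N/A")
        ok = value != "N/A" if allowed is None else value in allowed
        if not ok:
            findings.append(f"{param} is {value}")
    return findings


if __name__ == "__main__":
    name, params = parse_profile(SAMPLE)
    for finding in audit(params):
        print(f"{name}: {finding}")
```

Feeding every profile's show output through parse_profile and audit turns the per-profile tables into a single list of gaps, and the same parser works for the techpubs and abc outputs because it keys on the value vocabulary rather than on row order.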

Attaching Port Security Profile to Interface 

To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface: 

For Gigabitethernet: 

(host) (config) #interface gigabitethernet <slot/mod/port> 

(host) (gigabitethernet “<slot/mod/port>”) #port-security-profile <profile-name> 

For Port-channel: 

(host) (config) #interface port-channel <id> 

(host) (port-channel “<id>”) #port-security-profile <profile-name> 

Viewing Port Errors 

Use the following command to view the list of ports that are detected with port errors and the time at which they will be recovered automatically, if auto-recovery is enabled: 

(host) #show port-error-recovery 

Layer-2 Interface Error Information
-----------------------------------
Interface  Error                      Recovery Time
---------  -----                      -------------
Pc5        Shutdown (Loop Detected)   2012-02-08 16:42:45 (PST)
GE0/0/42   Shutdown (Loop Detected)   No Auto recovery
Pc1        Shutdown (Loop Detected)   2012-02-07 16:45:40 (PST)
Pc2        Shutdown (RA Guard)        2012-02-08 16:42:45 (PST)
GE0/0/14   Log (Mac Limit Exceeded)   No Auto recovery
GE0/0/2    Drop (DHCP Trust Error)    2012-02-07 16:45:40 (PST)
GE0/0/5    Log (MAC Limit exceed)     No Auto recovery
           Drop (RA guard)            No Auto recovery
GE1/0/24   Shutdown (BPDU received)   2012-10-18 11:25:17 (PST)
           No Auto Recovery

Recovering Ports Manually 

Use the CLI to recover ports manually. To clear the errors on a specific interface, execute the following command: 

(host) #clear port-error-recovery interface <interface-name> 

The following command clears the errors on gigabitethernet 0/0/42: 

(host) #clear port-error-recovery interface gigabitethernet 0/0/42 

To clear the port errors on all interfaces execute the following command: 

(host) #clear port-error-recovery 
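When many ports carry errors, the operational question is which of them will not recover on their own. The following Python is an added example, not Aruba code: it parses show port-error-recovery output (SAMPLE is constructed from the output shown above), treats a row with no interface column as a second error on the preceding interface, and produces the clear port-error-recovery commands for every port listed as No Auto recovery. The interface port-channel <id> form of the clear command is an assumption; the page only shows the gigabitethernet form.

```python
"""Parse `show port-error-recovery` and build the manual recovery commands.

Added example, not Aruba code. SAMPLE is constructed from the output on this
page; the port-channel clear syntax is assumed, the page shows only gigabitethernet.
"""
import re

SAMPLE = """\
Layer-2 Interface Error Information
-----------------------------------
Interface  Error                      Recovery Time
---------  -----                      -------------
Pc5        Shutdown (Loop Detected)   2012-02-08 16:42:45 (PST)
GE0/0/42   Shutdown (Loop Detected)   No Auto recovery
Pc1        Shutdown (Loop Detected)   2012-02-07 16:45:40 (PST)
Pc2        Shutdown (RA Guard)        2012-02-08 16:42:45 (PST)
GE0/0/14   Log (Mac Limit Exceeded)   No Auto recovery
GE0/0/2    Drop (DHCP Trust Error)    2012-02-07 16:45:40 (PST)
GE0/0/5    Log (MAC Limit exceed)     No Auto recovery
           Drop (RA guard)            No Auto recovery
GE1/0/24   Shutdown (BPDU received)   2012-10-18 11:25:17 (PST)
"""

# Interface is optional so that a continuation row (second error on the same port) still matches.
ROW = re.compile(r"^(?:(?P<intf>\S+)\s+)?(?P<action>Log|Drop|Shutdown)\s+\((?P<reason>[^)]+)\)\s+(?P<recovery>.+)$")


def cli_interface(short):
    """Map the short name in show output to the CLI form: GE0/0/42 -> gigabitethernet 0/0/42."""
    m = re.fullmatch(r"GE(\d+/\d+/\d+)", short)
    if m:
        return f"gigabitethernet {m.group(1)}"
    m = re.fullmatch(r"Pc(\d+)", short)
    if m:
        return f"port-channel {m.group(1)}"       # assumed syntax for port-channel interfaces
    raise ValueError(f"unknown interface name: {short}")


def parse_port_errors(text):
    """Return one dict per error row, carrying the interface forward onto continuation rows."""
    records, current = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                              # title, column headers, separator lines
        if m.group("intf"):
            current = m.group("intf")
        recovery = m.group("recovery").strip()
        records.append({
            "interface": current,
            "action": m.group("action"),
            "reason": m.group("reason"),
            "recovery": recovery,
            "auto_recovery": recovery.lower() != "no auto recovery",
        })
    return records


def clear_commands(records):
    """Clear commands for ports that will not recover by themselves, one per port, in output order."""
    seen, cmds = set(), []
    for r in records:
        if r["auto_recovery"] or r["interface"] in seen:
            continue
        seen.add(r["interface"])
        cmds.append(f"clear port-error-recovery interface {cli_interface(r['interface'])}")
    return cmds


if __name__ == "__main__":
    for cmd in clear_commands(parse_port_errors(SAMPLE)):
        print(cmd)
```

Review the reasons before running the commands: a port that hit MAC Limit or RA Guard was misbehaving, and clearing the error without finding the device behind it simply restarts the cycle.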
