Configuring port security
Port security provides MAC-based network access control. It prevents unauthorized access to the network
by checking the source MAC address of inbound traffic. It also prevents access to unauthorized devices
by checking the destination MAC address of outbound traffic.
Port security enables you to control MAC address learning and authentication on ports. The feature
makes sure that a port learns only legal source MAC addresses.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source
MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the
MAC address or performs authentication, depending on the security mode.
If the frame is illegal, the port takes the pre-defined NTK, intrusion protection, or trapping action. A
frame is illegal if its source MAC address cannot be learned in a port security mode or if it is from a
client that has failed 802.1X or MAC authentication.
The port security feature can automatically take a pre-defined action on illegal frames. This automatic
mechanism enhances network security and reduces human intervention.
The security modes of the port security feature provide extended and combined use of 802.1X
authentication and MAC authentication. They apply to scenarios that require both 802.1X authentication
and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication,
HP recommends that you configure 802.1X authentication or MAC authentication rather than port
security. For more information about 802.1X and MAC authentication, see "Configuring MAC authentication."
Port security features
NTK
The NTK feature prevents traffic interception by checking the destination MAC address in the outbound
frames. The feature makes sure that frames are sent only to hosts that have passed authentication or
whose MAC addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and
takes a pre-defined action on each detected illegal frame. The action can be disabling the port
temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3
minutes (not user configurable).
Port security traps
You can configure the port security module to send traps for port security events such as login, logoff,
and MAC authentication. These traps help you monitor user behaviors.
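As an added illustration (not code from the HP guide or the switch itself), the following Python model walks through the inbound and outbound checks described above: a source MAC that is already in the table is forwarded, an unknown source is learned only when the port's mode permits it, an illegal frame triggers the intrusion protection action, and NTK drops outbound frames whose destination is not a known host. The max-MAC-count limit on learning and the "autoLearn"/"secure" mode names are assumptions for the model; the 3-minute block duration is the fixed value stated in the text.

```python
import time
from dataclasses import dataclass, field

# Illegal source MACs are blocked for 3 minutes (fixed duration, per the feature description).
BLOCK_SECONDS = 3 * 60


@dataclass
class SecurePort:
    mode: str                      # "autoLearn" (learning permitted) or "secure" (learning disabled)
    max_macs: int = 1              # assumed cap on learned addresses in autoLearn mode
    ntk: bool = True               # need-to-know check on outbound frames
    intrusion: str = "blockmac"    # intrusion action: "blockmac" or "disableport" (permanent)
    mac_table: set = field(default_factory=set)   # learned, configured or authenticated MACs
    blocked: dict = field(default_factory=dict)   # illegal MAC -> time its block expires
    enabled: bool = True           # False once intrusion protection has disabled the port

    def inbound(self, src_mac, now=None):
        """Classify an inbound frame by source MAC: 'forward', 'learn' or 'drop'."""
        now = time.time() if now is None else now
        if not self.enabled:
            return "drop"
        # Frames from a blocked MAC are dropped until the block expires.
        if src_mac in self.blocked:
            if now < self.blocked[src_mac]:
                return "drop"
            del self.blocked[src_mac]
        # Known source: forward. Unknown source: learn it only if the mode allows.
        if src_mac in self.mac_table:
            return "forward"
        if self.mode == "autoLearn" and len(self.mac_table) < self.max_macs:
            self.mac_table.add(src_mac)
            return "learn"
        # Illegal frame: take the configured intrusion protection action.
        if self.intrusion == "blockmac":
            self.blocked[src_mac] = now + BLOCK_SECONDS
        elif self.intrusion == "disableport":
            self.enabled = False
        return "drop"

    def outbound(self, dst_mac):
        """NTK check: send only to hosts whose MAC is learned, configured or authenticated."""
        if not self.ntk or dst_mac in self.mac_table:
            return "send"
        return "drop"
```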
Port security modes
Port security supports the following categories of security modes:
• MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.