Table of Contents

1 Port Security Configuration
  Port Security Overview
    Introduction
    Port Security Features
    Port Security Modes
  Port Security Configuration Task List
    Enabling Port Security
    Setting the Maximum Number of MAC Addresses Allowed on a Port
    Setting the Port Security Mode
    Configuring Port Security Features
    Ignoring the Authorization Information from the RADIUS Server
    Configuring Security MAC Addresses
  Displaying and Maintaining Port Security Configuration
  Port Security Configuration Example
    Port Security Configuration Example
2 Port Binding Configuration
  Port Binding Overview
    Introduction
    Configuring Port Binding
  Displaying and Maintaining Port Binding Configuration
  Port Binding Configuration Example
    Port Binding Configuration Example
1 Port Security Configuration

When configuring port security, go to these sections for information you are interested in:
- Port Security Overview
- Port Security Configuration Task List
- Displaying and Maintaining Port Security Configuration
- Port Security Configuration Example
Port Security Overview
Introduction
Port security is a network access control mechanism that extends 802.1x and MAC address authentication.
Port security lets you choose among several security modes that control how a port learns legal source MAC addresses, so that you can apply the level of network access control each port needs.
With port security enabled, packets whose source MAC addresses the switch cannot learn in the current security mode are treated as illegal packets, and events that fail 802.1x or MAC authentication are treated as illegal events.
Upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes the pre-defined actions automatically. This reduces your maintenance workload and improves both security and manageability.
Port Security Features
The following port security features are provided:
- NTK (need to know): By checking the destination MAC address of each outbound frame on the port, NTK ensures that the switch sends frames through the port only to successfully authenticated devices, preventing unauthorized devices from intercepting network data.
- Intrusion protection: By checking the source MAC addresses of inbound frames, or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action. The available actions are disabling the port temporarily or permanently, and blocking frames from the MAC address judged illegal.
- Trap: When special packets (generated by illegal intrusion, abnormal login/logout or other special activities) pass through the port, the Trap feature makes the switch send Trap messages so that the network administrator can monitor these activities.
Port Security Modes
Table 1-1 describes the available port security modes:
Table 1-1 Description of port security modes

Security mode: noRestriction
  Description: In this mode, access to the port is not restricted.
  Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.

Security mode: autolearn
  Description: In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses. The port automatically changes to the secure mode once the number of security MAC addresses on the port reaches the maximum configured with the port-security max-mac-count command. After the port security mode has changed to secure, only packets whose source MAC addresses are learned security MAC addresses or configured dynamic MAC addresses can pass through the port.
  Feature: In either the autolearn or the secure mode, the device triggers NTK and intrusion protection upon detecting an illegal packet.

Security mode: secure
  Description: In this mode, the port is disabled from learning MAC addresses. Only packets whose source MAC addresses are learned security MAC addresses, or static or dynamic MAC addresses, can pass through the port.
  Feature: As for autolearn.

Security mode: userlogin
  Description: In this mode, port-based 802.1x authentication is performed for access users.
  Feature: In this mode, neither NTK nor intrusion protection is triggered.

Security mode: userLoginSecure
  Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds, and once enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated user is allowed to access the port. When the port changes from the noRestriction mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port.
  Feature: In this mode and in all the modes listed below it, the device triggers the NTK and intrusion protection features upon detecting an illegal packet or illegal event.

Security mode: userLoginSecureExt
  Description: This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
  Feature: As for userLoginSecure.

Security mode: userLoginWithOUI
  Description: This mode is similar to the userLoginSecure mode, except that, besides the packets of the single 802.1x-authenticated user, packets whose source MAC addresses have a particular OUI are also allowed to pass through the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic/authenticated MAC address entries on the port.
  Feature: As for userLoginSecure.

Security mode: macAddressWithRadius
  Description: In this mode, MAC address-based authentication is performed for access users.
  Feature: As for userLoginSecure.

Security mode: macAddressOrUserLoginSecure
  Description: In this mode, both MAC authentication and 802.1x authentication can be performed, but 802.1x authentication has the higher priority. 802.1x authentication can still be performed on an access user who has passed MAC authentication; no MAC authentication is performed on an access user who has passed 802.1x authentication. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  Feature: As for userLoginSecure.

Security mode: macAddressOrUserLoginSecureExt
  Description: This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
  Feature: As for userLoginSecure.

Security mode: macAddressElseUserLoginSecure
  Description: In this mode, a port performs MAC authentication of an access user first. If that succeeds, the user is authenticated; otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  Feature: As for userLoginSecure.

Security mode: macAddressElseUserLoginSecureExt
  Description: This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
  Feature: As for userLoginSecure.

Security mode: macAddressAndUserLoginSecure
  Description: In this mode, a port first performs MAC authentication for a user and then performs 802.1x authentication for the user if the user passes MAC authentication. The user can access the network only after passing both authentications. In this mode, at most one user can access the network.
  Feature: As for userLoginSecure.

Security mode: macAddressAndUserLoginSecureExt
  Description: This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network.
  Feature: As for userLoginSecure.

Notes:
- When the port operates in the userlogin-withoui mode, intrusion protection is not triggered even if the OUI address does not match.
- On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC-based authentication and 802.1x authentication of the same packet fail.
Port Security Configuration Task List

Complete the following tasks to configure port security:
- Enabling Port Security: required
- Setting the Maximum Number of MAC Addresses Allowed on a Port: optional
- Setting the Port Security Mode: required
- Configuring Port Security Features: optional; choose one or more of the following as required
  - Configuring the NTK feature
  - Configuring intrusion protection
  - Configuring the Trap feature
- Ignoring the Authorization Information from the RADIUS Server: optional
- Configuring Security MAC Addresses: optional
Enabling Port Security

Configuration Prerequisites

Before enabling port security, you need to disable 802.1x and MAC authentication globally.

Enabling Port Security

Follow these steps to enable port security:
1. Enter system view: system-view
2. Enable port security: port-security enable (required; disabled by default)

Enabling port security resets the following configurations on the ports to their defaults (shown in parentheses):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
In addition, you cannot perform the above configurations manually, because they change automatically with the port security mode.
- For details about 802.1x configuration, refer to the sections covering 802.1x and System-Guard.
- For details about MAC authentication configuration, refer to the sections covering MAC authentication configuration.
Setting the Maximum Number of MAC Addresses Allowed on a Port

Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
By setting the maximum number of MAC addresses allowed on a port, you can:
- Control the maximum number of users who are allowed to access the network through the port
- Control the number of security MAC addresses that can be added with port security
This setting is different from the maximum number of MAC addresses that a port can learn, which is configured in MAC address management.

Follow these steps to set the maximum number of MAC addresses allowed on a port:
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Set the maximum number of MAC addresses allowed on the port: port-security max-mac-count count-value (required; not limited by default)
Setting the Port Security Mode

Follow these steps to set the port security mode:
1. Enter system view: system-view
2. Set the OUI value for user authentication: port-security oui OUI-value index index-value (optional; in userLoginWithOUI mode, a port supports one 802.1x user plus one user whose source MAC address has a specified OUI value)
3. Enter Ethernet port view: interface interface-type interface-number
4. Set the port security mode: port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } (required; by default, a port operates in noRestriction mode, in which access to the port is not restricted. Set the port security mode as needed.)
Notes:
- Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
- When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
- After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.
- If the port is in a security mode other than noRestriction, before you can change the port security mode, you need to restore it to noRestriction with the undo port-security port-mode command.
- If the port-security port-mode command has been executed on a port, none of the following can be configured on the same port:
  - Maximum number of MAC addresses that the port can learn
  - Reflector port for port mirroring
  - Link aggregation
Configuring Port Security Features

Configuring the NTK feature

Follow these steps to configure the NTK feature:
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Configure the NTK feature: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts } (required; by default, NTK is disabled on a port, that is, all frames are allowed to be sent)

Currently, the 4200G does not support the ntkonly NTK mode.
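The following Python model is an added example, not code from the switch or its vendor. It shows what the NTK check does to outbound frames on a port: each frame's destination MAC is compared with the set of MAC addresses that authenticated on that port, so a device plugged into the port that never authenticated does not receive unicast traffic. The per-mode treatment of broadcast and multicast frames (ntkonly passes only unicast to authenticated MACs; ntk-withbroadcasts also passes broadcasts; ntk-withmulticasts also passes broadcasts and multicasts) is this example's reading of the mode names and is an assumption; the class and function names and the sample MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Model of the NTK (need-to-know) outbound check. Added example; the
# per-mode handling of broadcast/multicast frames is an assumption read
# from the mode names, and every address below is a constructed sample.

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """IEEE 802 group-address bit: least significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class NtkPort:
    # None models "NTK disabled" (the default): every frame is sent.
    mode: Optional[str] = None
    # MAC addresses of devices that successfully authenticated on this port.
    authenticated: Set[str] = field(default_factory=set)

    def allows_out(self, dst_mac: str) -> bool:
        """True if a frame with this destination MAC may leave the port."""
        dst = dst_mac.lower()
        if self.mode is None:
            return True
        if dst in self.authenticated:
            return True                    # known, authenticated receiver
        if dst == BROADCAST:               # checked before the multicast test:
            return self.mode in (          # the broadcast address also has the
                "ntk-withbroadcasts",      # group bit set
                "ntk-withmulticasts",
            )
        if is_multicast(dst):
            return self.mode == "ntk-withmulticasts"
        # Unicast to a MAC that never authenticated on this port: an
        # eavesdropper attached to the port does not get to see it.
        return False

    def filter_outbound(self, dst_macs: List[str]) -> List[str]:
        """Subset of destination MACs the port would actually send frames to."""
        return [m for m in dst_macs if self.allows_out(m)]


if __name__ == "__main__":
    port = NtkPort(mode="ntk-withbroadcasts", authenticated={"00:01:02:03:04:05"})
    for dst in ["00:01:02:03:04:05", "00:0a:0b:0c:0d:0e", BROADCAST, "01:00:5e:00:00:01"]:
        print(dst, "sent" if port.allows_out(dst) else "dropped")
```

Run with no arguments to see one mode's decisions. Note the interaction the page describes below for blockmac: the model assumes the authenticated set is the only thing NTK consults, which is exactly why a MAC that intrusion protection has blocked is not something NTK itself can act on.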
Configuring intrusion protection

Follow these steps to configure the intrusion protection feature:
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Set the action the switch takes when intrusion protection is triggered: port-security intrusion-mode { blockmac | disableport | disableport-temporarily } (required; by default, intrusion protection is disabled)
4. Return to system view: quit
5. Set the time during which the port remains disabled: port-security timer disableport timer (optional; 20 seconds by default)

The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set how long the port remains disabled.
If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch cannot stop frames destined to a MAC address that has been judged illegal from being sent out that port; that is, NTK does not take effect on frames whose destination MAC address is an illegal (blocked) address.
Configuring the Trap feature

Follow these steps to configure port security trapping:
1. Enter system view: system-view
2. Enable sending traps for the specified type of event: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } (required; by default, no trap is sent)
Ignoring the Authorization Information from the RADIUS Server

After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.

Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Ignore the authorization information from the RADIUS server: port-security authorization ignore (required; by default, a port uses the authorization information from the RADIUS server)
Configuring Security MAC Addresses

Security MAC addresses are special MAC addresses that never age out. A security MAC address can be added to only one port in a given VLAN, so adding one binds that MAC address to a single port within the VLAN.
Security MAC addresses can be learned by the auto-learn function of port security or configured manually.
- Before adding security MAC addresses to a port, you must set the port security mode to autolearn. After this configuration, the port changes the way it learns MAC addresses as follows:
  - The port deletes its existing dynamic MAC addresses.
  - If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses.
  - Once the number of security MAC addresses reaches the maximum, the port stops learning new MAC addresses and its mode changes from autolearn to secure.
- Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses are restored after the switch reboots.

Configuration prerequisites
- Port security is enabled.
- The maximum number of security MAC addresses allowed on the port is set.
- The security mode of the port is set to autolearn.

Configuring a security MAC address

Follow these steps to configure a security MAC address:
1. Enter system view: system-view
2. Add a security MAC address, using either of the following (by default, no security MAC address is configured):
   - In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id
   - In Ethernet port view: interface interface-type interface-number, then mac-address security mac-address vlan vlan-id
Displaying and Maintaining Port Security Configuration

Use the following commands in any view:
- Display information about port security configuration: display port-security [ interface interface-list ]
- Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Port Security Configuration Example

Port Security Configuration Example

Network requirements

Implement access user restrictions through the following configuration on GigabitEthernet 1/0/1 of the switch:
- Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses.
- To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
- After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.

Network diagram

Figure 1-1 Network diagram for port security configuration

Configuration procedure

# Enter system view.
<Switch> system-view
# Enable port security.
[Switch] port-security enable
# Enter GigabitEthernet1/0/1 port view.
[Switch] interface GigabitEthernet 1/0/1
# Set the maximum number of MAC addresses allowed on the port to 80.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 80
# Set the port security mode to autolearn.
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
# Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
[Switch-GigabitEthernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
[Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet1/0/1] quit
[Switch] port-security timer disableport 30
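The following Python model is an added example, not code from the switch or its vendor. It replays the configuration above as a small state machine: the port starts in autolearn, the statically added security MAC and the learned ones count toward max-mac-count, reaching the limit flips the port to secure, and in secure mode an unknown source MAC triggers the configured intrusion action (blockmac, disableport, or disableport-temporarily with the disableport timer). The learning rules follow the "Configuring Security MAC Addresses" section; the class and function names, the explicit time parameter (seconds passed in by the caller) and the sample MAC addresses are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Model of the autolearn -> secure transition and of intrusion protection.
# Added example, not the switch's code. replay_example() walks through the
# configuration above (max-mac-count 80, autolearn, disableport-temporarily,
# timer 30 s). Time is passed in as seconds; MAC addresses are constructed.


class SecurePort:
    def __init__(self, max_mac_count: int,
                 intrusion_mode: str = "disableport-temporarily",
                 disable_timer: int = 20):              # 20 s is the page's default
        self.max_mac_count = max_mac_count              # port-security max-mac-count
        self.mode = "autolearn"                         # port-security port-mode autolearn
        self.intrusion_mode = intrusion_mode            # port-security intrusion-mode ...
        self.disable_timer = disable_timer              # port-security timer disableport
        self.security_macs: Set[str] = set()
        self.blocked_macs: Set[str] = set()             # filled by blockmac
        self.disabled_until: Optional[float] = None     # set by disableport-temporarily
        self.permanently_disabled = False               # set by disableport
        self.events: List[str] = []

    def add_security_mac(self, mac: str) -> None:
        """mac-address security ...: only allowed while the port is in autolearn."""
        if self.mode != "autolearn":
            raise ValueError("security MAC addresses can only be added in autolearn mode")
        self.security_macs.add(mac.lower())
        self._check_full()

    def _check_full(self) -> None:
        # Reaching max-mac-count flips the port from autolearn to secure.
        if self.mode == "autolearn" and len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"
            self.events.append("mode changed to secure")

    def is_up(self, now: float) -> bool:
        if self.permanently_disabled:
            return False
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return False                            # still silent
            self.disabled_until = None                  # timer expired: port comes back
            self.events.append(f"port re-enabled at t={now}")
        return True

    def receive(self, src_mac: str, now: float) -> bool:
        """True if an inbound frame from src_mac is forwarded at time now."""
        if not self.is_up(now):
            return False
        src = src_mac.lower()
        if src in self.blocked_macs:
            return False
        if src in self.security_macs:
            return True
        if self.mode == "autolearn":                    # learn it as a security MAC
            self.security_macs.add(src)
            self.events.append(f"learned {src}")
            self._check_full()
            return True
        self._intrusion(src, now)                       # secure mode: unknown source
        return False

    def _intrusion(self, src: str, now: float) -> None:
        self.events.append(f"intrusion by {src} at t={now}: {self.intrusion_mode}")
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src)
        elif self.intrusion_mode == "disableport":
            self.permanently_disabled = True
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disable_timer


def replay_example() -> Dict[str, object]:
    """The page's example: Host bound up front, 79 hosts learned, intruder at t=100."""
    port = SecurePort(max_mac_count=80, disable_timer=30)
    port.add_security_mac("0001-0002-0003")             # Host's address
    for i in range(1, 80):                              # 79 more hosts -> 80 in total
        port.receive(f"0000-0000-{i:04x}", now=float(i))
    return {
        "mode_after_learning": port.mode,               # "secure"
        "security_mac_count": len(port.security_macs),  # 80
        "intruder_forwarded": port.receive("dead-beef-0001", now=100.0),   # False
        "host_during_silence": port.receive("0001-0002-0003", now=110.0),  # False
        "host_after_timer": port.receive("0001-0002-0003", now=131.0),     # True
        "events": port.events[-3:],
    }


if __name__ == "__main__":
    for key, value in replay_example().items():
        print(f"{key}: {value}")
```

The replay makes one consequence of disableport-temporarily visible that the configuration alone does not: during the 30-second silence the legitimate Host is cut off along with the intruder, so one spoofed frame is enough to deny service to every host on the port for the timer period. blockmac, by contrast, drops only the offending source address and keeps the known hosts forwarding.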
2 Port Binding Configuration

When configuring port binding, go to these sections for information you are interested in:
- Port Binding Overview
- Displaying and Maintaining Port Binding Configuration
- Port Binding Configuration Example
Port Binding Overview
Introduction
Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP address. This improves network security and enhances security monitoring.
Configuring Port Binding

Follow these steps to configure port binding:
1. Enter system view: system-view
2. Bind the MAC address and IP address of a user to a specific port, using either of the following (by default, no user MAC address or IP address is bound to a port):
   - In system view: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
   - In Ethernet port view: interface interface-type interface-number, then am user-bind mac-addr mac-address ip-addr ip-address

Notes:
- An IP address can be bound to only one port at a time.
- A MAC address can be bound to only one port at a time.
Displaying and Maintaining Port Binding Configuration

Use the following command in any view:
- Display port binding information: display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]
Port Binding Configuration Example

Port Binding Configuration Example

Network requirements

It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using the IP address they steal from Host A to access the network.

Network diagram

Figure 2-1 Network diagram for port binding configuration

Configuration procedure

Configure Switch A as follows:
# Enter system view.
<SwitchA> system-view
# Enter GigabitEthernet 1/0/1 port view.
[SwitchA] interface GigabitEthernet 1/0/1
# Bind the MAC address and the IP address of Host A to GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
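The following Python model is an added example, not code from the switch or its vendor. It shows the check that the binding above puts on GigabitEthernet 1/0/1: a packet received on the port is forwarded only when its source MAC and source IP both match a binding on that same port, so a stolen IP with a different MAC, or Host A's MAC with a different IP, is dropped. It also enforces the two rules from "Configuring Port Binding" (an IP address and a MAC address can each be bound to only one port at a time). The class and function names and the sample addresses are constructed; treating a port that has no binding as unrestricted is an assumption of the model, not something the page states.

```python
from typing import Dict, Set, Tuple

# Model of port binding (am user-bind). Added example, not the switch's
# code. Addresses and port names are constructed samples; leaving a port
# with no binding unrestricted is an assumption of this model.


class PortBindingTable:
    def __init__(self) -> None:
        self._bindings: Dict[str, Set[Tuple[str, str]]] = {}   # port -> {(mac, ip)}
        self._mac_port: Dict[str, str] = {}                    # mac  -> port
        self._ip_port: Dict[str, str] = {}                     # ip   -> port

    def user_bind(self, mac: str, ip: str, port: str) -> None:
        """am user-bind mac-addr <mac> ip-addr <ip> interface <port>."""
        mac = mac.lower()
        # The page's two constraints: an IP address and a MAC address can
        # each be bound to only one port at a time.
        if self._mac_port.get(mac, port) != port:
            raise ValueError(f"{mac} is already bound to {self._mac_port[mac]}")
        if self._ip_port.get(ip, port) != port:
            raise ValueError(f"{ip} is already bound to {self._ip_port[ip]}")
        self._mac_port[mac] = port
        self._ip_port[ip] = port
        self._bindings.setdefault(port, set()).add((mac, ip))

    def forwards(self, port: str, src_mac: str, src_ip: str) -> bool:
        """Would a packet with this source MAC/IP, received on port, be forwarded?"""
        bound = self._bindings.get(port)
        if not bound:
            return True      # assumption: a port with no binding is unrestricted
        # Both addresses must match a binding on *this* port: a stolen IP
        # with another MAC, or the right MAC with another IP, is dropped.
        return (src_mac.lower(), src_ip) in bound


def check_example() -> Dict[str, bool]:
    """Replays the binding of Host A and tries the spoofing cases against it."""
    table = PortBindingTable()
    table.user_bind("0001-0002-0003", "10.12.1.1", "GigabitEthernet1/0/1")
    port = "GigabitEthernet1/0/1"
    return {
        "host_a": table.forwards(port, "0001-0002-0003", "10.12.1.1"),              # True
        "stolen_ip_other_mac": table.forwards(port, "0004-0005-0006", "10.12.1.1"),  # False
        "host_a_mac_other_ip": table.forwards(port, "0001-0002-0003", "10.12.1.9"),  # False
    }


if __name__ == "__main__":
    for case, forwarded in check_example().items():
        print(f"{case}: {'forwarded' if forwarded else 'dropped'}")
```

The binding restricts only the port it is configured on; the page says nothing about traffic arriving on other ports with Host A's addresses, and the model does not either, so apply a binding on every port where the addresses could appear if that is the threat you care about.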