Access Security Guide K/KA/KB.15.15

11 Port Security
Configuring
Planning port security
Plan your port security configuration and monitoring according to the following:
1. On which ports do you want port security?
2. Which devices (MAC addresses) are authorized on each port?
3. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable the port on which the intrusion was detected.
4. How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:
   • Through network management (that is, do you want an SNMP trap sent to a network management station when a port detects a security violation attempt?)
   • Through the switch Intrusion Log, available through the CLI, menu, and WebAgent
   • Through the Event Log (in the menu interface or through the CLI show log command)
Use the CLI or WebAgent to configure port security operating and address controls.
Use the global configuration level to execute port-security configuration commands.
Configuring port security
Using the CLI, you can:
Configure port security and edit security settings.
Add or delete devices from the list of authorized addresses for one or more ports.
Clear the Intrusion flag on specific ports.
Syntax:
port-security [e] <port-list> <learn-mode | address-limit | mac-address | action | clear-intrusion-flag>

<port-list>
    Specifies a list of one or more ports to which the port-security command applies.

learn-mode <continuous | static | configured | limited-continuous>
    For the specified port, identifies the method for acquiring authorized addresses. On switches covered in this guide, this automatically invokes eavesdrop protection; see “Eavesdrop prevention” (page 398).

    continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned in the learn continuous mode will "age out" and be automatically deleted if they are not used regularly. The default age time is five minutes.
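A worked configuration for a single port, added here as an example and not taken from the guide: the port number and MAC address are constructed, and the action keywords (send-alarm, send-disable) and the show commands are the ProCurve CLI keywords as the editor knows them, not keywords this page states. It places the factory-default continuous mode beside a locked-down static configuration and shows how an intrusion is checked and cleared:

```text
; Added example, not from the guide. Port 10 and MAC 001122-334455 are constructed.
;
; Weak: the factory default. learn-mode continuous accepts traffic from any
; device attached to the port, and learned addresses age out after five
; minutes, so whatever is plugged in next is simply learned in turn.
no port-security 10

; Hardened: exactly one authorized MAC, the learned-address limit set to
; that one address, and a violation both raises an SNMP trap and disables
; the port (send-disable does both; send-alarm would only send the trap).
; Keyword names are an assumption from the ProCurve CLI, not from this page.
port-security 10 learn-mode static address-limit 1
port-security 10 mac-address 001122-334455
port-security 10 action send-disable

; Check the per-port settings and the Intrusion Log (the second place the
; planning list says a violation is reported), then clear the intrusion
; flag on the port once the event has been investigated.
show port-security 10
show port-security intrusion-log
port-security 10 clear-intrusion-flag
```

A port disabled by send-disable stays down until an administrator re-enables it, so pair that action with the SNMP trap or Event Log so the outage is noticed.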
Configuring 357