Access Security Guide K/KA/KB.15.15

30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is
reported once a day. As with other event log entries, these alerts can be sent to a server.
Known Limitations: The instrumentation monitor runs once every five minutes. The current
implementation does not track information such as the port, MAC, and IP address from which
an attack is received.
Port Security
Port security enables you to configure each switch port with a unique list of the MAC addresses
of devices that are authorized to access the network through that port. This enables individual ports
to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.
NOTE: Port security does not prevent intruders from receiving broadcast and multicast traffic.
Also, Port Security and MAC Lockdown are mutually exclusive on a switch. If one is enabled, then
the other cannot be.
MAC Lockdown, also known as "Static Addressing", prevents station movement and MAC address
"hijacking" by allowing a given MAC address to use only an assigned port on the switch. MAC
Lockdown also restricts the client device to a specific VLAN.
MAC Lockout enables blocking a specific MAC address so that the switch drops all traffic to or
from the specified address.
About Port security
Basic operation
Default port security operation
The default port security setting for each port is off, or "continuous". That is, any device can access
a port without causing a security reaction.
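The following Python model, added here as an illustration and not taken from the switch firmware or the guide, shows the behaviour the preceding paragraphs describe: a port left at the default "continuous" setting accepts any station, a port with a Port Security MAC list drops and logs unauthorized sources, MAC Lockdown pins one address to one port and VLAN, MAC Lockout drops all traffic to or from an address, and Port Security and MAC Lockdown refuse to coexist on one switch. It also shows the NOTE's caveat: a broadcast entering on another port is still flooded out the secured port to the intruder. Port names, MAC addresses, VLAN IDs and the Frame layout are made up for the example.

```python
# Added behavioural model of the per-port MAC controls; not switch code.
# Port names, MAC addresses, VLAN IDs and the Frame layout are made up.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac):
    """True for broadcast/multicast destinations (I/G bit of the first octet)."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class Frame:
    ingress: str   # port the frame arrived on
    src: str
    dst: str
    vlan: int


@dataclass
class Switch:
    ports: list
    port_security: dict = field(default_factory=dict)  # port -> authorized MACs; absent = "continuous"
    lockdown: dict = field(default_factory=dict)       # MAC -> (assigned port, VLAN)
    lockout: set = field(default_factory=set)          # MACs dropped everywhere
    mac_table: dict = field(default_factory=dict)      # learned MAC -> port
    log: list = field(default_factory=list)

    def secure_port(self, port, macs):
        if self.lockdown:
            raise ValueError("Port Security and MAC Lockdown are mutually exclusive")
        self.port_security[port] = {m.lower() for m in macs}

    def lock_down(self, mac, port, vlan):
        if self.port_security:
            raise ValueError("Port Security and MAC Lockdown are mutually exclusive")
        self.lockdown[mac.lower()] = (port, vlan)

    def lock_out(self, mac):
        self.lockout.add(mac.lower())

    def ingress_allowed(self, f):
        """Apply the source-side checks; a drop is logged like an event log entry."""
        src, dst = f.src.lower(), f.dst.lower()
        if src in self.lockout or dst in self.lockout:
            self.log.append(f"lockout: dropped {src}->{dst} on port {f.ingress}")
            return False
        authorized = self.port_security.get(f.ingress)
        if authorized is not None and src not in authorized:
            self.log.append(f"port-security: unauthorized {src} on port {f.ingress}")
            return False
        pinned = self.lockdown.get(src)
        if pinned is not None and pinned != (f.ingress, f.vlan):
            self.log.append(f"mac-lockdown: {src} seen on port {f.ingress} vlan {f.vlan}, assigned {pinned}")
            return False
        return True

    def forward(self, f):
        """Return the egress ports for the frame ([] when it is dropped)."""
        if not self.ingress_allowed(f):
            return []
        self.mac_table[f.src.lower()] = f.ingress
        dst = f.dst.lower()
        if is_group(dst):
            # Flooded to every other port, including one where an intruder sits:
            # port security does not stop broadcast/multicast from reaching it.
            return [p for p in self.ports if p != f.ingress]
        pinned = self.lockdown.get(dst)
        if pinned is not None:
            return [pinned[0]] if pinned[1] == f.vlan else []
        if dst in self.mac_table:
            return [self.mac_table[dst]]
        return [p for p in self.ports if p != f.ingress]   # unknown unicast is flooded


def demo():
    results = {}
    sw = Switch(ports=["1", "2", "3"])
    sw.secure_port("1", ["00:11:22:33:44:55"])    # only this station may use port 1
    sw.lock_out("de:ad:be:ef:00:01")
    results["authorized"] = sw.forward(Frame("1", "00:11:22:33:44:55", BROADCAST, 10))
    results["intruder"] = sw.forward(Frame("1", "66:77:88:99:aa:bb", BROADCAST, 10))
    # A broadcast entering on port 2 is still flooded out port 1 to the intruder.
    results["bcast_to_intruder"] = sw.forward(Frame("2", "00:aa:bb:cc:dd:ee", BROADCAST, 10))
    results["lockout"] = sw.forward(Frame("2", "de:ad:be:ef:00:01", BROADCAST, 10))
    try:
        sw.lock_down("00:aa:bb:cc:dd:ee", "2", 10)
        results["exclusive"] = False
    except ValueError:
        results["exclusive"] = True

    sw2 = Switch(ports=["1", "2"])
    sw2.lock_down("00:11:22:33:44:55", "1", 10)    # station pinned to port 1, VLAN 10
    results["lockdown_ok"] = sw2.forward(Frame("1", "00:11:22:33:44:55", BROADCAST, 10))
    results["lockdown_moved"] = sw2.forward(Frame("2", "00:11:22:33:44:55", BROADCAST, 10))
    results["lockdown_wrong_vlan"] = sw2.forward(Frame("1", "00:11:22:33:44:55", BROADCAST, 20))
    results["log"] = sw.log + sw2.log
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running the file prints each scenario's egress port list; an empty list is a dropped frame and the matching reason is in the log. The "bcast_to_intruder" case is the one to note when planning a deployment: Port Security stops the intruder from sending through the port, not from listening to flooded traffic on it.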
Trusted ports
In a similar way to DHCP snooping, dynamic ARP protection lets you place the ports of a VLAN in
two categories: trusted and untrusted. ARP packets received on trusted ports are forwarded
without validation.
By default, all ports on a switch are untrusted. If a port is untrusted:
• The switch intercepts all ARP requests and responses on the port.
• Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is
invalid, the switch drops the packet.
You must configure trusted ports carefully. For example, in the topology in Figure 11-9, Switch B
may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch
B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled,
it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.
On the other hand, if Switch A does not support dynamic ARP protection and you configure the
port on Switch B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning
from hosts attached to Switch A.
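The following Python model, added here as an illustration and not taken from the guide or the switch firmware, walks through the Figure 11-9 trade-off: Switch B never saw Host 1's lease, so with the uplink untrusted it drops Host 1's valid ARP along with a spoofed one; with the uplink trusted both get through, and only dynamic ARP protection on Switch A's own access ports stops the spoof. Switch names, port names, the hosts and the binding entries are made up, and bindings are assumed to come from DHCP snooping or static configuration.

```python
# Added behavioural model of dynamic ARP protection with trusted and
# untrusted ports, following the Figure 11-9 discussion; not switch code.
# Switch names, port names, hosts and binding entries are made up.
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    sender_mac: str
    sender_ip: str
    ingress: str          # port on which this switch received the packet


@dataclass
class ArpProtectSwitch:
    name: str
    enabled: bool = True
    bindings: set = field(default_factory=set)   # valid (mac, ip) pairs this switch knows
    trusted: set = field(default_factory=set)    # ports whose ARP is forwarded unvalidated
    log: list = field(default_factory=list)

    def inspect(self, pkt):
        """Return True if the ARP packet is forwarded, False if dropped."""
        if not self.enabled or pkt.ingress in self.trusted:
            return True
        if (pkt.sender_mac.lower(), pkt.sender_ip) in self.bindings:
            return True
        self.log.append(f"{self.name}: dropped ARP {pkt.sender_ip} is-at "
                        f"{pkt.sender_mac} on untrusted port {pkt.ingress}")
        return False


def figure_11_9():
    """Walk through the situations the text describes and return the outcomes."""
    host1 = ("00:11:22:33:44:55", "10.0.0.10")          # Host 1 behind Switch A
    gateway_ip = "10.0.0.1"
    # Switch A saw Host 1's DHCP lease, so it holds the binding; Switch B did not.
    sw_a = ArpProtectSwitch("SwitchA", bindings={host1})
    sw_b = ArpProtectSwitch("SwitchB")

    legit = ArpPacket(host1[0], host1[1], ingress="uplink-to-A")
    # Attacker behind Switch A claims the gateway's IP (ARP poisoning attempt).
    spoof = ArpPacket("de:ad:be:ef:00:01", gateway_ip, ingress="uplink-to-A")
    out = {}

    # 1. Uplink untrusted on Switch B: Host 1's valid ARP is dropped too, since B
    #    has no binding for it, so Host 1 loses connectivity.
    out["untrusted_legit"] = sw_b.inspect(legit)
    out["untrusted_spoof"] = sw_b.inspect(spoof)

    # 2. Uplink trusted on Switch B: Host 1 works again, but the spoof is forwarded as well.
    sw_b.trusted.add("uplink-to-A")
    out["trusted_legit"] = sw_b.inspect(legit)
    out["trusted_spoof"] = sw_b.inspect(spoof)

    # 3. Trusting the uplink is safe only if Switch A validates its own access ports.
    out["a_passes_legit"] = sw_a.inspect(ArpPacket(host1[0], host1[1], ingress="access-1"))
    out["a_drops_spoof"] = sw_a.inspect(ArpPacket("de:ad:be:ef:00:01", gateway_ip, ingress="access-2"))

    # 4. Switch A without dynamic ARP protection lets the spoof through towards B.
    sw_a.enabled = False
    out["a_disabled_spoof"] = sw_a.inspect(ArpPacket("de:ad:be:ef:00:01", gateway_ip, ingress="access-2"))
    return out


if __name__ == "__main__":
    for k, v in figure_11_9().items():
        print(k, v)
```

The practical rule the model makes visible: a port facing another switch should be trusted only when that switch validates ARP on its own untrusted ports (or is otherwise under your control); otherwise you are choosing between dropping valid hosts whose leases you never saw and accepting poisoning from behind the neighbour.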
396 Port Security