Manualshelf

R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router
131132133134135136137138139140
126
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. It applies to networks that require different authentication methods for different users on
a port, such as a WLAN.
Port security prevents unauthorized access to a network by checking the source MAC address of inbound
traffic and prevents access to unauthorized devices by checking the destination MAC address of
outbound traffic.
Port security can control MAC address learning and authentication on a port to make sure the port learns
only source trusted MAC addresses.
A frame is illegal if its source MAC address cannot be learned in a port security mode, or if it is from a
client that has failed 802.1X or MAC authentication. The port security feature automatically takes a
pre-defined action on illegal frames. This automatic mechanism enhances network security and reduces
human intervention.
Port security is available on Ethernet and WLAN ports. Supported port types depend on the command.
For more information, see Security Command Reference.
For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you
use the 802.1X authentication or MAC authentication feature rather than port security.
For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and
"Configuring MAC authentication."
Port security features
Port security supports the need to know (NTK) feature, intrusion protection, and port security traps.
NTK
NTK prevents traffic interception by checking the destination MAC address in outbound frames. The
feature ensures that frames are sent only to hosts that have passed authentication or whose MAC
addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and
takes a pre-defined action on each detected illegal frame. The action can be disabling the port
temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3
minutes (not user configurable).
Port security traps
To monitor user behavior, configure the port security module to send traps for port security events such as
login, logoff, and MAC authentication.