Port security techniques

To prevent port-hijacking in student computer labs:

• we use the HP "port-security" features
• we do not use "MAC lockdown", which applies to a MAC address wherever it might appear on a switch
• port-security restricts the MAC addresses on a per-port basis
• MAC lockdown is to prevent a MAC from being used anywhere, port-security is to enable a specific MAC
• the particular style of port-security we use is "learn-mode static address-limit 1" which effectively causes the switch to learn whatever is plugged into a port at the time the command is issued, and allows no other MAC address
  • so we have to make sure that the right things are plugged in when port-security is enabled

CLI (and ONA command interface)

• to enable with the switch CLI:
  • port-security ## learn-mode static address-limit 1 action send-alarm
• to disable
  • no port-security ##

• ## is a port number or a range of port numbers start-end

Alternative techniques are possible, eg specifying via the CLI the exact MAC address to be allowed. However, as ONA doesn't support this, and it would required interoperation with our inventory system (the authoritative repository of MAC addresses), we'll stick with the "learn the one that's there" method. If somehow a switchport learns more than one address (possible, for example, if the MaxMACS is greater than one, individual MAC addresses can be cleared with the CLI:

• no port-security ## mac-address MAC-address-to-be-removed

ONA

• ONA supports port security with its "MaxMACs" setting of 1

Device changeout with ONA

• remove the device from the port
• set MaxMACs to 0
• press "ClearMACs"
• plug in the new device
• set MaxMACs back to 1