Configuring Port Security on an Aruba switch is a key step in securing the network by limiting access to the switch ports to specific, authorized devices based on their MAC addresses. Port security helps prevent unauthorized access, MAC address flooding, and other attacks by enforcing strict control over which devices can connect to the network through specific switch ports.
Here’s how to configure Port Security on an Aruba switch using the CLI. The commands below use the interface-context syntax shown on this page; the exact keywords differ between Aruba platforms (AOS-S switches configure it from the global context with a single port-security <port-list> learn-mode ... address-limit ... action ... command, and AOS-CX uses the port-access port-security command family), so confirm each command against the CLI reference for your model before pasting it in.
Basic Steps to Configure Port Security on Aruba Switch
Access the Switch CLI: You need to access the Aruba switch’s CLI via console, SSH, or other remote access methods.
Enter Configuration Mode: After logging in to the switch, enter global configuration mode by typing:
enable
configure terminal
Configure Port Security on a Specific Port: To configure port security, you’ll first specify the switch port you want to apply the security settings to. You can configure port security for individual ports or for multiple ports at once.
To configure port security for a specific port (e.g., GigabitEthernet1/0/1), type:
interface gigabitethernet 1/0/1
Enable Port Security: To enable port security, you can use the following command:
port-security enable
Set the Maximum Number of Allowed MAC Addresses: Port security allows you to limit the number of MAC addresses allowed on a particular port. The default is typically 1, but you can configure this to allow more devices if necessary.
For example, to allow a maximum of 3 MAC addresses on a port, use:
port-security maximum 3
Define Action When Security Violation Occurs: You can specify what happens when a violation is detected (e.g., if a MAC address beyond the configured maximum, or one not in the allowed list, is seen on the port). The possible actions are:
Protect: Drops packets with an unknown source MAC address (silent discard, no logging). Because nothing is logged, an attacker probing the port leaves no trace; avoid this mode where you need visibility.
Restrict: Drops packets, increments the port's violation counter, and logs the violation.
Shutdown: Disables the port (error-disabled state) upon detection of a violation and requires manual intervention or a recovery timer to bring it back (default action).
For example, to configure the port to go into shutdown mode on a violation:
port-security violation shutdown
Configure Sticky MAC Addresses (Optional): Sticky MAC addresses are dynamically learned from the devices connected to a port and added to the port's running configuration as if they had been entered statically. They survive a reboot only if you save the running configuration (write memory) after they have been learned; unsaved sticky entries are lost on reload. Note that sticky learning trusts whatever connects first, so enable it only on a port where you know the correct device is already attached.
To enable sticky MAC addresses:
port-security mac-address sticky
View the Port Security Configuration: After configuring port security, you can verify the settings by running:
show port-security
Exit and Save Configuration: Once you’ve completed the configuration, exit from the interface mode and save the configuration:
exit
write memory
Example of Full Configuration
Below is an example of configuring port security for port GigabitEthernet1/0/1, allowing a maximum of 3 MAC addresses, using sticky MAC addresses, and configuring the port to shut down on a violation.
enable
configure terminal
# Enter interface configuration mode
interface gigabitethernet 1/0/1
# Enable port security
port-security enable
# Set the maximum number of allowed MAC addresses
port-security maximum 3
# Enable sticky MAC addresses (dynamically learned and saved)
port-security mac-address sticky
# Define violation action (shutdown port on violation)
port-security violation shutdown
# Exit and save the configuration
exit
write memory
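To make the procedure above auditable rather than a one-off typing exercise, the following Python script checks a saved configuration for ports that skip port security, allow an unusually high MAC count, or use the silent protect action. This is an added example, not code from the original page or from Aruba: it parses the interface-context syntax used on this page (interface ... / port-security ...), and the policy threshold of 5 MAC addresses, the sample configuration, and the treatment of missing sticky learning as a finding are assumptions chosen for illustration.

```python
"""Audit a saved switch configuration for weak port-security settings.

Added example (not from the original page or from Aruba). It parses the
interface-context syntax used in this article and reports ports that are
missing port security, silently discard violators (protect), allow more
MAC addresses than policy permits, or do not persist learned addresses.
"""
import re

# Constructed sample running-config for the example: one hardened port,
# two weak ones, and an uplink with no port security at all.
SAMPLE_CONFIG = """\
interface gigabitethernet 1/0/1
 port-security enable
 port-security maximum 3
 port-security mac-address sticky
 port-security violation shutdown
interface gigabitethernet 1/0/2
 port-security enable
 port-security maximum 50
 port-security violation protect
interface gigabitethernet 1/0/3
 port-security enable
interface gigabitethernet 1/0/4
 description uplink-to-core
"""

MAX_ALLOWED = 5                 # assumed policy threshold for access ports
DEFAULT_MAX = 1                 # the page states the default limit is typically 1
DEFAULT_VIOLATION = "shutdown"  # the page states shutdown is the default action


def parse_interfaces(config_text):
    """Return {interface_name: {setting: value}} for each interface block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^interface\s+(\S+\s+\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if current is None or not line.startswith("port-security"):
            continue
        parts = line.split()
        if parts[1:] == ["enable"]:
            interfaces[current]["enabled"] = True
        elif parts[1] == "maximum" and len(parts) == 3:
            interfaces[current]["maximum"] = int(parts[2])
        elif parts[1] == "violation" and len(parts) == 3:
            interfaces[current]["violation"] = parts[2]
        elif parts[1:] == ["mac-address", "sticky"]:
            interfaces[current]["sticky"] = True
    return interfaces


def audit(config_text, max_allowed=MAX_ALLOWED):
    """Return {interface_name: [issue, ...]}; an empty list means the port passes."""
    findings = {}
    for name, s in parse_interfaces(config_text).items():
        issues = []
        if not s.get("enabled"):
            issues.append("port-security not enabled")
        else:
            # Unset values fall back to the defaults the page describes.
            maximum = s.get("maximum", DEFAULT_MAX)
            if maximum > max_allowed:
                issues.append(f"maximum {maximum} exceeds policy {max_allowed}")
            violation = s.get("violation", DEFAULT_VIOLATION)
            if violation == "protect":
                issues.append("violation protect discards silently; no log or alert")
            if not s.get("sticky"):
                issues.append("no sticky learning; allowed MACs not persisted")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run it against the output of a show running-config saved to a file; uplinks and trunk ports will show up as "not enabled", which is expected, so filter those by description or port list before treating the report as a to-do list.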
Additional Commands and Options
Clear Port Security Violations: If a port is disabled due to a security violation (when the violation action is shutdown), it stays down until you manually clear the violation and re-enable the port. The exact recovery command depends on the platform, so check the CLI reference for your model; before re-enabling the port, find out which device triggered the violation rather than simply clearing it.
Viewing Port Security Status: To see which MAC addresses are associated with a particular port or to verify the port security settings, you can use the following command:
show port-security interface gigabitethernet 1/0/1
Disable Port Security on a Port: If you want to remove port security from a port, use the no form of the enable command in interface context (no port-security enable), then save the configuration.