Wired Intelligent Edge



Aruba 2540 Port Security

  • 1.  Aruba 2540 Port Security

    Posted Aug 16, 2018 02:26 PM

    I am looking to set up port security on the Aruba 2540.  I set the port to learn mode of limited-continuous, and a address-limit of 1.  

     

    I would like to set the ports to only allow one MAC address based on the first MAC address learned, I think this used to be called 'sticky MAC'.  I want to prevent people from unplugging a connected device in order to connect a different device.  I have tested this with the learn mode of limited-continuous, but it doesn't retain the MAC address of the first device when it's disconnected.  If I connect an unmanaged switch to the port and connect two devices, then two MAC addresses are seen on the Aruba port and it sees a violation.  

     

    I can set up the learn mode as static and configure the MAC address associated with the switch port.  If any other MAC address is connected to the port it sees it as a violation and is not able to connect.  This method is not possible for us due to the amount of administrative overhead of configuring all the ports statically with MAC addresses.  

     

    Is there a way within the 16.05 OS to learn the first MAC address that connects and then not allow additional MAC addresses on that port once the device is disconnected?



  • 2.  RE: Aruba 2540 Port Security

    Posted Aug 17, 2018 10:25 AM

    Hi,

     

    that will be achieved by learn mode static. If you use address-limit 1 and do not define a mac-address, the switch will learn the first mac-address on that port and write it into running-config. If you want to make it persistent, you have to issue "write memory" on your own, after addresses have been learned.

     

    But you really should think about different methods. Like 802.1x port authentication.

    With the above method a user could move his device around and block ports for his MAC address on several switches, leaving that port unusable for different devices until an admin deletes the MAC address from unused ports. Same with RMA cases (MAC of client changes) or with users moving to different offices. You'll have to edit your configurations often.

     

    By using 802.1x you get a better level of security and less operational burden with the above cases, because you do not need to edit the config anymore...

     

    In my opinion MAC based security (port-security, MAC-auth, MAC filters, ...) should only be used as a method of last resort nowadays, if nothing else works...

     

    Regards, Jö



  • 3.  RE: Aruba 2540 Port Security

    Posted Aug 17, 2018 05:41 PM

    Thanks so much for the feedback, I will give the static option a try without specifying the MAC address.  Unfortunately for now, this is our only option as there is no RADIUS server available at this time for 802.1x.



  • 4.  RE: Aruba 2540 Port Security

    Posted Aug 17, 2018 10:42 AM

    Hello lvbeachlife,

     

    I can only speak for ourselves but we're using the following configuration here at our university:

     

    no port-security <ALL_PORT_LIST> eavesdrop-prevention
    port-security <EDGE_PORT_LIST> learn-mode limited-continuous action send-alarm

    Because there's no address-limit in the config it limits the number of simultaneous MAC addresses to 1. We do not care with which device users connect to the network, but we use this to prevent users from connecting their own unmanaged switch. When they do and connect 2 devices, I only see 1 MAC address on the switchport and the other device can't connect to the network. If they unplug the 1st device, then the 2nd device is able to connect, but never both at the same time unless I set the address-limit to 2.

     

    If you're seeing 2 MAC-addresses on the switchport while having the MAC-address limit set to 1, then it almost sounds like a bug to me.

     

    Kind regards,

    Niels Mejan

    University of Twente
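Two operational points come up in the replies above: with `learn-mode static` and `address-limit 1` but no `mac-address`, the first MAC seen is written into running-config and is lost on reboot unless `write memory` is issued (reply 2), and `learn-mode limited-continuous` never pins the first MAC at all (replies 1 and 4). The script below is an added example, not code from the thread or from HPE/Aruba: it reads a `running-config` and a `startup-config` dump, and reports per edge port whether port-security is missing, not sticky, still waiting for its first MAC, learned but unsaved, or learned and persisted. The two config texts are constructed samples, and the exact shape of the `port-security <port> learn-mode ... mac-address ... action ...` line is an assumption about how ArubaOS-Switch writes the setting into its config.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Constructed sample dumps (not captured from a real switch). The line layout is an
# assumption about ArubaOS-Switch running-config; adjust PS_LINE if yours differs.
RUNNING_CONFIG = """\
hostname "edge-sw-01"
port-security 1 learn-mode static address-limit 1 mac-address 001b78-a1b2c3 action send-disable
port-security 2 learn-mode static address-limit 1 mac-address 001b78-d4e5f6 action send-disable
port-security 3 learn-mode static address-limit 1 action send-disable
port-security 4 learn-mode limited-continuous action send-alarm
vlan 1
"""

# Startup-config as saved before port 2 learned its MAC: no 'write memory' since then.
STARTUP_CONFIG = """\
hostname "edge-sw-01"
port-security 1 learn-mode static address-limit 1 mac-address 001b78-a1b2c3 action send-disable
port-security 2 learn-mode static address-limit 1 action send-disable
port-security 3 learn-mode static address-limit 1 action send-disable
port-security 4 learn-mode limited-continuous action send-alarm
vlan 1
"""

# Hypothetical list of user-facing ports that are expected to be protected.
EDGE_PORTS = ["1", "2", "3", "4", "5"]


class PortSec(NamedTuple):
    learn_mode: str
    address_limit: Optional[int]
    mac: Optional[str]        # MAC learned or configured on the port, if any
    action: str


class Finding(NamedTuple):
    status: str   # one of: ok, unsaved, pending, not-sticky, unprotected
    detail: str


PS_LINE = re.compile(r"^port-security\s+(\S+)\s+(.*)$")


def _field(body: str, key: str) -> Optional[str]:
    """Return the value following a keyword such as 'learn-mode' in one config line."""
    m = re.search(rf"\b{re.escape(key)}\s+(\S+)", body)
    return m.group(1) if m else None


def parse_port_security(config: str) -> Dict[str, PortSec]:
    """Collect the port-security line of every port present in a config dump."""
    entries: Dict[str, PortSec] = {}
    for raw in config.splitlines():
        m = PS_LINE.match(raw.strip())
        if not m:
            continue
        port, body = m.groups()
        limit = _field(body, "address-limit")
        mac = _field(body, "mac-address")
        entries[port] = PortSec(
            learn_mode=_field(body, "learn-mode") or "continuous",
            address_limit=int(limit) if limit else None,
            mac=mac.lower() if mac else None,
            action=_field(body, "action") or "none",
        )
    return entries


def audit(running: str, startup: str, edge_ports: Iterable[str]) -> Dict[str, Finding]:
    """Compare running vs startup config and classify each expected edge port."""
    run = parse_port_security(running)
    saved = parse_port_security(startup)
    findings: Dict[str, Finding] = {}
    for port in edge_ports:
        ps = run.get(port)
        if ps is None:
            findings[port] = Finding("unprotected", "no port-security configured on this port")
        elif ps.learn_mode != "static":
            findings[port] = Finding("not-sticky",
                                     f"learn-mode {ps.learn_mode} does not retain the first learned MAC")
        elif ps.mac is None:
            findings[port] = Finding("pending", "learn-mode static, first MAC not learned yet")
        elif port not in saved or saved[port].mac != ps.mac:
            findings[port] = Finding("unsaved",
                                     f"learned MAC {ps.mac} exists only in running-config; 'write memory' needed")
        else:
            findings[port] = Finding("ok", f"learned MAC {ps.mac} is persisted in startup-config")
    return findings


if __name__ == "__main__":
    for port, finding in audit(RUNNING_CONFIG, STARTUP_CONFIG, EDGE_PORTS).items():
        print(f"port {port:>3}: {finding.status:<11} {finding.detail}")
```

Run it after the switch has been in service for a while; any port reported as `unsaved` is one where a reboot would silently reopen the port to the next MAC, and the `unprotected` and `not-sticky` rows are the ports that the static approach in reply 2 does not cover. Feeding it real dumps means pasting the output of the switch's `show running-config` and `show config` commands into the two strings.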