View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Port-Access Port-Security Violation recovery

This thread has been viewed 19 times
  • 1.  Port-Access Port-Security Violation recovery

    Posted Mar 15, 2022 04:28 PM

    I'm trying to find out the best way for a port to recover from a security violation for the ArubaOS-CX 6200F model.  Our current setup is if something is plugged into a port and it isn't authorized, the port shuts down.  We have the interfaces configured with 'port-access security violation action shutdown'.  Auto-recovery is not turned on.  The behavior that we are seeing is what when a violation is triggered, that port stays that way.  The only way to undo it is to disable port-security on that port and then re-enable it.  On the 2930F switches which do not use the ArubaOS-CX OS, the port would go into a disabled state.  In order to authorize the device we would either turn on static learning or remove the old mac-address or configure the mac on the port... then we would just type #int 12 enable.  The port would come online.  With the ArubaOS-CX, there doesn't seem to be an option to do this without doing a 'port-access port-security disable' and then 'enable'.  I've tried to a 'shutdown' then 'no shut' on the port, but that doesn't clear the violation.  I can't find anything that helps me manually recover from a port-security violation on the ArubaOS-CX.  Does anyone know if there's a way and what way that is?


    Jonathan Berg

  • 2.  RE: Port-Access Port-Security Violation recovery

    Posted Sep 07, 2022 11:02 AM

    In Aruba-AOSCX, by default the client-limit is 1, so if we learnt one client it works fine, but if we have more than one if you enable action shutdown, if there is additional client, the port will go continuously to disable state. you can stop the additional client traffic so that the port don't go to disabled state as the client-limit is only 1. 
    also if we don't configure the action as shutdown, the default action is to notify. though the port goes to disabled state, i twill notify the user.

    if suppose if we configure action as shutdown, then good to configure auto-recovery with recovery-timer, will help to automatically enable the port if there is any client-violation. This continues to happen whenever there is client-limit exceeds, the port will always go to disabled state.

    if you dont want the port to go to disabled state, we should not send more than allowed client-limit.