Port Security - MAC Lockdown
The 802.1X standard provides logical security to the network based on a user. There are many
times, however, when physical access limitations are desired. The Port Security - MAC
Lockdown feature restricts physical access to a particular switch port by one of two
methods: a configured list of MAC addresses (up to 8 addresses per port), or the first MAC
address the switch sees on that port. While this solution doesn't help with a switch port that
legitimately sees a large number of MAC addresses, such as in a conference room, it does
provide security to a port used by a shared PC or a dedicated PC by locking out other PCs that
try to access the switch port, even when the port is network enabled through
The Port Security feature can be set to send an SNMP trap to a management station when such
a violation occurs. It can also be set to completely disable the switch port (requiring the
network manager to re-enable the port before use), a feature intended for high-security
environments or environments subject to potential hacking, such as a college dorm room.
Configuring port security on a ProCurve 5300xl Series switch port automatically enables
eavesdrop protection for that port. This prevents the port from being used to flood unicast
packets addressed to MAC addresses unknown to the switch, and so blocks unauthorized users
from eavesdropping on traffic intended for addresses that have aged out of the switch's
address table. (Eavesdrop prevention does not affect multicast and broadcast traffic: the
switch floods these two traffic types out a given port regardless of whether port security is
enabled on that port.)
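The following model, added here as an illustration and not code from ProCurve, ties together the behaviour described above: a secured port accepts either a configured list of up to 8 MAC addresses or the first address it learns, any other source address is a violation that can raise an SNMP-style trap and/or disable the port until an administrator re-enables it, and unknown-unicast flooding is suppressed on secured ports while broadcast and multicast still flood. The port names, MAC addresses, and frame sequence in demo() are constructed sample data.

```python
"""Model of Port Security (MAC Lockdown) with eavesdrop protection.

Added illustration, not ProCurve code. Port names, MAC addresses and the
frame sequence in demo() are constructed sample data.
"""
from dataclasses import dataclass, field

MAX_ADDRESSES = 8          # per-port address limit stated in the text
LEARN_MODES = ("continuous", "static", "first-heard")


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Port:
    name: str
    learn_mode: str = "continuous"      # continuous = no port security
    send_trap: bool = True               # raise an SNMP-style trap on violation
    disable_on_violation: bool = False   # high-security option from the text
    allowed: set = field(default_factory=set)
    enabled: bool = True
    traps: list = field(default_factory=list)

    def __post_init__(self):
        if self.learn_mode not in LEARN_MODES:
            raise ValueError(f"unknown learn mode {self.learn_mode!r}")
        self.allowed = {m.lower() for m in self.allowed}
        if len(self.allowed) > MAX_ADDRESSES:
            raise ValueError(f"at most {MAX_ADDRESSES} addresses per port")

    @property
    def secured(self) -> bool:
        return self.learn_mode != "continuous"

    def ingress(self, frame: Frame) -> bool:
        """Apply MAC lockdown to an incoming frame; True if it may be forwarded."""
        if not self.enabled:
            return False
        if not self.secured:
            return True
        src = frame.src.lower()
        if self.learn_mode == "first-heard" and not self.allowed:
            self.allowed.add(src)          # lock the port to the first MAC seen
        if src in self.allowed:
            return True
        # Violation: some other station is trying to use this port.
        if self.send_trap:
            self.traps.append(f"{self.name}: intruder {src}")
        if self.disable_on_violation:
            self.enabled = False           # stays down until re-enabled by the admin
        return False

    def reenable(self) -> None:
        self.enabled = True


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast destinations (I/G bit of first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}                # learned source MAC -> port name

    def age_out(self, mac: str) -> None:
        """Simulate the address-table entry for mac expiring."""
        self.mac_table.pop(mac.lower(), None)

    def forward(self, in_port: str, frame: Frame) -> list:
        """Return the sorted list of egress ports for a frame, after port security."""
        port = self.ports[in_port]
        if not port.ingress(frame):
            return []
        self.mac_table[frame.src.lower()] = in_port
        dst = frame.dst.lower()
        others = [n for n, p in self.ports.items() if n != in_port and p.enabled]
        if is_group_address(dst):
            return sorted(others)          # eavesdrop protection does not apply
        if dst in self.mac_table:
            return [self.mac_table[dst]]
        # Unknown unicast: flood, but eavesdrop protection keeps it off secured ports.
        return sorted(n for n in others if not self.ports[n].secured)


def demo() -> dict:
    """Run a constructed frame sequence and collect the observable results."""
    sw = Switch([
        Port("A1", "static", allowed={"00:11:22:33:44:55"}, disable_on_violation=True),
        Port("A2", "first-heard"),
        Port("A3"),                        # A3 and A4 are unsecured ports
        Port("A4"),
    ])
    r = {}
    r["broadcast"] = sw.forward("A1", Frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"))
    r["first_heard"] = sw.forward("A2", Frame("aa:aa:aa:aa:aa:01", "00:11:22:33:44:55"))
    r["second_mac"] = sw.forward("A2", Frame("aa:aa:aa:aa:aa:02", "00:11:22:33:44:55"))
    r["a2_traps"] = list(sw.ports["A2"].traps)
    r["unknown_unicast"] = sw.forward("A3", Frame("bb:bb:bb:bb:bb:01", "cc:cc:cc:cc:cc:01"))
    sw.age_out("00:11:22:33:44:55")
    r["aged_out"] = sw.forward("A3", Frame("bb:bb:bb:bb:bb:01", "00:11:22:33:44:55"))
    r["intruder_on_a1"] = sw.forward("A1", Frame("dd:dd:dd:dd:dd:01", "ff:ff:ff:ff:ff:ff"))
    r["a1_enabled"] = sw.ports["A1"].enabled
    sw.ports["A1"].reenable()
    r["after_reenable"] = sw.forward("A1", Frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The aged_out case is the one the eavesdrop-protection paragraph is about: once the entry for the station on A1 has expired, a unicast frame addressed to it is flooded only to the unsecured ports (A4), so a listener plugged into a secured port never receives someone else's traffic.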
Secure Shell – SSH v1 and v2
Secure Shell is an application very similar to telnet, except that it encrypts the dialog so that
in-band CLI sessions can be kept private over the network. Encryption is done through the use
of public/private key pairs: one pair for host authentication and one pair for each SSH session that
The host key pair is used to authenticate the SSH client and the switch to each other. The host
key pair is stored in flash, so it is not lost on reboot, power-cycle, or by clearing the config file.
Although not necessary or recommended, a new host key pair can be generated through the
The session key pair is used to authenticate the SSH session. A new key pair is used for each
SSH session. Keys are kept in RAM and are lost on power-cycle or reboot. When the ProCurve
5300xl Switch Series is rebooted, new session key pairs are generated. With a key pair taking
about 12 seconds to generate, 10 keys are generated on boot up and placed in a cache to
prevent delays when starting up SSH sessions rapidly in succession. Filling this key cache takes
about 2 minutes and is CPU intensive. To keep this process from affecting other switch
functions, it is designated low priority for the CPU. Because the CPU is doing many things at
boot up, key pair generation doesn't start until about one minute after boot up. This means that
an SSH session, waiting for the first session key pair generation, cannot be established until a
little over a minute after boot up.
The ProCurve 5300xl Switch Series supports both SSHv1 and SSHv2 clients. SSHv2 provides an
additional level of security in that the public key negotiation is accomplished via a Diffie-Hellman
exchange, which is not done under SSHv1.
SSL – Secure Sockets Layer
SSL can be used to encrypt the exchange between a web browser and the 5300 switch when
using the ProCurve 5300xl Switch Series web GUI.
A facility is provided on the GUI interface to generate a self-signed RSA certificate for use
during an SSL browser session.
The ProCurve 5300xl Switch Series can be configured to designate one of the VLANs as the
management VLAN. When this is configured, the internal IP address of the switch becomes a
member solely of the management VLAN. Since access to the switch IP address is necessary for
telnet/SSH, GUI, and SNMP access, only other members of this VLAN can manage the switch.