
Port Security

How to configure port security on HPE ProCurve / ProVision / Aruba switches :)

I recently had a request through my 'contact me' form on how to configure port security on HPE Aruba switches - these are the 2920s, 3800s, 5400s, 8200s etc.

Firstly, what is port security? It's a method of MAC lockdown (or Layer 2 control) which allows you to limit, restrict or fix the MAC address(es) permitted on an individual switch port.

It's important to understand what the various learn modes are:

Learn Mode           Action
Continuous           (default mode) Any MAC address is learned as a device connects
Static               MAC addresses can be pre-defined, other addresses can still be learned
Configured           MAC addresses can be pre-defined, no other MAC addresses can be learned
limited-continuous   MAC addresses can be learned, up to the configured address-limit
Port-Access          Used in conjunction with 802.1x to temporarily learn the MAC address of an 802.1x-authenticated session

I normally use the following scenarios:

1. Lock down a port to a maximum of 2 MAC addresses, allow the switch to learn those MAC addresses itself, and disable the port if there is a violation

port-security 1-24 address-limit 2 learn-mode limited-continuous action send-disable

1-24 is the range of ports I want to apply this policy to
2 is the address-limit, i.e. the maximum number of MAC addresses allowed (2!)
limited-continuous is the learn mode I am using (see table above)
send-disable is the action taken on a violation (turn off the port)

Note: a learned MAC address is held until the MAC age time expires, and only then can a new MAC address be learned in its place. The default MAC age time is 300 seconds; you can check the current value with - show system-information

You can modify the MAC age time as follows (the value is in seconds, anywhere within the range shown):

mac-age-time 60-999960


2. Statically fix a particular MAC address to a port so that only this MAC address can use the port, and disable the port if there is a violation

port-security 25 learn-mode configured mac-address 0000.ffff.0000 action send-disable


3. Learn a MAC address on the port, fix it so that no other MAC address is ever allowed, and disable the port if there is a violation

port-security 25 learn-mode static action send-disable


4. I tend to be a bit cautious, and set my action to 'send-alarm' at the start of a port-security rollout. This sends an alert to your NMS (preferably HPE IMC!) on a violation instead of disabling the port, so you can see what the switch is learning before you enforce it.


port-security 1-24 address-limit 2 learn-mode limited-continuous action send-alarm



How to clear the intrusion flag of a port disabled using port security

port-security 1 clear-intrusion-flag
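Putting the scenarios above together, here is a worked rollout sequence for a ProVision / Aruba switch. This is an added example, not from the original page: it starts in monitor-only mode (scenario 4), shortens the MAC age time, tightens to send-disable (scenarios 1-3), and finishes with recovering a port that has been disabled by a violation. Lines beginning with ; are commentary, not commands. The SNMP trap destination 192.0.2.10 and community name nms-community are placeholders (the switch needs a trap destination configured for send-alarm to reach your NMS), and port 26 for the learn-and-fix case is an assumed port number.

```text
configure
; Assumed: give send-alarm traps somewhere to go (placeholder NMS address and community)
snmp-server host 192.0.2.10 community nms-community
; Scenario 4 first: learn up to 2 MACs per port, only alarm on a violation
port-security 1-24 address-limit 2 learn-mode limited-continuous action send-alarm
; Shorten the MAC age time (seconds, range 60-999960) so a moved device is re-learned sooner
mac-age-time 60
; Review what has been learned and whether any intrusions were flagged before enforcing
show port-security 1-24
show port-security intrusion-log
; Scenario 1: once happy with the learned addresses, change the action to send-disable
port-security 1-24 address-limit 2 learn-mode limited-continuous action send-disable
; Scenario 2: port 25 is fixed to one pre-defined MAC address
port-security 25 learn-mode configured mac-address 0000.ffff.0000 action send-disable
; Scenario 3: port 26 (assumed) learns its first MAC address and then never accepts another
port-security 26 learn-mode static action send-disable
write memory
; Recovery after a send-disable violation on port 1: clear the intrusion flag, then re-enable the port
port-security 1 clear-intrusion-flag
interface 1 enable
```

Clearing the intrusion flag alone does not bring a send-disable'd port back up; the interface also has to be re-enabled, which is why the last two lines go together. Checking show port-security intrusion-log before switching from send-alarm to send-disable is what turns the cautious rollout into a deliberate one.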