Feat(eos_cli_config_gen): Add support for switchport port-security
Enhancement summary
Add support for switchport port-security
feature in global and switched ethernet interface configuration.
Which component of AVD is impacted
eos_cli_config_gen
Use case example
Securing certain (IoT) ports on campus LAN switches.
switchport port-security mac-address aging
switchport port-security mac-address moveable
switchport port-security persistence disabled
!
interface Ethernet1
   description IOT
   no shutdown
   switchport access vlan 999
   switchport mode access
   switchport
   spanning-tree portfast
   spanning-tree bpduguard enable
   switchport port-security mac-address maximum 3
   switchport port-security violation protect log
Describe the solution you would like
For global configuration:
switchport_port_security:
  mac_address:
    aging: < true | false >
    moveable: < true | false >
  persistence_disabled: < true | false >
  violation_protect_chip_based: < true | false >
For ethernet interface configuration:
ethernet_interfaces:
  <Ethernet_interface_1>:
    port_security:
      violation: < protect | shutdown, default: shutdown >
      mac_address_maximum: < 1 - 1000 | disabled, default: 1 >
      log: < true | false, only supported in protect mode >
Describe alternatives you have considered
For global config:
eos_cli: |
  switchport port-security mac-address aging
  switchport port-security mac-address moveable
  switchport port-security persistence disabled
For ethernet interfaces:
ethernet_interfaces:
  <Ethernet_interface_1>:
    eos_cli: |
      switchport port-security mac-address maximum 50
      switchport port-security violation protect log
Additional context
Arista documents on this feature:
https://eos.arista.com/eos-4-15-3f/portsec/
https://eos.arista.com/eos-4-18-1f/port-security-preserve-macs-on-link-flapreload/
https://eos.arista.com/eos-4-24-0f/port-security-protect-mode/
https://eos.arista.com/eos-4-24-2f/port-security-protect-mode-enhancements/
https://eos.arista.com/eos-4-26-1f/vlan-based-port-security/
Contributing Guide
- [X] I agree to follow this project's Code of Conduct
@kmueller68 we have considered reworking most of the switchport* commands on interface level, so they are mapped closer to the CLI. This will be an ongoing effort, but to get it started, I think we should call the interface key switchport_port_security.
Also the violation: we will not have a default per se in eos_cli_config_gen, but just render whatever the user inputs.
Re mac_address_maximum: I think we need to separate this into two vars to avoid mixing types (we try to avoid this now, when we have schemas to enforce and guide the user). Ex. mac_address_maximum: <1-1000> and mac_address_maximum_disabled: <bool>. Then we can ignore the numeric value if disabled is set.
Thank you for your contributions!
One more thing. On interface level we will need an enabled: <bool> key to trigger configuring switchport port-security alone.
@ClausHolbechArista I have considered your requests.
And I have added the option vlan to have a full implementation.
ethernet_interfaces:
  <Ethernet_interface_1>:
    switchport_port_security:
      enabled: < true | false >
      mac_address_maximum_disabled: < true | false >
      mac_address_maximum: < 1 - 1000 >
      violation: < protect | shutdown >
      # Only supported when violation is set to protect
      log: < true | false >
      vlan:
        - id: < default | list of vlans as string >
          vlan_mac_address_maximum: < 1 - 1000 >
The vlan option can add multiple lines like:
https://eos.arista.com/eos-4-26-1f/vlan-based-port-security/
interface Ethernet1
   switchport port-security vlan 10 mac-address maximum 1
   switchport port-security vlan 200-203 mac-address maximum 5
   switchport port-security mac-address maximum disabled
   switchport port-security vlan default mac-address maximum 3
I have two suggestions for options violation and log:
switchport_port_security:
  violation: < protect | shutdown >
  # Only supported when violation is set to protect
  log: < true | false >
or
switchport_port_security:
  violation: < protect | "protect log" | shutdown >
I prefer
switchport_port_security:
  violation: < protect | shutdown >
  # Only supported when violation is set to protect
  log: < true | false >
Re the vlan key, I would suggest to modify it a bit:
default_vlan_mac_address_maximum: < 1 - 1000 >
vlans:
  - vlans: < vlan range as string >
    mac_address_maximum: < 1 - 1000 >
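The following is an added example, not code from the AVD project or from anyone in this thread. It renders the data model as it stands after the comments above (the global switchport_port_security keys from the issue body, and the interface keys enabled, mac_address_maximum_disabled, mac_address_maximum, violation, log, default_vlan_mac_address_maximum and vlans) into EOS CLI lines, and enforces the two schema rules discussed: log is only accepted with violation protect, and the numeric maximum is ignored once mac_address_maximum_disabled is set. The function names, the sample inventory and the CLI wording for violation_protect_chip_based (the issue names only the key) are this example's own assumptions.

```python
# Added example, not AVD code: render the proposed switchport_port_security
# model into EOS CLI lines and validate the constraints agreed in the thread.
# Function names, sample data and the chip-based CLI line are assumptions.


def validate_interface(ps: dict) -> None:
    """Reject combinations the proposed schema marks as unsupported."""
    violation = ps.get("violation")
    if violation not in (None, "protect", "shutdown"):
        raise ValueError(f"violation must be protect or shutdown, got {violation!r}")
    if ps.get("log") and violation != "protect":
        raise ValueError("log is only supported when violation is set to protect")
    for key in ("mac_address_maximum", "default_vlan_mac_address_maximum"):
        value = ps.get(key)
        if value is not None and not 1 <= int(value) <= 1000:
            raise ValueError(f"{key} must be in 1-1000, got {value!r}")
    for entry in ps.get("vlans", []):
        if not 1 <= int(entry["mac_address_maximum"]) <= 1000:
            raise ValueError(f"vlans {entry['vlans']}: mac_address_maximum out of range")


def is_valid_interface(ps: dict) -> bool:
    """Boolean wrapper around validate_interface for callers that only need yes/no."""
    try:
        validate_interface(ps)
    except ValueError:
        return False
    return True


def render_global(sps: dict) -> list[str]:
    """Global switchport_port_security keys -> CLI lines (no default is applied)."""
    lines = []
    mac = sps.get("mac_address") or {}
    if mac.get("aging"):
        lines.append("switchport port-security mac-address aging")
    if mac.get("moveable"):
        lines.append("switchport port-security mac-address moveable")
    if sps.get("persistence_disabled"):
        lines.append("switchport port-security persistence disabled")
    if sps.get("violation_protect_chip_based"):
        # CLI wording assumed here; the issue only names the key.
        lines.append("switchport port-security violation protect chip-based")
    return lines


def render_interface(name: str, cfg: dict) -> list[str]:
    """One ethernet_interfaces entry -> CLI lines, with EOS 3-space indentation."""
    lines = [f"interface {name}"]
    if cfg.get("description"):
        lines.append(f"   description {cfg['description']}")
    ps = cfg.get("switchport_port_security")
    if not ps:
        return lines
    validate_interface(ps)
    if ps.get("enabled"):
        lines.append("   switchport port-security")
    if ps.get("mac_address_maximum_disabled"):
        # The numeric maximum is ignored once disabled is set.
        lines.append("   switchport port-security mac-address maximum disabled")
    elif ps.get("mac_address_maximum") is not None:
        lines.append(f"   switchport port-security mac-address maximum {ps['mac_address_maximum']}")
    if ps.get("violation"):
        line = f"   switchport port-security violation {ps['violation']}"
        if ps.get("log"):  # validate_interface guarantees violation == protect here
            line += " log"
        lines.append(line)
    if ps.get("default_vlan_mac_address_maximum") is not None:
        lines.append("   switchport port-security vlan default mac-address maximum "
                     f"{ps['default_vlan_mac_address_maximum']}")
    for entry in ps.get("vlans", []):
        lines.append(f"   switchport port-security vlan {entry['vlans']} "
                     f"mac-address maximum {entry['mac_address_maximum']}")
    return lines


# Constructed sample inventory using the keys proposed in the thread.
SAMPLE = {
    "switchport_port_security": {
        "mac_address": {"aging": True, "moveable": True},
        "persistence_disabled": True,
    },
    "ethernet_interfaces": {
        "Ethernet1": {
            "description": "IOT",
            "switchport_port_security": {
                "enabled": True,
                "mac_address_maximum_disabled": True,
                "mac_address_maximum": 3,  # ignored because disabled is set
                "violation": "protect",
                "log": True,
                "default_vlan_mac_address_maximum": 3,
                "vlans": [
                    {"vlans": "10", "mac_address_maximum": 1},
                    {"vlans": "200-203", "mac_address_maximum": 5},
                ],
            },
        }
    },
}


def render_config(data: dict = SAMPLE) -> list[str]:
    """Render the global block followed by every interface, separated by '!'."""
    lines = render_global(data.get("switchport_port_security", {}))
    for name, cfg in data.get("ethernet_interfaces", {}).items():
        lines.append("!")
        lines.extend(render_interface(name, cfg))
    return lines


if __name__ == "__main__":
    print("\n".join(render_config()))
```

Running the block prints the global lines followed by the Ethernet1 stanza; the numeric maximum of 3 does not appear because mac_address_maximum_disabled wins, and switching the sample's violation to shutdown while leaving log set makes render_interface raise ValueError.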
This issue is stale because it has been open 90 days with no activity. The issue will be reviewed by a maintainer and may be closed
Please keep this open, since we need this feature, but I am currently running out of time to implement it.
@JulioPDX Thank you very much for your implementation.