How to: WX7052-410G Configuring Port Security

Contents

Port Security

1. Introduction

2. Protected Port

2.1 Configuring a Protected Port in CLI

2.2 Configuring a Protected Port in web GUI

3. MAC-Binding

3.1 Configuring MAC Binding in web GUI

3.2 Configuring MAC Binding in CLI

4. MAC-Filtering

4.1 Configuring MAC Filtering in web GUI

4.2 Configuring MAC Filtering in CLI


 

Port Security

1. Introduction

Port Security helps secure any network by preventing unknown devices from forwarding packets. You can limit the number of MAC addresses on a given port. The ‘switchport security’ feature lets you configure a switch port so that traffic is limited to a specific configured MAC address, or a list of MAC addresses, authorized to access the network through that port. This enables individual ports to detect, prevent and log access attempts by unauthorized devices.

2. Protected Port

Ports that are protected cannot forward traffic to other protected ports, regardless of VLAN membership. However, protected ports can forward traffic to unprotected ports. Unprotected ports can forward traffic to both protected and unprotected ports. Port protection is used to prevent communication between two (protected) ports within the same VLAN.

2.1 Configuring a Protected Port in CLI

In the CLI, type the following commands to configure a port as a protected port:

Switch>enable

Switch#configure terminal

Entering interface ge1/28 configuration mode

Switch(config)#interface ge1/28

Configuring interface ge1/28 as protected port

Switch(config-ge1/28)#switchport port-security protect

Switch(config-ge1/28)#exit

Switch(config)#exit

Saving the configuration

Switch#write

Display protected port information

Switch#show port-security protect


To remove the protection from a particular port, enter interface configuration mode for that port and enter the following command:

Switch(config-ge1/28)#no switchport port-security protect

2.2  Configuring a Protected Port in web GUI

Access the web GUI, navigate to Port → Protected Port, select the interface on which the protected port is to be configured and click ‘Protected Port’. To unprotect the port, click the port and then click the ‘Unprotected Port’ button.


3. MAC-Binding

MAC Binding assigns specific MAC addresses to a port so that only traffic from those MAC addresses is allowed. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. You can specify the number of MAC addresses that can be learned on or bound to an interface.

In the CLI, the learn-limit is set as follows:

Switch>enable

Switch#configure terminal

Switch(config)#interface ge1/22

Switch(config-ge1/22)#switchport port-security learn-limit 4

Switch(config-ge1/22)#exit

Switch(config)#exit

Switch#show port-security learn-limit

This sets the learn limit on interface ge1/22 to 4.


An auto-binding feature is also available, with which the port dynamically learns MAC addresses up to the limit set (if one is set).

3.1 Configuring MAC Binding in web GUI

Navigate to SECURITY → MAC → MAC Bind, choose the port on which MAC-Bind is to be configured, specify the MAC address to be bound, enter the VLAN ID and click ‘Apply’.

The format of the MAC address should be ‘hhhh.hhhh.hhhh’. As shown below, any device with a MAC address other than those shown in the list will not be able to access the network through that port. Select the MAC address and VLAN on which the MAC Binding is to be configured.


3.2 Configuring MAC Binding in CLI

In the CLI, enter interface configuration mode and enter the following commands:

Switch(config)#interface ge1/26

Switch(config-ge1/26)#switchport port-security mac-bind <mac_address> vlan <vlanID>

Switch(config-ge1/26)#exit

Switch(config)#exit

Switch#write

In place of <mac_address>, specify the MAC address of the device for MAC binding.

In place of <vlanID>, enter the VLAN ID.

We have bound the MAC address b083.fe67.bf47 to port ge1/26, as shown below.

Switch#show port-security mac-bind


 

 

4. MAC-Filtering

MAC Filtering specifies the MAC addresses from/to which traffic is blocked on a particular interface/port. It acts as a blacklist of MAC addresses to be blocked from accessing the network. It is a security method based on access control and helps prevent unwanted access to the network.

4.1 Configuring MAC Filtering in web GUI

To configure MAC filtering in the web GUI, navigate to SECURITY → MAC → MAC Filter, choose the port on which MAC-Filtering is to be configured, specify the MAC address to be blocked (filtered), enter the VLAN ID and click ‘Apply’. The format for MAC address entry is ‘hhhh.hhhh.hhhh’. An example is shown below. Select the MAC address and VLAN on which the MAC Filtering is to be configured.


4.2 Configuring MAC Filtering in CLI

To configure MAC Filtering in the CLI, use these commands:

Switch>enable

Switch#configure terminal

Switch(config)#interface ge1/28

Switch(config-ge1/28)#switchport port-security mac-filter <mac_address> vlan <vlanid>

Switch(config-ge1/28)#exit

Switch(config)#exit

Switch#write

Switch#show port-security mac-filter

# This will display the list of filtered MAC addresses
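
The MAC binding and MAC filtering commands in sections 3.2 and 4.2 both expect addresses in ‘hhhh.hhhh.hhhh’ form, while device inventories often hold them in colon or hyphen notation. The Python script below is an added example, not part of the original article or any vendor tooling: it normalizes the addresses and builds the CLI lines shown above. The function names, the unicast check applied to bindings, the 1-4094 VLAN range and the sample VLAN IDs are assumptions of this example.

```python
import re

# Accepted input notations (after lower-casing): aa:bb:cc:dd:ee:ff or
# aa-bb-cc-dd-ee-ff (one separator throughout), hhhh.hhhh.hhhh, bare 12 hex digits.
_MAC_FORMS = [
    re.compile(r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"),
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"),
    re.compile(r"[0-9a-f]{12}"),
]

def to_switch_mac(mac, require_unicast=False):
    """Return the MAC in the hhhh.hhhh.hhhh form the article specifies."""
    text = mac.strip().lower()
    if not any(form.fullmatch(text) for form in _MAC_FORMS):
        raise ValueError(f"not a recognisable MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", text)
    # The lowest bit of the first octet marks a group (multicast/broadcast)
    # address, which is never the source MAC of a single bound device.
    # This is a sanity check of this example, not a documented switch rule.
    if require_unicast and int(digits[:2], 16) & 1:
        raise ValueError(f"group address cannot identify one device: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def port_security_commands(interface, entries, mode="mac-bind"):
    """Build the CLI lines for mac-bind or mac-filter entries on one interface."""
    if mode not in ("mac-bind", "mac-filter"):
        raise ValueError(f"unsupported mode: {mode!r}")
    lines, seen = ["configure terminal", f"interface {interface}"], set()
    for mac, vlan in entries:
        vlan = int(vlan)
        if not 1 <= vlan <= 4094:  # 802.1Q range (assumed); the switch may allow fewer
            raise ValueError(f"VLAN ID out of range: {vlan}")
        key = (to_switch_mac(mac, require_unicast=(mode == "mac-bind")), vlan)
        if key in seen:  # same device listed twice in different notations
            continue
        seen.add(key)
        lines.append(f"switchport port-security {mode} {key[0]} vlan {vlan}")
    return lines + ["exit", "exit", "write", f"show port-security {mode}"]

if __name__ == "__main__":
    # Constructed inventory: the article's example MAC in two notations plus
    # one made-up address; the VLAN IDs are made up as well.
    inventory = [("B0:83:FE:67:BF:47", 10), ("b0-83-fe-67-bf-47", "10"),
                 ("0011.2233.4455", 20)]
    print("\n".join(port_security_commands("ge1/26", inventory)))
```

Review the generated lines before pasting them into a privileged (`Switch#`) session, and compare the final `show` output against the inventory.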


