Contents

Port Security                                                                                                                                     2

1. Introduction                                                                                                                           2

2. Protected Port                                                                                                                        2

2.1 Configuring a protected port in CLI                                                                               2

2.2  Configuring a protected port in web GUI                                                                     3

3. MAC-Binding                                                                                                                          3

3.1 Configuring MAC Binding in web GUI                                                                           4

3.2 Configuring MAC Binding in CLI                                                                                     4

4. MAC-Filtering                                                                                                                         5

Port Security

1. Introduction

Port Security helps secure any network by preventing unknown devices from forwarding packets. You can limit the number of MAC addresses on a given port. The ‘switchport security’ feature offers the ability to configure a port so that traffic can be limited to only a specific configured MAC address or list of MAC addresses that will be authorized to access the network through that port. This enables the individual ports to detect, prevent and log attempts by unauthorized devices.

2. Protected Port

Port protection is used to avoid communication with two ports (Protected) within the same VLAN. Ports that are protected cannot forward traffic to other protected ports, regardless of the VLAN membership. However, protected ports can forward traffic to unprotected ports.

Unprotected ports can forward traffic to both protected and unprotected ports.

2.1 Configuring a protected port in CLI

In the CLI, type in the following commands to configure a port as protected port:

Switch>enable

Switch#configure terminal

Entering interface ge1/1 configuration mode

Switch(config)#interface ge1/1

Configuring interface ge1/1 as protected port

Switch(config-ge1/1)#switchport port-security protect

Switch(config-ge1/1)#exit

Switch(config)#exit

Saving the configuration

Switch#write

Display protected port information

Switch#show port-security protect

To remove the protection from a particular port, enter into interface configuration mode and enter the following command:

Switch(config-ge1/1)#no switchport port-security protect

2.2  Configuring a protected port in web GUI

Access the web GUI, navigate to Port -> Protected port, select the interface on which protected port is to be configured and click ‘Protected Port’. To unprotect the port click  the port and click the ‘Unprotected Port’ button.

3. MAC-Binding

MAC Binding is defining certain MAC addresses to a port allowing traffic only from those MAC-addresses. This feature can protect your network from ARP poisoning attacks, in which hackers try to change the MAC address of their computers to match a real device on your network. You can specify the number of MAC addresses that can be learnt or bound with an interface.

In CLI, the learn-limit is set as follows:

Switch>enable

Switch#configure terminal

Switch(config)#interface ge1/4

Switch(config-ge1/4)#switchport port-security learn-limit 4

Switch(config-ge1/4)#exit

Switch(config)#exit

Switch#show port-security learn-limit

We are configuring the learn limit on interface ge1/4 as 4.

Auto binding feature is also available with which the port dynamically learns the MAC-address as per the limit set (if set).

3.1 Configuring MAC Binding in web GUI

Navigate to the Security -> MAC → MAC Bind, select the port on which you want to bind a MAC address, specify the MAC address of the device and the VLAN ID it is in and click ‘Apply’.

The format of the MAC address should be ‘hhhh.hhhh.hhhh’. As shown below, any other device with a MAC address other than those shown in the list will not be able to access the network through that port.

3.2 Configuring MAC Binding in CLI

In CLI, enter the interface configuration mode and enter the following commands:

Switch(config)#interface ge1/2

Switch(config-ge1/2)#switchport port-security mac-bind <mac_address> vlan <vlanID>

Switch(config-ge1/2)#exit

Switch(config)#exit

Switch#write

●       In place of <mac_address> specify the mac address of the device for mac binding.

●       In place of <vlanID> enter the VLAN ID.

We have configured b083.fe67.bf47 as the MAC address to port ge1/2 as shown below.

Switch#show port-security mac-bind

4. MAC-Filtering

MAC Filtering is for specifying the MAC addresses from/to which traffic is blocked for a particular interface/port. It basically acts as a black list of MAC addresses to be blocked from accessing the network. It is a security method based on access control. It helps in preventing unwanted access to the network.

To configure MAC filtering in web GUI, navigate to Security tab → MAC → MAC Filter, choose the port on which MAC-Filtering is to be configured, specify the MAC address to be blocked (filtered), enter the VLAN ID and click ‘Apply’. The format for MAC address entry is ‘hhhh.hhhh.hhhh’. An example is shown below where f8f7.d308.e4a1 is filtered on interface ge1/5.

To configure MAC Filtering in CLI follow these commands:

Switch>enable

Switch#configure terminal

Switch(config)#interface ge1/6

Switch(config-ge1/6)#switchport port-security mac-filter <mac_address> vlan <vlanid>

Switch(config-ge1/6)#exit

Switch(config)#exit

Switch#write

Switch#show port-security mac-filter

# This will display the list of MAC address filtered