D

25 Messages

 • 

372 Points

Tue, Jun 22, 2021 4:08 PM

Port MAC Security Question

I am reading about "port MAC security" in the Fastiron Security Guide. We may choose to use this instead of full blown 802.1x auth on all ICX end-user access ports.

It is not clear to me though - MACSec appears to be a separate licensed feature, And is only supported on 7450 and better devices. Does this apply to Port MAC Security as well? Or is this available on all ICX switches? (we have mostly 7150)

Also, it looks like this is something that is either enabled or disabled on the switch... not something that is enabled or disabled per port? If this is the case, and I have a switch with APs connected to it... how would that work? If I say that there is a maximum number of 4 secure MAC addresses (local resources). If I have an AP connected to a port on that switch... the AP will have a few MAC addresses on its own, and then there are the MAC addresses of any clients that connect to wireless networks, etc.

How would this be handled?

Thanks, 

Accepted Solution

Employee

 • 

187 Messages

 • 

3.2K Points

5 m ago

Hey David, 

They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.

Macsec is basically point-to-point encryption on links and does indeed require a license. 

I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients. 

Let me know if that makes sense and if you have any additional questions/concerns. 

Accepted Solution

Employee

 • 

25 Messages

 • 

380 Points

5 m ago

Hello David, 

MACsec is a separate feature that encrypts point-to-point communication on a layer 2 basis.

I think you're looking for mac-authentication that can be enabled per port on any of the ICX models and authenticates the end user's mac-address against an authenticating server as RADIUS.

Here you can find the guide:
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-98B6424C-B7ED-4CA2-80B2-C35C713BB79E.html

On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.

Here the guide:

https://docs.commscope.com/bundle/fastiron-08092-securityguide/page/GUID-B9D5C5CA-0C1A-4D03-9D7B-CE21926AB6FB.html

Please let me know if this information has been useful.

(edited)

25 Messages

 • 

372 Points

5 m ago

Thanks for the feedback; It is not clear to me though - is Port MAC Security something that can be enabled only on specific interfaces? The documentation indicates that it is enabled globally on the switch:

Enter global configuration mode.
device# configure terminal
2. Enter port security configuration mode.
device(config)# port security
3. Enable port MAC security globally on the device.
device(config-port-security)# enable

Is this the case? What if I have a switch and I only want to enable this on specific ports? (like, enable on all ports except where APs are connected)?

Employee

 • 

187 Messages

 • 

3.2K Points

Hey David, 

It is a bit confusing. If you enable it at the global level, it will turn the feature on for every port and use the global settings. However, you can also implement at the port level which is likely more useful. Here is an example:

SSH@ICX(config)#int e 1/3/1
SSH@ICX(config-if-e10000-1/3/1)#port security
SSH@ICX(config-port-security-if-e10000-1/3/1)#maximum 3
SSH@ICX(config-port-security-if-e10000-1/3/1)#violation shutdown
SSH@ICX(config-port-security-if-e10000-1/3/1)#enable

Here is how it would look in the running config:

interface ethernet 1/3/1
 port security
  enable
  maximum 3
  violation shutdown

Here is the 'show port security':

SSH@ICX#show port security
Port    Security Violation Shutdown-Time Age-Time  Max-MAC
------- -------- --------- ------------- --------- -------
1/1/1    disabled   protect               permanent       1
1/1/2    disabled   protect               permanent       1
1/1/3    disabled   protect               permanent       1
1/1/4    disabled   protect               permanent       1
1/1/5    disabled   protect               permanent       1
1/1/6    disabled   protect               permanent       1
1/1/7    disabled   protect               permanent       1
1/1/8    disabled   protect               permanent       1
1/1/9    disabled   protect               permanent       1
1/1/10   disabled   protect               permanent       1
1/1/11   disabled   protect               permanent       1
1/1/12   disabled   protect               permanent       1
1/2/1    disabled   protect               permanent       1
1/2/2    disabled   protect               permanent       1
1/3/1     enabled  shutdown     permanent permanent       3
1/3/2    disabled   protect               permanent       1

Ben Beck, RCNA

Principal Technical Support Engineer

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

25 Messages

 • 

372 Points

Ok cool - so it can be configured per port. 

If it is configured globally initially, can more specific settings then be configured explicitly on a port?

I ask since I think a basic setting with "protect" and 3 or 4 secure mac addresses would work for the majority of our access ports... but there will be some exceptions (where small desktop switches exist, printers, etc.)

If it can't be done with a global setting along with custom settings for specific ports, is there a way to do range programming? like, to enable it for all ethernet interfaces 1/1/1 to 1/1/48, 2/1/1 to 2/1/48 , etc.?

Thanks,

D

Employee

 • 

187 Messages

 • 

3.2K Points

Hey David, 

Yes, port-level settings supersede global settings so you can surely do that. 

Also, you can do port ranges to apply settings to multiple ports. Example:

SSH@ICX(config)#interface ethernet 1/1/1 to 1/1/12
SSH@ICX(config-mif-1/1/1-1/1/12)#port security
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#maximum 99
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#violation restrict
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#enable

Ben Beck, RCNA

Principal Technical Support Engineer

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

25 Messages

 • 

372 Points

Excellent - thanks so much!

Important Announcement