1 / 6

Managing Port Security and Intrusion Protection for Ethernet Ports

This guide details the configuration of port security and intrusion protection for Ethernet ports. It explains how to set the maximum number of MAC addresses that can be learned per port, beneficial for managing user access in environments like ETTH and dormitories. It includes commands for enabling security, configuring maximum learning addresses, and establishing a list of allowed MACs. It also discusses the new lock address mode "Permanent," which retains learned MAC addresses in the static MAC table even after a power cycle, simplifying network management and enhancing security.

donagh
Télécharger la présentation

Managing Port Security and Intrusion Protection for Ethernet Ports

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Configuration Examples Port Security and Intrusion Protection

  2. Port Security • For each Ethernet port, at max. how many MAC address can be learned can be controlled. It’s useful at ETTH or Dormitory to control at max. how many user can access the Internet at the same time. ETTH Internet Max. User=2 Example: Port 1: Max. Learning Addr = 2 Port 2: Max. Learning Addr = 2 Port 3: Max. Learning Addr = 2 Port 4: Max. Learning Addr = 8 And so on. Max. user = 2 Max. user = 2 Max. user = 8

  3. Port Security Commands: config port_security ports 1-3 admin_state enabled max_learning_addr 2 config port_security ports 4 admin_state enabled max_learning_addr 8 …

  4. Intrusion protection Goal: MAC not in allowed list by port cannot access the network backbone • Enable port security by port, and set max. learning address = 0 for those ports need the intrusion protection • Enter the allowed Mac list into Static Mac forwarding table. Mac8 Mac9 Mac10 Mac1 Mac2 Mac3 Mac4 Mac5 Mac6 Mac7 Servers

  5. Commands config port_security ports 1-24 admin_state enabled max_learning_addr 0 create fdb default 00-50-ba-00-00-01 port 2 create fdb default 00-50-ba-00-00-02 port 2 create fdb default 00-50-ba-00-00-03 port 2 create fdb default 00-50-ba-00-00-04 port 2 create fdb default 00-50-ba-00-00-05 port 8 create fdb default 00-50-ba-00-00-08 port 20 create fdb default 00-50-ba-00-00-09 port 22 create fdb default 00-50-ba-00-00-10 port 24 (…all other allowed mac)

  6. New Lock Address Mode “Permanent” • Example: config port_security ports 1:1-1:24 lock_address_mode Permanent • Enable Port security per Device • After by port enable port security and select “Permanent” and the number of MAC to be learned from that port will be “permanently written to Static MAC table.” Even after power cycle, that MAC still there. It save the time to key in the MAC entries into Static MAC table. • To release the permanent learned MAC, disable Port security of that port.

More Related