topic Re: Port MAC Security Question in ICX Switches

Port MAC Security Question

david_levine — Tue, 22 Jun 2021 16:08:17 GMT

I am reading about "port MAC security" in the Fastiron Security Guide. We may choose to use this instead of full blown 802.1x auth on all ICX end-user access ports.

It is not clear to me though - MACSec appears to be a separate licensed feature, And is only supported on 7450 and better devices. Does this apply to Port MAC Security as well? Or is this available on all ICX switches? (we have mostly 7150)

Also, it looks like this is something that is either enabled or disabled on the switch... not something that is enabled or disabled per port? If this is the case, and I have a switch with APs connected to it... how would that work? If I say that there is a maximum number of 4 secure MAC addresses (local resources). If I have an AP connected to a port on that switch... the AP will have a few MAC addresses on its own, and then there are the MAC addresses of any clients that connect to wireless networks, etc.

How would this be handled?

Thanks,

Re: Port MAC Security Question

BenBeck — Tue, 22 Jun 2021 16:16:03 GMT

Hey David,

They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.

Macsec is basically point-to-point encryption on links and does indeed require a license.

I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients.

Let me know if that makes sense and if you have any additional questions/concerns.

Re: Port MAC Security Question

Orlando_Elias — Tue, 22 Jun 2021 16:16:43 GMT

Hello David,

MACsec is a separate feature that encrypts point-to-point communication on a layer 2 basis.

I think you're looking for mac-authentication that can be enabled per port on any of the ICX models and authenticates the end user's mac-address against an authenticating server as RADIUS.

Here you can find the guide:
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-98B6424C-B7ED-4CA2-80B2-C35C713BB79E.html

On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.

Here the guide:

https://docs.commscope.com/bundle/fastiron-08092-securityguide/page/GUID-B9D5C5CA-0C1A-4D03-9D7B-CE21926AB6FB.html

Please let me know if this information has been useful.

Re: Port MAC Security Question

david_levine — Tue, 22 Jun 2021 17:58:32 GMT

Thanks for the feedback; It is not clear to me though - is Port MAC Security something that can be enabled only on specific interfaces? The documentation indicates that it is enabled globally on the switch:

Enter global configuration mode.
device# configure terminal
2. Enter port security configuration mode.
device(config)# port security
3. Enable port MAC security globally on the device.
device(config-port-security)# enable

Is this the case? What if I have a switch and I only want to enable this on specific ports? (like, enable on all ports except where APs are connected)?

Re: Port MAC Security Question

BenBeck — Tue, 22 Jun 2021 18:24:32 GMT

Hey David,

It is a bit confusing. If you enable it at the global level, it will turn the feature on for every port and use the global settings. However, you can also implement at the port level which is likely more useful. Here is an example:

SSH@ICX(config)#int e 1/3/1
SSH@ICX(config-if-e10000-1/3/1)#port security
SSH@ICX(config-port-security-if-e10000-1/3/1)#maximum 3
SSH@ICX(config-port-security-if-e10000-1/3/1)#violation shutdown
SSH@ICX(config-port-security-if-e10000-1/3/1)#enable

Here is how it would look in the running config:

interface ethernet 1/3/1
port security
enable
maximum 3
violation shutdown

Here is the 'show port security':

SSH@ICX#show port security
Port Security Violation Shutdown-Time Age-Time Max-MAC
------- -------- --------- ------------- --------- -------
1/1/1 disabled protect permanent 1
1/1/2 disabled protect permanent 1
1/1/3 disabled protect permanent 1
1/1/4 disabled protect permanent 1
1/1/5 disabled protect permanent 1
1/1/6 disabled protect permanent 1
1/1/7 disabled protect permanent 1
1/1/8 disabled protect permanent 1
1/1/9 disabled protect permanent 1
1/1/10 disabled protect permanent 1
1/1/11 disabled protect permanent 1
1/1/12 disabled protect permanent 1
1/2/1 disabled protect permanent 1
1/2/2 disabled protect permanent 1
1/3/1 enabled shutdown permanent permanent 3
1/3/2 disabled protect permanent 1

Re: Port MAC Security Question

david_levine — Wed, 23 Jun 2021 15:54:18 GMT

Ok cool - so it can be configured per port.

If it is configured globally initially, can more specific settings then be configured explicitly on a port?

I ask since I think a basic setting with "protect" and 3 or 4 secure mac addresses would work for the majority of our access ports... but there will be some exceptions (where small desktop switches exist, printers, etc.)

If it can't be done with a global setting along with custom settings for specific ports, is there a way to do range programming? like, to enable it for all ethernet interfaces 1/1/1 to 1/1/48, 2/1/1 to 2/1/48 , etc.?

Thanks,

Re: Port MAC Security Question

BenBeck — Wed, 23 Jun 2021 15:59:52 GMT

Hey David,

Yes, port-level settings supersede global settings so you can surely do that.

Also, you can do port ranges to apply settings to multiple ports. Example:

SSH@ICX(config)#interface ethernet 1/1/1 to 1/1/12
SSH@ICX(config-mif-1/1/1-1/1/12)#port security
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#maximum 99
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#violation restrict
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#enable

Re: Port MAC Security Question

david_levine — Wed, 23 Jun 2021 16:07:17 GMT

Excellent - thanks so much!