<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Mac Security in ICX Switches</title>
    <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76641#M5328</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Hi Dejeh1,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you for reaching us&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;From the details shared I could understand that you are trying to use port security on a port where an AP is connected. Could you please help us with the below details.&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;Could you please let us know if there is a specific requirement due to which you are trying to set port security on an AP port?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;How many AP devices are connected to this switch?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Do you have a number with regard to the number of wireless clients who would connect to the AP on a daily basis or during a high usage period, like max users?&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;There would be a need to understand the number of wireless clients who connect to the AP; this is because when we consider an access point we do not know how many clients would connect to the AP.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If you configure a max limit of 10 and the max limit has already been reached, and later a new client ("11th client") tries to connect, he will be denied network access.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;So mostly we do not recommend port security on AP ports.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If you are choosing to enable port security you can consider using it on wired clients which are on the wired network and directly connected to the switch, where the MAC address is always the same and does not change.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You can also run through the below two links, which will give you an idea about resources and considerations for port MAC security&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Local and Global Resources Used for Port MAC Security&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;FONT face="courier new,courier" 
size="2"&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-B2804916-51FE-43DE-AE64-B80BEB6B386C.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-B2804916-51FE-43DE-AE64-B80BEB6B386C.html&lt;/A&gt;&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;Configuration Considerations for Port MAC Security&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;FONT face="courier new,courier" size="2"&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-87F1BCB5-AE06-4548-BCE5-EEEFC170CC4D.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-87F1BCB5-AE06-4548-BCE5-EEEFC170CC4D.html&lt;/A&gt;&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;I hope this helps&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 07 Mar 2024 13:36:32 GMT</pubDate>
    <dc:creator>Chandini</dc:creator>
    <dc:date>2024-03-07T13:36:32Z</dc:date>
    <item>
      <title>Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76623#M5322</link>
      <description>&lt;P&gt;How do I configure switch port mac security on a switch connected to a Ruckus R550 Access Point without the switch learning the mac addresses of devices connected to the access point?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 06 Mar 2024 17:18:35 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76623#M5322</guid>
      <dc:creator>Dejeh1</dc:creator>
      <dc:date>2024-03-06T17:18:35Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76634#M5323</link>
      <description>&lt;P&gt;&lt;a href="https://community.ruckuswireless.com/t5/user/viewprofilepage/user-id/18356"&gt;@Dejeh1&lt;/a&gt;&amp;nbsp;Please find the link below for configuring port mac security in ICX switches:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-379CDDC9-2F15-4F4B-8D86-63C74D560556.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-379CDDC9-2F15-4F4B-8D86-63C74D560556.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Zairah Javeed&lt;BR /&gt;Sr Technical Support Engineer | L2 TAC Wired&lt;BR /&gt;support.ruckuswireless.com/contact-us&lt;/P&gt;&lt;P&gt;COMMSCOPE&lt;BR /&gt;now meets next&lt;/P&gt;&lt;P&gt;Note: Please feel free to mark the post as ACCEPTED SOLUTIONS&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2024 03:24:09 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76634#M5323</guid>
      <dc:creator>Zairah</dc:creator>
      <dc:date>2024-03-07T03:24:09Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76635#M5324</link>
      <description>&lt;P&gt;Hi Dejeh1,&lt;/P&gt;&lt;P&gt;Thank you for posting your query!!!&lt;/P&gt;&lt;P&gt;I understand that you would like to configure switch port mac security on a switch connected to a Ruckus R550 Access Point without the switch learning the mac addresses of devices connected to the access point.&lt;/P&gt;&lt;P&gt;Please find the below steps for your reference:&lt;/P&gt;&lt;P&gt;********************************&lt;BR /&gt;MAC port security configuration&lt;BR /&gt;********************************&lt;/P&gt;&lt;P&gt;To configure the MAC port security feature, perform the following tasks:&lt;/P&gt;&lt;P&gt;• Enable the MAC port security feature&lt;BR /&gt;• Set the maximum number of secure MAC addresses for an interface&lt;BR /&gt;• Set the port security age timer&lt;BR /&gt;• Specify secure MAC addresses&lt;BR /&gt;• Configure the device to automatically save secure MAC addresses to the startup-config file&lt;BR /&gt;• Specify the action taken when a security violation occurs&lt;/P&gt;&lt;P&gt;**************************************&lt;BR /&gt;Enabling the MAC port security feature&lt;BR /&gt;**************************************&lt;/P&gt;&lt;P&gt;By default, the MAC port security feature is disabled on all interfaces. 
You can enable or disable the feature on all interfaces at once, or on individual interfaces.&lt;/P&gt;&lt;P&gt;To enable the feature on all interfaces at once, enter the following commands:&lt;BR /&gt;device(config)# port security&lt;BR /&gt;device(config-port-security)# enable&lt;/P&gt;&lt;P&gt;To disable the feature on all interfaces at once, enter the following commands:&lt;BR /&gt;device(config)# port security&lt;BR /&gt;device(config-port-security)# no enable&lt;/P&gt;&lt;P&gt;To enable the feature on a specific interface, enter the following commands:&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# enable&lt;/P&gt;&lt;P&gt;Syntax: port security&lt;BR /&gt;Syntax: no enable&lt;/P&gt;&lt;P&gt;********************************************************************&lt;BR /&gt;Setting the maximum number of secure MAC addresses for an interface&lt;BR /&gt;********************************************************************&lt;/P&gt;&lt;P&gt;When MAC port security is enabled, an interface can store one secure MAC address. You can increase the number of MAC addresses that can be stored to a maximum of 64, plus the total number of global resources available.&lt;/P&gt;&lt;P&gt;For example, to configure interface 1/7/11 to have a maximum of 10 secure MAC addresses, enter the following commands.&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# maximum 10&lt;/P&gt;&lt;P&gt;Syntax: maximum number-of-addresses&lt;/P&gt;&lt;P&gt;The number-of-addresses parameter can be set to a number from 0 through 64 plus (the total number of global resources available). The total number of global resources is 2048 or 4096, depending on flash memory size. Setting the parameter to 0 prevents any addresses from being learned. 
The default is 1.&lt;/P&gt;&lt;P&gt;************************************&lt;BR /&gt;Setting the port security age timer&lt;BR /&gt;************************************&lt;/P&gt;&lt;P&gt;By default, learned MAC addresses stay secure indefinitely. You can optionally configure the device to age out secure MAC addresses after a specified amount of time.&lt;/P&gt;&lt;P&gt;To set the port security age timer to 10 minutes on all interfaces, enter the following commands:&lt;BR /&gt;device(config)# port security&lt;BR /&gt;device(config-port-security)# age 10&lt;/P&gt;&lt;P&gt;To age out all secure MAC-addresses immediately after two minutes, enter the following commands:&lt;BR /&gt;device(config)# port security&lt;BR /&gt;device(config-port-security)# age 2 absolute&lt;/P&gt;&lt;P&gt;To set the port security age timer to 10 minutes on a specific interface, enter the following commands:&lt;BR /&gt;device(config)# interface ethernet 7/1/1&lt;BR /&gt;device(config-if-e1000-7/1/1)# port security&lt;BR /&gt;device(config-port-security-e1000-7/1/1)# age 10&lt;/P&gt;&lt;P&gt;Syntax: [no] age minutes [ minutes | absolute ]&lt;/P&gt;&lt;P&gt;The minutes variable specifies a range from 0 through 1440 minutes. The default is 0 (never age out secure MAC addresses).&lt;/P&gt;&lt;P&gt;The optional absolute keyword sets all secure MAC addresses to age out immediately once the specified time expires. If the absolute keyword is not specified, secure MAC addresses are aged out only when the configured hardware MAC age time expires.&lt;BR /&gt;----------&lt;BR /&gt;Note: When using the absolute option to age out MAC addresses on timer expiry, make sure that the age timer value is sufficient. Avoid using a very short timer expiry with the absolute option, as the value may be in conflict with other timer settings and may cause performance problems in the network. For example, a one-minute timer expiry will cause MAC addresses to be flushed every minute. 
As a result, operational (enable/disable) loops and packet flooding may occur following a security violation, which by default causes a port to be disabled for one minute.&lt;BR /&gt;----------&lt;BR /&gt;Note: Even though you can set age time to specific ports independent of the device-level setting, the actual age timer will take the greater of the two values. Thus, if you set the age timer to 3 minutes for the port, and 10 minutes for the device, the port MAC aging happens in 10 minutes (the device-level setting), which is greater than the port setting that you have configured.&lt;BR /&gt;----------&lt;/P&gt;&lt;P&gt;On the Brocade ICX 7750, Brocade ICX 7450, and Brocade ICX 7250, the port security age can only be set to the global hardware age. The absolute age and no age secure MACs are configured as static in hardware. To set or unset PMS MAC age time to global-mac-timer (hardware age timer), enter the following commands:&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# age global-mac&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# no age global-mac&lt;/P&gt;&lt;P&gt;*********************************&lt;BR /&gt;Specifying secure MAC addresses&lt;BR /&gt;*********************************&lt;/P&gt;&lt;P&gt;You can configure secure MAC addresses on tagged and untagged interfaces. On an untagged interface to specify a secure MAC address on an untagged interface, enter commands such as the following:&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# secure-mac-address 0000.0018.747C&lt;/P&gt;&lt;P&gt;Syntax: [no] secure-mac-address mac-address&lt;/P&gt;&lt;P&gt;On a tagged interface when specifying a secure MAC address on a tagged interface, you must also specify the VLAN ID. 
To do so, enter commands such as the following:&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# secure-mac-address 0000.0018.747C 2&lt;/P&gt;&lt;P&gt;Syntax: [no] secure-mac-address mac-address [ vlan-ID ]&lt;BR /&gt;----------&lt;BR /&gt;Note: If MAC port security is enabled on a port and you change the VLAN membership of the port, make sure that you also change the VLAN ID specified in the secure-mac-address configuration statement for the port.&lt;BR /&gt;----------&lt;BR /&gt;When a secure MAC address is applied to a tagged port, the VLAN ID is generated for both tagged and untagged ports. When you display the configuration, you will see an entry for the secure MAC addresses. For example, you might see an entry similar to the following line.&lt;/P&gt;&lt;P&gt;secure-mac-address 0000.0011.2222 10 10&lt;/P&gt;&lt;P&gt;This line means that MAC address 0000.0011.2222 10 on VLAN 10 is a secure MAC address.&lt;/P&gt;&lt;P&gt;Autosaving secure MAC addresses to the startup configuration&lt;/P&gt;&lt;P&gt;Learned MAC addresses can automatically be saved to the startup configuration at specified intervals. The autosave feature saves learned MAC addresses by copying the running configuration to the startup configuration.&lt;/P&gt;&lt;P&gt;For example, to automatically save learned secure MAC addresses every 20 minutes, enter the following commands:&lt;BR /&gt;device(config)# port security&lt;BR /&gt;device(config-port-security)# autosave 20&lt;/P&gt;&lt;P&gt;Syntax: [no] autosave [ minutes ]&lt;/P&gt;&lt;P&gt;The minutes variable can be from 15 through 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file. If you change the autosave interval, the next save happens according to the old interval, then the new interval takes effect. 
To change the interval immediately, disable autosave by entering the no autosave command, then configure the new autosave interval using the autosave command.&lt;BR /&gt;&lt;BR /&gt;*************************************************************&lt;BR /&gt;Specifying the action taken when a security violation occurs&lt;BR /&gt;*************************************************************&lt;/P&gt;&lt;P&gt;A security violation can occur when a user tries to connect to a port where a MAC address is already locked, or the maximum number of secure MAC addresses has been exceeded. When a security violation occurs, an SNMP trap and Syslog message are generated.&lt;/P&gt;&lt;P&gt;You can configure the device to take one of two actions when a security violation occurs; either drop packets from the violating address (and allow packets from secure addresses), or disable the port for a specified time.&lt;/P&gt;&lt;P&gt;Dropping packets from a violating address&lt;/P&gt;&lt;P&gt;To configure the device to drop packets from a violating address and allow packets from secure addresses, enter the following commands.&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# violation restrict&lt;/P&gt;&lt;P&gt;Syntax: violation [ restrict ]&lt;BR /&gt;----------&lt;BR /&gt;Note: When the restrict option is used, the maximum number of MAC addresses that can be restricted is 128. If the number of violating MAC addresses exceeds this number, the port is shut down. An SNMP trap and the following Syslog message are generated: "Port Security violation restrict limit 128 exceeded on interface ethernet port_id ". 
This is followed by a port shutdown Syslog message and trap.&lt;BR /&gt;----------&lt;/P&gt;&lt;P&gt;**********************************************************************&lt;BR /&gt;Specifying the period of time to drop packets from a violating address&lt;BR /&gt;**********************************************************************&lt;/P&gt;&lt;P&gt;To specify the number of minutes that the device drops packets from a violating address, use&lt;BR /&gt;commands similar to the following:&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# violation restrict 5&lt;/P&gt;&lt;P&gt;Syntax: violation [ restrict ] [age ]&lt;/P&gt;&lt;P&gt;The age variable can be from 0 through 1440 minutes. The default is 5 minutes. Specifying 0 drops packets from the violating address permanently.&lt;/P&gt;&lt;P&gt;Aging for restricted MAC addresses is done in software. There can be a worst case inaccuracy of one minute from the specified time.&lt;/P&gt;&lt;P&gt;The restricted MAC addresses are denied in hardware.&lt;/P&gt;&lt;P&gt;Disabling the port for a specified amount of time&lt;/P&gt;&lt;P&gt;You can configure the device to disable the port for a specified amount of time when a security violation occurs.&lt;/P&gt;&lt;P&gt;To shut down the port for 5 minutes when a security violation occurs, enter the following commands.&lt;BR /&gt;device(config)# interface ethernet 1/7/11&lt;BR /&gt;device(config-if-e1000-1/7/11)# port security&lt;BR /&gt;device(config-port-security-e1000-1/7/11)# violation shutdown 5&lt;/P&gt;&lt;P&gt;Syntax: violation [ shutdown ] [minutes ]&lt;/P&gt;&lt;P&gt;The minutes can be from 0 through 1440 minutes. 
Specifying 0 shuts down the port permanently when a security violation occurs.&lt;/P&gt;&lt;P&gt;You can also refer to the below link for your reference:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-379CDDC9-2F15-4F4B-8D86-63C74D560556.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-379CDDC9-2F15-4F4B-8D86-63C74D560556.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I hope this information helps you&lt;/P&gt;&lt;P&gt;Please feel free to leave us a message if you have any concerns&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2024 05:44:41 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76635#M5324</guid>
      <dc:creator>Mayank</dc:creator>
      <dc:date>2024-03-07T05:44:41Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76641#M5328</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi Dejeh1,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you for reaching us&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;From the details shared I could understand that you are trying to use port security on a port where an AP is connected. Could you please help us with the below details.&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;Could you please let us know if there is a specific requirement due to which you are trying to set port security on an AP port?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;How many AP devices are connected to this switch?&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Do you have a number with regard to the number of wireless clients who would connect to the AP on a daily basis or during a high usage period, like max users?&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;There would be a need to understand the number of wireless clients who connect to the AP; this is because when we consider an access point we do not know how many clients would connect to the AP.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If you configure a max limit of 10 and the max limit has already been reached, and later a new client ("11th client") tries to connect, he will be denied network access.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;So mostly we do not recommend port security on AP ports.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If you are choosing to enable port security you can consider using it on wired clients which are on the wired network and directly connected to the switch, where the MAC address is always the same and does not change.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You can also run through the below two links, which will give you an idea about resources and considerations for port MAC security&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Local and Global Resources Used for Port MAC Security&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;FONT face="courier new,courier" 
size="2"&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-B2804916-51FE-43DE-AE64-B80BEB6B386C.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-B2804916-51FE-43DE-AE64-B80BEB6B386C.html&lt;/A&gt;&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;Configuration Considerations for Port MAC Security&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;FONT face="courier new,courier" size="2"&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-87F1BCB5-AE06-4548-BCE5-EEEFC170CC4D.html" target="_blank"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-87F1BCB5-AE06-4548-BCE5-EEEFC170CC4D.html&lt;/A&gt;&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;I hope this helps&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2024 13:36:32 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76641#M5328</guid>
      <dc:creator>Chandini</dc:creator>
      <dc:date>2024-03-07T13:36:32Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76676#M5330</link>
      <description>&lt;P&gt;Thanks, everyone for the contributions, I really appreciate it.&lt;/P&gt;&lt;P&gt;Since the network is set up for users to use DPSK to connect to the Access points connected to the switch a maximum of 10 Mac won't be okay to prevent the port from shutting down. What I'm trying to achieve is a situation where only the First Access point connected to that switch port Mac address will be learned by the switch, if another Access point is connected to that same switch port it will block. But so far, the switch port learns both the Access point Mac address and every user connected to the Access point Mac address and we don't want this.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2024 20:36:59 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76676#M5330</guid>
      <dc:creator>Dejeh1</dc:creator>
      <dc:date>2024-03-07T20:36:59Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76712#M5332</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi Dejeh1,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you for reaching us&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="courier new,courier" size="2"&gt;"&lt;SPAN&gt;What I'm trying to achieve is a situation where only the First Access point connected to that switch port Mac address will be learned by the switch, if another Access point is connected to that same switch port it will block. But so far, the switch port learns both the Access point Mac address and every user connected to the Access point Mac address and we don't want this.&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;"&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;Based on the above statement, below is what I could understand&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;1st AP mac address should be learnt&lt;/LI&gt;&lt;LI&gt;2nd AP mac address should not be learnt and should be blocked&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;But the switch learns both AP mac addresses and all user mac details connected to both APs.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I suppose the above would be difficult to achieve; below is the reason why&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;For the AP to operate and communicate with the network, the mac address of the AP device or any device which is connected to the switch would be learnt, so if an AP is connected on a port of the switch, it will learn the AP mac address. So I suppose when compared to your scenario, since there are two APs, both AP mac addresses are learnt on the switch; we can understand here it's working as designed.&lt;/LI&gt;&lt;LI&gt;When a user is connected on Wifi the user connection would move from one AP to another automatically based on the user movement, so the mac address would also be learnt on the AP in the same way. 
It would be difficult to understand between which APs the user is roaming and how he is connecting.&amp;nbsp;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;If you want only one AP to be used per switch, you can connect only one AP, and the remaining free ports you can choose to disable so that when a user connects another AP he would have no access to the network. And on ports where you have a wired connection to a PC or other device which is not an AP device you can configure secure-mac-address max 1 per port.&lt;/P&gt;&lt;P&gt;I hope this helps&lt;/P&gt;&lt;P&gt;Thanks&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Mar 2024 16:47:08 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/76712#M5332</guid>
      <dc:creator>Chandini</dc:creator>
      <dc:date>2024-03-08T16:47:08Z</dc:date>
    </item>
    <item>
      <title>Re: Mac Security</title>
      <link>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/77109#M5362</link>
      <description>&lt;P&gt;Hi Dejeh1,&amp;nbsp;&lt;/P&gt;&lt;P&gt;Adding on to the details shared, based on the requirements, where:&lt;BR /&gt;&amp;gt; if the operation is that on a port only the connected [ specific ] AP should work&lt;BR /&gt;&amp;gt; any other device or AP should be blocked on that given port.&lt;BR /&gt;&amp;gt; clients connected to the permitted AP should pass through with no second authentication or security check on the switch.&lt;BR /&gt;&lt;BR /&gt;Then you could go for mac-auth for the APs on the said ports where APs are/would be connected,&amp;nbsp;&lt;BR /&gt;where only the permitted APs will be allowed to connect across. Any other device on that port won't be allowed, and with single-host mode only the AP will be authenticated; the rest of the clients coming off the AP will be able to go through with no issues.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Link for further reading on the single-host auth mode:&amp;nbsp;&lt;BR /&gt;&lt;A href="https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-55419E4A-017B-42A1-9BC0-F30E5C13280D.html" target="_blank" rel="noopener"&gt;https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-55419E4A-017B-42A1-9BC0-F30E5C13280D.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;And the same can be scaled, to be applied to the rest of the ports as well if necessary, or to selected ports only, with the rest configured as needed.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Here, however, the MAC learn will still happen for all device(s) communicating via that port; however, the communication will only work given the AP connected is allowed via the auth.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Let us know your thoughts on the matter.&lt;/P&gt;</description>
      <pubDate>Mon, 18 Mar 2024 16:04:45 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ICX-Switches/Mac-Security/m-p/77109#M5362</guid>
      <dc:creator>jdryan</dc:creator>
      <dc:date>2024-03-18T16:04:45Z</dc:date>
    </item>
  </channel>
</rss>

