cancel
Showing results for 
Search instead for 
Did you mean: 

Port MAC Security Question

david_levine
New Contributor III

I am reading about "port MAC security" in the Fastiron Security Guide. We may choose to use this instead of full blown 802.1x auth on all ICX end-user access ports.

It is not clear to me though - MACSec appears to be a separate licensed feature, And is only supported on 7450 and better devices. Does this apply to Port MAC Security as well? Or is this available on all ICX switches? (we have mostly 7150)

Also, it looks like this is something that is either enabled or disabled on the switch... not something that is enabled or disabled per port? If this is the case, and I have a switch with APs connected to it... how would that work? If I say that there is a maximum number of 4 secure MAC addresses (local resources). If I have an AP connected to a port on that switch... the AP will have a few MAC addresses on its own, and then there are the MAC addresses of any clients that connect to wireless networks, etc.

How would this be handled?

Thanks, 

2 ACCEPTED SOLUTIONS

BenBeck
Moderator
Moderator

Hey David, 

They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.

Macsec is basically point-to-point encryption on links and does indeed require a license. 

I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients. 

Let me know if that makes sense and if you have any additional questions/concerns. 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

View solution in original post

Orlando_Elias
RUCKUS Team Member

Hello David, 

MACsec is a separate feature that encrypts point-to-point communication on a layer 2 basis.

I think you're looking for mac-authentication that can be enabled per port on any of the ICX models and authenticates the end user's mac-address against an authenticating server as RADIUS.

Here you can find the guide:
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-98B6424C-B7ED-4CA2-80B2-C35...

On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.

Here the guide:

https://docs.commscope.com/bundle/fastiron-08092-securityguide/page/GUID-B9D5C5CA-0C1A-4D03-9D7B-CE2...

Please let me know if this information has been useful.

With regards,
--
Orlando Elias
Technical Support

View solution in original post

7 REPLIES 7

BenBeck
Moderator
Moderator

Hey David, 

They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.

Macsec is basically point-to-point encryption on links and does indeed require a license. 

I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients. 

Let me know if that makes sense and if you have any additional questions/concerns. 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

Orlando_Elias
RUCKUS Team Member

Hello David, 

MACsec is a separate feature that encrypts point-to-point communication on a layer 2 basis.

I think you're looking for mac-authentication that can be enabled per port on any of the ICX models and authenticates the end user's mac-address against an authenticating server as RADIUS.

Here you can find the guide:
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-98B6424C-B7ED-4CA2-80B2-C35...

On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.

Here the guide:

https://docs.commscope.com/bundle/fastiron-08092-securityguide/page/GUID-B9D5C5CA-0C1A-4D03-9D7B-CE2...

Please let me know if this information has been useful.

With regards,
--
Orlando Elias
Technical Support

david_levine
New Contributor III

Thanks for the feedback; It is not clear to me though - is Port MAC Security something that can be enabled only on specific interfaces? The documentation indicates that it is enabled globally on the switch:

Enter global configuration mode.
device# configure terminal
2. Enter port security configuration mode.
device(config)# port security
3. Enable port MAC security globally on the device.
device(config-port-security)# enable

Is this the case? What if I have a switch and I only want to enable this on specific ports? (like, enable on all ports except where APs are connected)?

Hey David, 

It is a bit confusing. If you enable it at the global level, it will turn the feature on for every port and use the global settings. However, you can also implement at the port level which is likely more useful. Here is an example:

SSH@ICX(config)#int e 1/3/1
SSH@ICX(config-if-e10000-1/3/1)#port security
SSH@ICX(config-port-security-if-e10000-1/3/1)#maximum 3
SSH@ICX(config-port-security-if-e10000-1/3/1)#violation shutdown
SSH@ICX(config-port-security-if-e10000-1/3/1)#enable

Here is how it would look in the running config:

interface ethernet 1/3/1
 port security
  enable
  maximum 3
  violation shutdown

Here is the 'show port security':

SSH@ICX#show port security
Port    Security Violation Shutdown-Time Age-Time  Max-MAC
------- -------- --------- ------------- --------- -------
1/1/1    disabled   protect               permanent       1
1/1/2    disabled   protect               permanent       1
1/1/3    disabled   protect               permanent       1
1/1/4    disabled   protect               permanent       1
1/1/5    disabled   protect               permanent       1
1/1/6    disabled   protect               permanent       1
1/1/7    disabled   protect               permanent       1
1/1/8    disabled   protect               permanent       1
1/1/9    disabled   protect               permanent       1
1/1/10   disabled   protect               permanent       1
1/1/11   disabled   protect               permanent       1
1/1/12   disabled   protect               permanent       1
1/2/1    disabled   protect               permanent       1
1/2/2    disabled   protect               permanent       1
1/3/1     enabled  shutdown     permanent permanent       3
1/3/2    disabled   protect               permanent       1

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us