cancel
Showing results for 
Search instead for 
Did you mean: 

Port MAC Security Question

david_levine
New Contributor III

I am reading about "port MAC security" in the Fastiron Security Guide. We may choose to use this instead of full blown 802.1x auth on all ICX end-user access ports.

It is not clear to me though - MACSec appears to be a separate licensed feature, And is only supported on 7450 and better devices. Does this apply to Port MAC Security as well? Or is this available on all ICX switches? (we have mostly 7150)

Also, it looks like this is something that is either enabled or disabled on the switch... not something that is enabled or disabled per port? If this is the case, and I have a switch with APs connected to it... how would that work? If I say that there is a maximum number of 4 secure MAC addresses (local resources). If I have an AP connected to a port on that switch... the AP will have a few MAC addresses on its own, and then there are the MAC addresses of any clients that connect to wireless networks, etc.

How would this be handled?

Thanks, 

2 ACCEPTED SOLUTIONS

BenBeck
Moderator
Moderator

Hey David, 

They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.

Macsec is basically point-to-point encryption on links and does indeed require a license. 

I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients. 

Let me know if that makes sense and if you have any additional questions/concerns. 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

View solution in original post

Orlando_Elias
RUCKUS Team Member

Hello David, 

MACsec is a separate feature that encrypts point-to-point communication on a layer 2 basis.

I think you're looking for mac-authentication that can be enabled per port on any of the ICX models and authenticates the end user's mac-address against an authenticating server as RADIUS.

Here you can find the guide:
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-98B6424C-B7ED-4CA2-80B2-C35...

On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.

Here the guide:

https://docs.commscope.com/bundle/fastiron-08092-securityguide/page/GUID-B9D5C5CA-0C1A-4D03-9D7B-CE2...

Please let me know if this information has been useful.

With regards,
--
Orlando Elias
Technical Support

View solution in original post

7 REPLIES 7

Ok cool - so it can be configured per port. 

If it is configured globally initially, can more specific settings then be configured explicitly on a port?

I ask since I think a basic setting with "protect" and 3 or 4 secure mac addresses would work for the majority of our access ports... but there will be some exceptions (where small desktop switches exist, printers, etc.)

If it can't be done with a global setting along with custom settings for specific ports, is there a way to do range programming? like, to enable it for all ethernet interfaces 1/1/1 to 1/1/48, 2/1/1 to 2/1/48 , etc.?

Thanks,

D

Hey David, 

Yes, port-level settings supersede global settings so you can surely do that. 

Also, you can do port ranges to apply settings to multiple ports. Example:

SSH@ICX(config)#interface ethernet 1/1/1 to 1/1/12
SSH@ICX(config-mif-1/1/1-1/1/12)#port security
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#maximum 99
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#violation restrict
SSH@ICX(config-port-security-mif-1/1/1-1/1/12)#enable

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

Excellent - thanks so much!