I am reading about "port MAC security" in the Fastiron Security Guide. We may choose to use this instead of full blown 802.1x auth on all ICX end-user access ports.
It is not clear to me though - MACSec appears to be a separate licensed feature, And is only supported on 7450 and better devices. Does this apply to Port MAC Security as well? Or is this available on all ICX switches? (we have mostly 7150)
Also, it looks like this is something that is either enabled or disabled on the switch... not something that is enabled or disabled per port? If this is the case, and I have a switch with APs connected to it... how would that work? If I say that there is a maximum number of 4 secure MAC addresses (local resources). If I have an AP connected to a port on that switch... the AP will have a few MAC addresses on its own, and then there are the MAC addresses of any clients that connect to wireless networks, etc.
They are two separate, independent features. Port Mac Security basically let's you set up a limit on the number of mac addresses allowed on a port along with actions if you exceed those specified limits. You will not need a license for this feature.
Macsec is basically point-to-point encryption on links and does indeed require a license.
I don't think you would use either of these on an AP port as you could be learning a very high amount of mac-addresses on the respective switchport due to wireless clients.
Let me know if that makes sense and if you have any additional questions/concerns.
Ben Beck, RCNA, RCNI, Principal Technical Support Engineer support.ruckuswireless.com/contact-us
On the other hand, there is also port MAC security (PMS) feature, that allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only those packets with source MAC addresses that match these secure addresses.
If it is configured globally initially, can more specific settings then be configured explicitly on a port?
I ask since I think a basic setting with "protect" and 3 or 4 secure mac addresses would work for the majority of our access ports... but there will be some exceptions (where small desktop switches exist, printers, etc.)
If it can't be done with a global setting along with custom settings for specific ports, is there a way to do range programming? like, to enable it for all ethernet interfaces 1/1/1 to 1/1/48, 2/1/1 to 2/1/48 , etc.?