Extremeware has several methods of MAC address security.

General

The switch generally...
  • Allows data FROM port TO anywhere WHEN data is
    • from a static or dynamic MAC entry on the port
    • from a MAC not yet learned, and the port's [(mac address learning limit) - (learned mac addresses)] > 0
  • Sends data FROM anywhere TO port WHEN data is
    • broadcast
    • destined to a static or dynamic MAC entry on the port
    • destined to a non-broadcast, non-blackholed MAC address that the switch does not 'know' (flooded to all ports)

Dynamic (per port)

The number of MAC addresses that can be learned at one time per port is limited. After a certain (set) time, the MAC address is expired.
>configure ports [<portlist> vlan <vlanname> | all] limit-learning <number>
where 0 <= number <= 500000

(default behaviour)
>configure ports [<portlist> vlan <vlanname> | all] unlimited-learning

If FDB aging time is set to 0, then learned addresses are considered non-permanent static and are never aged out.
>configure fdb agingtime 0
You may also want to enable syslog/SNMP traps when limits have been exceeded:
>enable snmp traps mac-security

Dynamic entries are expired once the port changes state. This is useful in limiting NUMBER OF MACHINES per port only.

If using ESRP, check Pg 255 of Docs for warnings.

Static (per port)

On activation, lock-learning converts any dynamic FDB entries on that port to 'locked static entries' and disables learning. Data is persistent across reboots.

If a MAC matching a static entry is detected on another port, it is blackholed.
>configure ports [<portlist> vlan <vlanname> | all] lock-learning

>configure ports [<portlist> vlan <vlanname> | all] unlock-learning
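The forwarding, learning-limit and lock-learning rules from the General, Dynamic and Static sections, as an added Python model (not ExtremeWare code and not from the page's author). Class and method names (Fdb, ingress, lock_learning, link_change), the constructed sample MAC addresses, and the handling of a MAC that moves between ports are assumptions of this model; the notes do not cover the last case.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    limit: Optional[int] = None   # None models unlimited-learning; int models limit-learning <number>
    locked: bool = False          # True after lock-learning
    learning: bool = True         # False after 'disable learning ports' (permanent mode)


@dataclass
class Fdb:
    """Toy model of the per-port MAC security behaviour described in the notes (assumption)."""
    ports: dict
    dynamic: dict = field(default_factory=dict)    # mac -> port, learned entries
    static: dict = field(default_factory=dict)     # mac -> port, locked or manually added entries
    blackholed: set = field(default_factory=set)
    events: list = field(default_factory=list)     # stands in for syslog / snmp mac-security traps

    def learned_on(self, port):
        return sum(1 for p in self.dynamic.values() if p == port)

    def can_learn(self, port):
        p = self.ports[port]
        if not p.learning or p.locked:
            return False
        return p.limit is None or (p.limit - self.learned_on(port)) > 0

    def ingress(self, src, dst, port):
        """Handle a frame arriving on `port`; return the ports it is forwarded to ([] = dropped)."""
        if src in self.blackholed:
            return []
        if src in self.static:
            if self.static[src] != port:
                # a MAC matching a static entry seen on another port is blackholed
                self.blackholed.add(src)
                self.events.append(f"blackhole {src}: static on {self.static[src]}, seen on {port}")
                return []
        elif self.dynamic.get(src) != port:
            # not known on this port: admitted only if the port still has learning headroom
            if not self.can_learn(port):
                self.events.append(f"limit exceeded on {port}: {src} not learned")
                return []
            self.dynamic.pop(src, None)   # assumption: a moving MAC is relearned on the new port
            self.dynamic[src] = port
        return self.egress(dst, port)

    def egress(self, dst, ingress_port):
        if dst == BROADCAST:
            return sorted(p for p in self.ports if p != ingress_port)
        if dst in self.blackholed:
            return []
        for table in (self.static, self.dynamic):
            if dst in table:
                return [table[dst]] if table[dst] != ingress_port else []
        # unknown unicast: flooded to every other port
        return sorted(p for p in self.ports if p != ingress_port)

    def lock_learning(self, port):
        """lock-learning: dynamic entries on the port become locked static entries, learning stops."""
        for mac, p in list(self.dynamic.items()):
            if p == port:
                self.static[mac] = self.dynamic.pop(mac)
        self.ports[port].locked = True

    def disable_learning(self, port):
        """disable learning ports: permanent mode, entries are added by hand with add_static."""
        self.ports[port].learning = False

    def add_static(self, mac, port):
        self.static[mac] = port

    def link_change(self, port):
        """A port state change expires that port's dynamic entries."""
        for mac, p in list(self.dynamic.items()):
            if p == port:
                del self.dynamic[mac]


def demo():
    # constructed sample topology and MACs (documentation range 00:00:5e:00:53:xx)
    fdb = Fdb(ports={"1": Port(limit=1), "2": Port(), "3": Port()})
    a, b, c = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    out = {}
    out["a_flooded"] = fdb.ingress(a, BROADCAST, "1")     # a learned on port 1, broadcast flooded
    out["b_over_limit"] = fdb.ingress(b, BROADCAST, "1")  # port 1 limit is 1: b is not learned
    out["c_learned_2"] = fdb.ingress(c, a, "2")           # c learned on port 2, a known on port 1
    fdb.lock_learning("2")
    out["c_static"] = fdb.static.get(c)                   # c is now a locked static entry on port 2
    out["c_spoof"] = fdb.ingress(c, a, "3")               # c seen on port 3: blackholed
    out["to_c_dropped"] = fdb.ingress(a, c, "1")          # traffic to a blackholed MAC is dropped
    fdb.link_change("1")
    out["a_after_link"] = a in fdb.dynamic                # port state change expired a
    out["events"] = fdb.events
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `events` list is where a real deployment would look for the mac-security traps enabled with `enable snmp traps mac-security`: both the over-limit drop on port 1 and the blackholing of the locked MAC show up there.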

Need to find out: what happens if a port is in lock-learning but doesn't know any MAC addresses?

(We probably want to use this)

Permanent (per port)

Learning is disabled completely. MAC addresses must be manually added/removed from ports.
>disable learning ports <portlist>

(We might want to use this)

Mac based VLANs

Each MAC address is associated with a VLAN regardless of which port it is on. MAC addresses that are not associated with a VLAN are put on the default VLAN. MAC address sets can be downloaded by TFTP from configuration servers.
>configure download server [primary|secondary] [<ipaddress>|<hostname>] <filename>

  • Only one MAC per port
  • Cannot be combined with static/tagged/etc. VLANs on that port


>enable mac-vlan mac-group [ any | <mac-group-number> ] ports <port range>
(allow only MACs in <mac-group-number> to use ports <port range>)


>configure mac-vlan add mac-address <mac-address> mac-group <mac-group-number> <vlanname>
(set MAC <mac-address> to vlan <vlanname> allowing it to use ports permitted in <mac-group-number>)
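The combined effect of the two mac-vlan commands above, as an added Python model (not ExtremeWare code and not from the page's author): a MAC is placed on its configured VLAN only on ports enabled for its mac-group (or for `any`), an unassociated MAC lands on the default VLAN, and a port holds only one MAC. The class and method names, the VLAN names and the sample MACs are constructed for this example; the default VLAN name is assumed.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_VLAN = "Default"   # assumption: name of the default VLAN


@dataclass
class MacVlan:
    members: dict = field(default_factory=dict)      # mac -> (mac_group, vlan), from 'configure mac-vlan add'
    port_groups: dict = field(default_factory=dict)  # port -> mac_group or "any", from 'enable mac-vlan mac-group'
    active: dict = field(default_factory=dict)       # port -> mac currently on it (one MAC per port)

    def add_mac(self, mac, group, vlan):
        self.members[mac] = (group, vlan)

    def enable_ports(self, ports, group):
        for p in ports:
            self.port_groups[p] = group

    def classify(self, mac, port) -> Optional[str]:
        """VLAN the MAC is placed on when it appears on `port`, or None if it is refused."""
        if port not in self.port_groups:
            return None                      # mac-vlan not enabled on this port
        holder = self.active.get(port)
        if holder is not None and holder != mac:
            return None                      # only one MAC per mac-vlan port
        group, vlan = self.members.get(mac, (None, DEFAULT_VLAN))
        allowed = self.port_groups[port]
        if allowed != "any" and group != allowed:
            return None                      # MAC is not in the group permitted on this port
        self.active[port] = mac
        return vlan


def demo():
    mv = MacVlan()
    mv.enable_ports(["1", "2"], 10)          # ports 1-2 admit only mac-group 10
    mv.enable_ports(["3", "4"], "any")       # ports 3-4 admit any MAC
    mv.add_mac("00:00:5e:00:53:0a", 10, "Staff")
    mv.add_mac("00:00:5e:00:53:0b", 20, "Guests")
    return {
        "staff_on_1": mv.classify("00:00:5e:00:53:0a", "1"),    # placed on Staff
        "guest_on_1": mv.classify("00:00:5e:00:53:0b", "1"),    # refused: wrong mac-group
        "guest_on_3": mv.classify("00:00:5e:00:53:0b", "3"),    # placed on Guests
        "second_on_3": mv.classify("00:00:5e:00:53:0c", "3"),   # refused: port 3 already holds a MAC
        "unknown_on_4": mv.classify("00:00:5e:00:53:0c", "4"),  # unassociated MAC: default VLAN
        "unknown_on_2": mv.classify("00:00:5e:00:53:0c", "2"),  # refused: not in group 10
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```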

(We might want to use this too...)

ASIDE: interesting ~>network login

  • Requires users to authenticate by web or 802.1x before they are placed on the proper VLAN (Pg256)
  • Requires RADIUS supporting EAP, User/Pass authentication, and VSA

-- SevernTsui - 24 Aug 2004

Topic revision: r3 - 2013-02-22 - DrewPilcher