2 port-based network access control, Sec. 13.2 – Westermo RedFox Series User Manual

Westermo OS Management Guide

Version 4.17.0-0

In WeOS the operator has the flexibility to select which addresses in the
224.0.0.X range to forward on a LAN, by adding filters for the corresponding
multicast MAC address. The factory default configuration includes MAC
filters for some of the most common multicast addresses in the 224.0.0.X
range, which are then forwarded onto all ports even if IGMP snooping is
enabled.

When specifying the destination port list in a MAC filter, one can specify
both regular Ethernet (and DSL) ports and the internal CPU port(s) of the switch.
The latter is used if the multicast packet should be processed by the switch itself.

13.2 Port-based network access control

WeOS supports port-based network access control (PNAC). This security feature
is used to stop unauthorised PCs or other equipment from accessing the network.
Authentication is required to gain access. WeOS provides two authentication
methods: IEEE 802.1X and MAC based authentication.

Ports with access control enabled (i.e., controlled ports) will by default be "blocked"
for incoming traffic. Only when a connected device has successfully authenticated
itself will it be allowed/authorised to send data through the port. Packets
from unauthorised devices are still dropped, i.e., only packets with a source MAC
address of devices authorised via 802.1X or MAC authentication are allowed.

Incoming broadcast and multicast packets from unauthorised devices will also be
blocked. Outgoing broadcast and multicast packets will, however, not be blocked
and are sent out as usual on controlled ports. IGMP joining of multicast groups will
not work for unauthorised clients, as incoming IGMP join messages are dropped
until the client is granted access.

In WeOS, port-based network access control is managed per VLAN. Enabling access
control on a VLAN implies that all untagged ports on that VLAN are subject
to access control by default. Often some or a few ports need to be excluded from
access control, e.g., ports connected to a server, uplink ports (towards Internet),
and VLAN trunk ports. These ports can be excluded by a special configuration
option in the CLI "except-auth" (see section 13.4.17) or in the web GUI (see
section 13.3.5).
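As an added illustration (not WeOS code), the following Python model encodes the controlled-port rules described above: per-VLAN access control, except-auth exclusion, per-port authorised MACs, and the blocking of incoming unicast, broadcast and multicast (including IGMP joins) from unauthorised devices while outgoing traffic passes. VLAN 10, port numbers and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    untagged_ports: set
    access_control: bool = False                    # PNAC enabled on this VLAN
    except_auth: set = field(default_factory=set)   # ports excluded ("except-auth")


@dataclass
class Switch:
    vlans: dict                                     # vid -> Vlan
    authorised: dict = field(default_factory=dict)  # port -> set of authorised MACs

    def is_controlled(self, port):
        """Untagged in a PNAC VLAN and not listed as except-auth => controlled port."""
        return any(v.access_control and port in v.untagged_ports
                   and port not in v.except_auth for v in self.vlans.values())

    def authorise(self, port, mac):
        """Record a successful 802.1X or MAC authentication on a port."""
        self.authorised.setdefault(port, set()).add(mac.lower())

    def ingress(self, port, src_mac, dst_mac):
        """Return (forward, reason) for a frame entering the switch on `port`."""
        if not self.is_controlled(port):
            return True, "port not subject to access control"
        if src_mac.lower() in self.authorised.get(port, set()):
            return True, "source MAC authorised"
        # I/G bit of the first octet set => multicast (or broadcast) destination;
        # this is where an unauthorised client's IGMP join is dropped.
        if int(dst_mac.split(":")[0], 16) & 1:
            return False, "unauthorised source: broadcast/multicast dropped"
        return False, "unauthorised source: unicast dropped"

    def egress(self, port, dst_mac):
        """PNAC never blocks outgoing frames, broadcast and multicast included."""
        return True, "outgoing traffic is not blocked on controlled ports"


def build_demo_switch():
    """Constructed topology: VLAN 10 with PNAC on ports 1-3; port 3 is the uplink."""
    vlan = Vlan(vid=10, untagged_ports={"1", "2", "3"},
                access_control=True, except_auth={"3"})
    return Switch(vlans={10: vlan})
```

Authorisation is tracked per port, so a MAC authenticated on port 1 is still blocked if it appears on port 2.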

© 2015 Westermo Teleindustri AB

279
