Chapter 7: client security, Configuring port security, Client security – Edge Products ES3528-WDM User Manual

7-1

Chapter 7: Client Security

This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses (either by freezing a set of dynamically
learned entries or through static configuration), or by statically configured MAC/IP
address pairs. The addresses assigned to DHCP clients can also be carefully
controlled using static or dynamic bindings with the IP Source Guard and DHCP
Snooping commands.

This switch provides client security using the following options:

• Private VLANs – Provide port-based security and isolation between ports within the

assigned VLAN. (See “Configuring Private VLANs” on page 12-17.)

• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.

(See “Configuring 802.1X Port Authentication” on page 6-13.)

• Port Security – Configure secure addresses for individual ports.
• IP Source Guard

5

– Filters untrusted DHCP messages on unsecure ports by

building and maintaining a DHCP snooping binding table. (See “IP Source Guard
Commands” on page 22-3.)

• DHCP Snooping

5

– Filters IP traffic on unsecure ports for which the source address

cannot be identified via DHCP snooping nor static source bindings. (See “DHCP
Snooping Commands” on page 22-7.)

Configuring Port Security

Port security is a feature that allows you to configure a switch port with one or more
device MAC addresses that are authorized to access the network through that port.

When port security is enabled on a port, the switch stops learning new MAC
addresses on the specified port when it has reached a configured maximum
number. Only incoming traffic with source addresses already stored in the dynamic
or static address table will be accepted as authorized to access the network through
that port. If a device with an unauthorized MAC address attempts to use the switch
port, the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.

To use port security, specify a maximum number of addresses to allow on the port
and then let the switch dynamically learn the <source MAC address, VLAN> pair for
frames received on the port. Note that you can also manually add secure addresses
to the port using the Static Address Table (page 10-1). When the port has reached
the maximum number of MAC addresses the selected port will stop learning. The

5. These functions can only be configured through the Command Line Interface.