Port Security

The device allows you to configure each port to help prevent unauthorized access. Depending on your selection, the device checks the MAC address or the IP address of the connected device.

If the device receives data packets at a port from an undesired sender, it performs the action defined for the port, e.g. send trap, disable port or auto-disable.

In the “Configuration” frame, you set whether the port security works with MAC or with IP addresses.

Tab. Configuration of port security globally for all ports

Name

Meaning

MAC-Based Port Security

Check source MAC address of the received data packet.

IP-Based Port Security

IP-Based Port Security internally relies on MAC-Based Port Security.
Principle of operation:
When you configure the function, the device translates the entered source IP address into the respective MAC address. In operation, it checks the source MAC address of the received data packet against the internally stored MAC address.


Set the individual parameters for each port in the port table.

With MAC-based port security, the device allows you either to define the permitted MAC addresses specifically or record the MAC addresses automatically.

With automatic recording, the device “learns” the MAC addresses of the sender by evaluating the received data packets. When the user-defined upper limit has been reached, the device performs the specified action.

Compared with the specific definition of MAC addresses, the automatic recording gives you the advantage of being able to replace the connected terminal devices at any time without having to modify the MAC address list in the device.

Tab. Configuration of port security for a single port

Name

Meaning

“Port”

Port identification using module and port numbers of the device, e.g. 2.1 for port one of module two.

Port Status

enabled: Port is switched on and transmitting.

disabled: Port is switched off and not transmitting.

The port is switched on if
- an authorized address accesses the port
or
- an unauthorized address attempts to access the port and trapOnly or none is selected under “Action”.

The port is switched off if
- an unauthorized address attempts to access the port and portDisable is selected under “Action”.

Allowed MAC Addresses

MAC addresses of the devices with which you allow data exchange on this port.

The graphical user interface allows you to enter up to 50 MAC addresses, each separated by a space. After each MAC address you can enter a slash followed by a number identifying an address area. This number, between 2 and 47, indicates the number of relevant bits. Example:
00:80:63:01:02:00/40 stands for
00:80:63:01:02:00 to 00:80:63:01:02:FF
or
00:80:63:00:00:00/24 stands for
00:80:63:00:00:00 to 00:80:63:FF:FF:FF

If there is no entry, any number of devices can communicate via this port.

Current MAC Address

Shows the MAC address of the device from which the port last received data. The graphical user interface allows you to copy an entry from the “Current MAC Address” column into the “Allowed MAC Addresses” column by dragging and dropping with the mouse button.

Allowed IP Addresses

IP addresses of the devices with which you allow data exchange on this port.

The graphical user interface allows you to enter up to 10 IP addresses, each separated by a space.

If there is no entry, any number of devices can communicate via this port.

“Dynamic Limit”

Specifies the upper limit for the number of automatically recorded senders. When the upper limit is reached, the device performs the action defined in the “Action” column.

Possible values:

  • 0 or – (default setting: –)

    Deactivates the automatic recording of the senders on this port.

  • 1..50

    Upper limit for the automatic recording of senders. Adjust the value to the number of expected senders. In this way you make MAC flooding attacks more difficult.

“Dynamic Count”

Shows how many senders the device has automatically recorded.

Action

Action performed by the device after an unauthorized access.

Possible values:

  • none (default setting)

    No action.

  • trapOnly

    Send alarm.

  • portDisable

    Disables the port. Then the port LED on the device blinks green 3 times per period.

    The device re-enables the port when you have defined the following settings in the Diagnostics:Ports:Auto Disable dialog:

    • In the “Configuration” frame, the checkbox for the “Port Security” triggering event is marked.

    • The reset timer is defined > 0 for the port.

  • autoDisable

    Disables the port depending on the settings in the Diagnostics:Ports:Auto Disable dialog, “Configuration” frame.

    • The device disables the port when the checkbox for the “Port Security” triggering event is marked. Then the port LED on the device blinks green 3 times per period.

      The device re-enables the port when the reset timer is defined > 0 for the port in the Diagnostics:Ports:Auto Disable dialog.

    • The port remains enabled when the checkbox for the “Port Security” triggering event is unmarked.

Note: Prerequisites for the device to be able to send an alarm (trap):
  • You have entered at least one recipient
  • You have selected at least one recipient in the “Active” column
  • In the “Selection” frame, you have selected “Port Security”

Note: The IP port security operates internally on layer 2. The device internally translates an allowed IP address into an allowed MAC address when you enter the IP address. An ARP request is used for this.
Prerequisites for the IP-based port security:
  • If you have entered a router interface as the allowed IP address, all the packets sent from this interface are considered allowed, since they contain the same MAC source address.
  • If a connected device sends packets with the allowed IP address but a different MAC address, the Switch denies this data traffic.
  • If you replace the device with the allowed IP address with a different one having the same IP address, enter the IP address in the Switch again so that the Switch can learn the new MAC address.
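
As an added illustration (not from the device documentation), the following Python models the port-table logic described above: “Allowed MAC Addresses” entries with an optional /bits mask, automatic recording up to the “Dynamic Limit”, and the none / trapOnly / portDisable actions. The class and function names are my own, and the decision order (a configured address list takes precedence over automatic recording) is an assumption; autoDisable is left out because it depends on the Auto Disable dialog.

```python
from dataclasses import dataclass, field

def mac_to_int(mac: str) -> int:
    """Colon-separated MAC address (the form shown in the port table) -> 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def parse_rule(entry: str) -> tuple:
    """Parse one 'Allowed MAC Addresses' entry such as '00:80:63:01:02:00/40'.
    Returns (address, prefix_bits); without a slash the whole address must match."""
    addr, _, bits = entry.partition("/")
    bits = int(bits) if bits else 48
    if not 1 <= bits <= 48:
        raise ValueError(f"mask out of range: {entry}")
    return mac_to_int(addr), bits

def mac_allowed(rules: list, mac: str) -> bool:
    """True if the first `bits` bits of the source MAC equal those of any rule."""
    value = mac_to_int(mac)
    return any(value >> (48 - b) == a >> (48 - b) for a, b in rules)

@dataclass
class PortSecurity:
    """Hypothetical model of one row of the port table (not the device's code)."""
    allowed: list = field(default_factory=list)  # parsed rules; empty = no restriction
    dynamic_limit: int = 0                       # 0 deactivates automatic recording
    action: str = "none"                         # none | trapOnly | portDisable
    learned: set = field(default_factory=set)    # "Dynamic Count" is len(learned)
    enabled: bool = True                         # "Port Status"
    traps: list = field(default_factory=list)    # alarms sent for trapOnly

    def receive(self, src_mac: str) -> str:
        """Decide what happens to one frame arriving at the port."""
        if not self.enabled:
            return "dropped"                     # portDisable already switched the port off
        if self.allowed:                         # specific definition of MAC addresses
            ok = mac_allowed(self.allowed, src_mac)
        elif self.dynamic_limit:                 # automatic recording ("learning")
            if src_mac not in self.learned and len(self.learned) < self.dynamic_limit:
                self.learned.add(src_mac)
            ok = src_mac in self.learned
        else:
            ok = True                            # no entry: any number of devices
        if ok:
            return "forwarded"
        if self.action == "trapOnly":
            self.traps.append(src_mac)           # send alarm; the port stays switched on
        elif self.action == "portDisable":
            self.enabled = False                 # switched off until Auto Disable re-enables it
        return f"violation:{self.action}"
```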

Buttons

Tab. Buttons (continued)

Button

Meaning

“Set”

Transfers the changes to the volatile memory (RAM) of the device. To permanently save the changes, open the Basic Settings:Load/Save dialog, select the location to save the configuration, and click “Save”.

“Reload”

Updates the fields with the values that are saved in the volatile memory (RAM) of the device.

“Wizard”

Opens the “Wizard”.

With the “Wizard” you assign the permitted MAC addresses to a port.

“Help”

Opens the online help.


Wizard – Select Port

The “Wizard” helps you to connect the device ports with one or more desired senders.

Tab. Wizard in the Security:Port Security dialog, “Select Port” page (continued)

Parameters

Meaning

“Select Port”

Defines the device port that you assign to the sender in the next step.


Wizard – Addresses

The “Wizard” helps you to connect the device ports with one or more desired senders. When you have defined the settings, click “Finish”. To save the changes afterwards, click “Set” in the Security:Port Security dialog.

Tab. Wizard in the Security:Port Security dialog, “Addresses” page (continued)

Parameters

Meaning

“Allowed MAC Addresses”

Lists the MAC Addresses allowed access to the port.

Possible values:

  • Valid Unicast MAC addresses

Click “Add” to transfer the MAC address to the “Allowed MAC Addresses” field.

“MAC Address”

Defines the MAC address allowed access to the port.

Possible values:

  • Valid Unicast MAC address

    Enter the value in one of the following formats:

    • without a separator, e.g. 001122334455

    • separated by spaces, e.g. 00 11 22 33 44 55

    • separated by colons, e.g. 00:11:22:33:44:55

    • separated by hyphens, e.g. 00-11-22-33-44-55

    • separated by points, e.g. 00.11.22.33.44.55

    • separated by points after every 4th character, e.g. 0011.2233.4455

Click “Add” to transfer the MAC address to the “Allowed MAC Addresses” field.

“Mask”

Defines the number of significant bits in the MAC address range.

Possible values:

  • 1..48

Use this field to indicate the number of significant bits, as with CIDR notation. For example, 00:11:22:33:44:00/40 indicates that the port allows devices with a MAC address matching the first 5 groups of hexadecimal digits to access the network.

“Add”

Transfers the values specified in the “MAC Address” fields to the “Allowed MAC Addresses” field.

“Remove”

Removes the entries selected in the “Allowed MAC Addresses” field.
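
Added example (not part of the original documentation) covering the six input formats the “MAC Address” field accepts, the unicast requirement, and how a masked entry such as 00:80:63:01:02:00/40 expands to the address range given earlier on this page; the function names are my own.

```python
import re

# Separators the Wizard's “MAC Address” field accepts (see the list above): none,
# space, colon, hyphen, point, or a point after every 4th character. Stripping all
# of them also tolerates a mixture, which is more lenient than the dialog itself.
_SEPARATORS = re.compile(r"[ :.\-]")

def normalize_mac(text: str) -> str:
    """Return the canonical colon-separated form of a MAC address entered in any
    of the six formats, or raise ValueError if it is not a valid unicast address."""
    digits = _SEPARATORS.sub("", text.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    if int(digits[:2], 16) & 0x01:       # I/G bit set: group (multicast/broadcast) address
        raise ValueError(f"not a unicast MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mask_range(entry: str) -> tuple:
    """Expand an 'Allowed MAC Addresses' entry with a mask (1..48 significant bits)
    into the (first, last) address it covers, as the page's /40 and /24 examples do."""
    addr, _, bits = entry.partition("/")
    bits = int(bits) if bits else 48     # no mask: the entry covers exactly one address
    if not 1 <= bits <= 48:
        raise ValueError(f"mask out of range: {entry}")
    base = int(normalize_mac(addr).replace(":", ""), 16)
    host = (1 << (48 - bits)) - 1        # the bits the mask leaves unchecked

    def fmt(value: int) -> str:
        s = f"{value:012X}"
        return ":".join(s[i:i + 2] for i in range(0, 12, 2))

    return fmt(base & ~host), fmt(base | host)
```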


Wizard – Action

This dialog defines the actions that the device performs in the event of unauthorized access to the port.

Tab. Wizard in the Security:Port Security dialog, “Action” page (continued)

Name

Meaning

Action

Action performed by the device after an unauthorized access.

Possible values:

  • none (default setting)

    No action.

  • trapOnly

    Send alarm.

  • portDisable

    Disables the port. Then the port LED on the device blinks green 3 times per period.

    The device re-enables the port when you have defined the following settings in the Diagnostics:Ports:Auto Disable dialog:

    • In the “Configuration” frame, the checkbox for the “Port Security” triggering event is marked.

    • The reset timer is defined > 0 for the port.

  • autoDisable

    Disables the port depending on the settings in the Diagnostics:Ports:Auto Disable dialog, “Configuration” frame.

    • The device disables the port when the checkbox for the “Port Security” triggering event is marked. Then the port LED on the device blinks green 3 times per period.

      The device re-enables the port when the reset timer is defined > 0 for the port in the Diagnostics:Ports:Auto Disable dialog.

    • The port remains enabled when the checkbox for the “Port Security” triggering event is unmarked.

Note: Prerequisites for the device to be able to send an alarm (trap):
  • You have entered at least one recipient
  • You have selected at least one recipient in the “Active” column
  • In the “Selection” frame, you have selected “Port Security”

After closing the Wizard, click “Set” to save your settings.

Buttons

Tab. Buttons (continued)

Button

Meaning

“Back”

Displays the previous page again. Changes are lost.

“Next”

Saves the changes and opens the next page.

“Finish”

Saves the changes and completes the configuration.

“Cancel”

Closes the Wizard. Changes are lost.