Chapter 14: Setting MAC Address-based Port Security

Overview

This feature lets you control access to the ports on the switch based on the source MAC addresses of the network devices. You specify the maximum number of source MAC addresses that ports can learn. Ports that learn their maximum number of addresses discard packets that have new, unknown addresses, preventing access to the switch by any additional devices.

For example, if you configure port 3 on the switch to learn five source MAC addresses, the port learns up to five addresses and forwards the ingress packets of the devices that belong to those addresses. If the port receives ingress packets that have source MAC addresses other than the five it has already learned, it discards those packets to prevent the devices from passing traffic through the switch.

Static Versus Dynamic Addresses

The MAC addresses that the ports learn can be stored as either static or dynamic addresses in the MAC address table in the switch. Ports that store the addresses as static addresses do not learn new addresses after they have learned their maximum number. In contrast, ports that store the addresses as dynamic addresses can learn new addresses when addresses are timed out from the table by the switch. The addresses are aged out according to the aging time of the MAC address table.

Intrusion Actions

The intrusion actions define what the switch does when ports that have learned their maximum number of MAC addresses receive packets that have unknown source MAC addresses. Intrusion actions are also called violation actions. The possible settings are:

Protect - Ports discard those frames that have unknown MAC addresses. No other action is taken. For example, if port 14 is configured to learn 18 addresses, it starts to discard packets with unknown source MAC addresses after learning 18 MAC addresses.

Restrict - This is the same as the protect action, except that the switch sends SNMP traps when the ports discard frames. For example, if port 12 is configured to learn two addresses, the switch sends a trap every time the port, after learning two addresses, discards a packet that has an unknown MAC address.

Shutdown - The switch disables the ports and sends SNMP traps. For example, if port 5 is configured to learn three MAC addresses and receives a packet with an unknown source MAC address after it has learned three addresses, the switch disables the port to prevent it from forwarding any further traffic. The switch also sends an SNMP trap.
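The port behaviour described in this section, as an added example that is not part of the manual and not Allied Telesis code: a small Python model of one port that learns up to its configured number of source MAC addresses, stores them as static or dynamic (aged) entries, and applies the protect, restrict or shutdown action to frames from unknown sources. The aging time of 300 seconds, the port numbers, the address limits and the MAC addresses are constructed for the example and are not taken from any switch configuration.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class Port:
    """One switch port with MAC address-based port security enabled (model only)."""
    number: int
    max_addresses: int           # maximum source MAC addresses the port may learn
    action: str = PROTECT        # intrusion (violation) action
    dynamic: bool = False        # False: static entries; True: entries age out
    aging_time: int = 300        # MAC table aging time in seconds (assumed value)
    learned: dict = field(default_factory=dict)  # mac -> last time it was seen
    enabled: bool = True
    traps: list = field(default_factory=list)    # SNMP traps the switch would send

    def _age_out(self, now):
        """Dynamic entries not seen within aging_time are removed from the table."""
        if not self.dynamic:
            return
        for mac in [m for m, seen in self.learned.items() if now - seen > self.aging_time]:
            del self.learned[mac]

    def ingress(self, src_mac, now):
        """Process one ingress frame; return 'forward' or 'discard'."""
        if not self.enabled:
            return "discard"           # a shut-down port passes nothing
        self._age_out(now)
        mac = src_mac.lower()
        if mac in self.learned:        # known source: refresh and forward
            self.learned[mac] = now
            return "forward"
        if len(self.learned) < self.max_addresses:   # room left: learn it
            self.learned[mac] = now
            return "forward"
        # Table is full and the source is unknown: this is a violation.
        if self.action == RESTRICT:
            self.traps.append(f"port {self.number}: discarded frame from {mac}")
        elif self.action == SHUTDOWN:
            self.enabled = False
            self.traps.append(f"port {self.number}: disabled, unknown source {mac}")
        return "discard"


def run_frames(port, frames):
    """Feed (src_mac, timestamp) pairs to a port; return the list of decisions."""
    return [port.ingress(mac, t) for mac, t in frames]


# Constructed sample traffic: two authorised hosts, then a third, unknown one.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
SAMPLE = [(HOST_A, 0), (HOST_B, 0), (HOST_C, 100), (HOST_A, 200), (HOST_C, 400)]


def demo_restrict():
    """Port 12, two addresses, restrict: discards unknown sources and sends a trap per discard."""
    port = Port(number=12, max_addresses=2, action=RESTRICT)
    return run_frames(port, SAMPLE), len(port.traps)


def demo_shutdown():
    """Port 5, three addresses, shutdown: the first unknown source disables the port."""
    port = Port(number=5, max_addresses=3, action=SHUTDOWN)
    hosts = [("00:00:5e:00:53:01", 0), ("00:00:5e:00:53:02", 0),
             ("00:00:5e:00:53:03", 0), ("00:00:5e:00:53:04", 1),
             ("00:00:5e:00:53:01", 2)]
    return run_frames(port, hosts), port.enabled, len(port.traps)


def demo_dynamic_aging():
    """Same traffic as the restrict case, but with dynamic entries: once an entry
    has aged out, the port has room to learn the third host."""
    port = Port(number=3, max_addresses=2, action=PROTECT, dynamic=True)
    return run_frames(port, SAMPLE), sorted(port.learned)


if __name__ == "__main__":
    print("restrict:", demo_restrict())
    print("shutdown:", demo_shutdown())
    print("dynamic :", demo_dynamic_aging())
```

The three demo functions follow the section's own examples: with static entries the third host stays locked out (and restrict raises a trap for every discarded frame), shutdown disables the port on the first violation so that even the authorised hosts are cut off, and with dynamic entries the host that has been silent longer than the aging time drops out of the table, which is what lets a new device in.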


AT-9000/52, AT-9000/28SP, AT-9000/28 specifications

The Allied Telesis AT-9000/28 is a versatile and robust network switch designed for organizations seeking to enhance their networking capability. This Layer 2 managed switch delivers a high degree of performance and reliability, making it an ideal choice for businesses that require a seamless network experience.

One of the main features of the AT-9000/28 is its 28 ports, which include 24 Fast Ethernet ports and 4 Gigabit Ethernet uplink ports. This allows for flexible network configuration and scalability, accommodating both wired and wireless devices efficiently. The switch also supports auto-negotiation and auto-MDI/MDI-X, which simplifies installation and connectivity by automatically detecting and configuring the appropriate settings.

The AT-9000/28 employs advanced switching technologies, such as IEEE 802.1Q VLAN tagging, which enables the segregation of traffic for improved security and performance. This feature is crucial for businesses that require data isolation between different departments or user groups. In addition, the switch supports quality of service (QoS) protocols, allowing for traffic prioritization. This is particularly beneficial for organizations that handle multimedia applications or VoIP services that demand reliable bandwidth.

Another significant characteristic of the AT-9000/28 is its support for port mirroring. This capability is essential for network monitoring and troubleshooting, as it allows administrators to track and analyze network traffic efficiently. Furthermore, the switch supports multiple user authentication methods, including RADIUS and TACACS+, thus enhancing network security.

The AT-9000/28 is built with energy efficiency in mind, featuring Energy Efficient Ethernet (EEE) technology. This reduces power consumption during periods of low traffic without compromising performance, which aids in lowering overall operational costs.

In terms of management, the AT-9000/28 offers versatile management options, including a web-based GUI, Command Line Interface (CLI), and SNMP support. This flexibility enables network administrators to configure, monitor, and troubleshoot the switch easily.

Overall, the Allied Telesis AT-9000/28 is a reliable switch well-suited for a variety of network environments. Its combination of performance, security features, and energy efficiency makes it an excellent choice for organizations looking to optimize their network infrastructure. With robust capabilities and advanced technologies, the AT-9000/28 stands out as a valuable addition to any networking setup.