00.00.00.00.00.0A | Enterasys Networks 2E253, 2H253, 2H252, 2H258

Example 6, Locking a MAC Address to a Port Using Classification Rules

In this example, the AppleTalk traffic is routed only to AppleTalk users (ports 1, 2, 5, and 6), while IP traffic is allowed to be seen by IP users (ports 3, 4, and 7) and by IP/AppleTalk users (ports 1, 2, 5, and 6).

12.17EXAMPLE 6, LOCKING A MAC ADDRESS TO A PORT USING CLASSIFICATION RULES

The following example illustrates how to add security by “locking” an individual MAC address to a port on the SmartSwitch device (S1). This would typically be done to ensure that only a particular device can gain access to the network from a specific port. Traffic received by the switch from any MAC address other than the one assigned to the “locked” port will be discarded.

In this example, illustrated in Figure 12-19, Switch S1 will be configured to lock ports 1 and 2 to the source address 00.00.00.00.00.0A and 00.00.00.00.00.0B of Workstation 1 and 2, respectively.

Figure 12-19 Example 6, Locking Ports According to Classification Rule

Workstation 1

00.00.00.00.00.0A

Locked	Port 1

Ports	Port 2

Workstation 2

00.00.00.00.00.0B

S1

Uplink to Network

30691_76

12.17.1 Solving the Problem

Switch S1 needs to be configured with two 802.1Q VLANs. Since the switch, by default, already has one VLAN created (the Default VLAN), only one new VLAN will need to be created. In this example, the new VLAN will be named the Red VLAN.

12-36VLAN Operation and Network Applications

Image 368

Enterasys Networks 2E253, 2H253, 2H252, 2H258 manual 00.00.00.00.00.0A

Contents

SmartSwitch 2200 Series Page Page Enterasys NETWORKS, INC Program License Agreement Page Page Contents Device Configuration Menu Screens Port Configuration Menu Screens Configuration Menu Screens Layer 3 Extensions Menu Screens Network Tools Screens Generic Attribute Registration Protocol Garp Figures Xiii Xiv Tables Xvi Tables Using this Guide About This Guide Structure of this Guide Xix Related Documents Document Conventions Typographical and Keystroke Conventions Bold typePage Introduction Overview Management Agent Local Management Requirements In-Band vs. Out-of-BandNavigating Local Management Screens Local Management Screen Elements None Defined Event Message Field Display FieldsInput Fields Selection Fields Command Fields Local Management Keyboard Conventions Getting Help Your email addressPage Management Terminal Setup Local Management Requirements 2H252-25R SmartSwitch device is shown in -1as an example Console Cable Connection Management Terminal Setup Parameters VT100ID Monitoring AN Uninterruptible Power Supply Telnet Connections DB9 Port RJ45 COM Port Page Accessing Local Management 802.1Q Switching Mode, LM Screen Hierarchy Using the Exit Command Using the Return CommandSelecting Local Management Menu Screen Items Exiting Local Management Screens Using the Next and Previous Commands Using the Clear Counters CommandPassword Screen When to Use How to Access Screen Example Enter Device Menu Screen Screen Navigation Path Configuration Menu DescriptionsDevice Menu Security NetworkTools Cont’d Section Overview of Security Methods Host Access Control Authentication Haca Overview of Security Methods 14Accessing Local Management 2 802.1X Port Based Network Access Control Definitions of Terms and Abbreviations 2.2 802.1X Security Overview MAC Authentication Overview Authentication Method SelectionAuthentication Method Sequence Concurrent Operation of 802.1X and MAC Authentication MAC 20Accessing Local Management MAC Authentication Control Security Menu Screen Refer to -4for a functional description of each menu item Passwords Name ServicesAuthentication Radius Passwords Screen Module Login Passwords Screen Switch Field Descriptions Setting the Module Login Password Radius Configuration Screen Timeout Retries Last Resort Action/Local Selectable Last Resort Action/Remote ToggleRadius Client IP Address Setting the Last Resort Authentication Setting the Local and Remote Servers Name Services Configuration Screen Name Services Configuration Screen Switch Name Modifiable Name ServicesWeb Authentication Secure Harbour IP System Authentication Configuration Screen System Authentication Configuration Screen Authentication Authenticated , or UnauthenticatedSystem Port # EAP Port Configuration Screen EAP Port Configuration Screen Port Authentication State Backend State Port Control Maximum Requests Initialize PortForce Reauth EAP Statistics Menu Screen 10 EAP Statistics Menu Screen EAP Session AuthenticatorEAP Diagnostic EAP Session Statistics Screen When to Use 11 EAP Session Statistics Screen Authenticate Server or a local Authentication Server Method SessionIDSessionOctetsRx SessionOctetsTx EAP Authenticator Statistics Screen When to Use Clear Counters CommandSession User Name Port Number 12 EAP Authenticator Statistics Screen Clear Counters EAP Diagnostic Statistics Screen When to Use 13 EAP Diagnostic Statistics Screen Enters Connecting Logoffs ConnectingAuthenticating Timeouts Authenticated Access ChallengesBackend Statistics Responses Other Requests To Counters MAC Port Configuration ScreenClear Port Enable 14 MAC Port Configuration Screen MAC Supplicant Configuration Screen SET ALL Ports Duration MAC Address Reauthenticate Sup Initialize SupplicantPlicant False Device Configuration Menu Screens Device Configuration Menu Screen General Configuration General SnmpResources Information General Configuration Screen 0.0 Default Gateway Subnet MaskTftp Gateway IP Addr Operational Mode Device TimeScreen Refresh Time Agg Mode Clear NvramIP Fragmentation WebView Setting the IP Address Configuration Warning Screen, IP Address Setting the Subnet Mask Configuration Warning Screen, Subnet Mask Setting the Default Gateway Setting the Tftp Gateway IP Address Setting the Module Name Setting the Device Date Entering a New Screen Refresh Time Setting the Device TimeSetting the Screen Lockout Time Configuring the COM Port Changing the COM Port Application COM Port Warning Clearing Nvram UPS Enabling/Disabling IP Fragmentation Clear Nvram Warning Snmp Configuration Menu Screen Snmp Configuration Menu Screen Snmp Community Names Configuration Screen Snmp Community Names Configuration Screen Establishing Community Names Snmp Traps Configuration Screen Snmp Traps Configuration Screen Configuring the Trap Table Enable TrapsTrap Destination Trap Community Access Control List Screen 10 Access Control List Screen Access Control Lists IP Addr Mask Entering IP AddressesEntering Single Addresses Entering Ranges of Addresses Enable/Disable ACL System Resources Information Screen XX KB Setting the Reset Peak Switch Utilization Flash Download Configuration Screen 12 Flash Download Configuration Screen Flash Download Configuration Screen Field Descriptions Reboot After DownloadDownload Server IP Download File Image File Download Using Runtime Configuration File Download Using Tftp Configuration File Upload Using Tftp 36Device Configuration Menu Screens Port Configuration Menu Screens Port Configuration Menu Screen Port Configuration Menu Screen in Agg Mode, Huntgroup Ethernet InterfaceHSIM/VHSIM Redirect Ethernet Interface Configuration Screen Intf Port Type Config LinkSpeed Duplex Ethernet Port Configuration Screen HDX FC Refer to -3for a functional description of each screen field Default Speed Default DuplexInterface Physical Port 10Port Configuration Menu Screens Full Duplex Flow ControlHalf Duplex Flow Save to ALL Selecting Field Settings Setting the Advertised Ability Configuration Menu HSIM/VHSIM Configuration ScreenRedirect Configuration Menu Screen Redirect Configuration Menu Screen Port Redirect Configuration Screen Source Port Destination Port Redirect Errors Frame FormatSource Port n Status Changing Source and Destination Ports Vlan Redirect Configuration Screen Vlan Redirect Configuration Screen Source Vlan Source Vlan n Changing Source Vlan and Destination Ports Usage Notes Aggregation Menu Rapid Reconfiguration Spanning Tree Definitions to Know Link Aggregation 802.3ad Main Menu Screen 1 802.3ad Port Screen When to Use Aggregator 802.3ad Port Screen Viewing and Editing 802.3ad Port Parameters AggregatorOperKey MUX 1.1 802.3ad Port Details Screen When to Use 10 802.3ad Port Details Screen ActorSystemPriority Port Instance PartnerAdminSysID ActorOperState PartnerOperState Stats Displaying Port StatisticsLagid 1.2 802.3ad Port Statistics Screen When to Use 11 802.3ad Port Statistics Screen LACPDUsRx IllegalRxMarkerPDUsRx LACPDUsTx LastRxTimedelta ActorChurnStatePartnerChurnState ActorChurnCount 2 802.3ad Aggregator Screen When to Use 12 802.3ad Aggregator Screen Viewing and Editing 802.3ad Aggregator Parameters Displaying Aggregator DetailsAggInst SysPri 2.1 802.3ad Aggregator Details Screen When to Use 13 802.3ad Aggregator Details Screen Instance Partner 3 802.3ad System Screen When to Use 14 802.3ad System Screen Broadcast Suppression Configuration Screen System IdentifierNumber of Ports Number Port # Total RX Setting the Threshold Setting the Reset Peak Configuration Menu Screens 802.1 Configuration Menu Screen 802.1 Configuration Menu Screen 802.1p Spanning Tree802.1Q Vlan Spanning Tree Configuration Menu Screen Tree Configuration Menu Spanning Tree Configuration Screen Vlan AgeTime Current STP Mode ConfiguredPriority Operation Configuring a Vlan Spanning Tree Spanning Tree Port Configuration Screen Spanning Tree Port Configuration Screen STP Vlan ID Switch AddressAge Time Viewing Status of Spanning Tree Ports Enabling/Disabling the Default Spanning Tree PortsPvst Port Configuration Screen Port Designated CorrespondingPort Designated Root Port Priority Port Designated CostPort State Port Designated PortPage 802.1Q Vlan Configuration Menu Screens Vlan Configuration Menu Preparing for Vlan Configuration Summary of Vlan Local Management 802.1Q Vlan Configuration Menu Screen 802.1Q Vlan Configuration Menu Screen Vlan Port Static VlanCurrent Vlan Static Vlan Configuration Screen Classification Vlan ID FDB ID Creating a Static Vlan Vlan NameADD DEL Marked Displaying the Current Static Vlan Port Egress List Renaming a Static Vlan Deleting a Static Vlan Paging Through the Vlan List Static Vlan Egress Configuration Screen Static Vlan Egress Configuration Screen Egress Setting the Same Egress Type on All Ports Simultaneously Setting Egress Types on PortsSetting the Egress Type on One or More Ports Individually Current Vlan Configuration Screen Displaying the Next Group of Ports Vlan Type Read-Only An example of a dynamic Vlan is a Gvrp Vlan Current Vlan Egress Configuration Screen Current Vlan Egress Configuration Screen Vlan Port Configuration Screen Policy Pvid Override is Pvid Changing the Port Mode Configuring the Vlan Ports Vlan Classification Configuration Screen Admit Tagged Frames only VID VID Classification DescriptionDEL ALL/DEL Marked 0x0000 0x00000000 000000.000.000.000 Tftp Http DNS Smtp Src TCP Port FTP Data Nlsp IPX WAN Custom 00-00-00-00-00-00 Classification Precedence Rules Layer Classification Precedence Example Displaying the Current Classification Rule Assignments Assigning a Classification to a VID Protocol Port Configuration Screen Deleting Line ItemsDeleting All Classification Rules Deleting One or More Classification Rules Protocol Port Configuration Screen Classify Classification RuleField Assigning Ports to a VID/Classification Assigning One or More Ports IndividuallyAssigning All Ports Simultaneously SET Ports to Assigning VID/Classification to Port Vlan Lists 802.1p Configuration Menu Screen Navigation Paths 802.1p Configuration Menu Screen When to Use Port Priority Configuration Port Priority Traffic ClassTransmit Queues Port Priority Configuration Screen Port Priority Configuration Screen Set Setting Switch Port Priority Port-by-PortPolicy Override Setting Switch Port Priority on All Ports Traffic Class Information Screen Traffic Class Information Screen Traffic Class Information Screen Field Descriptions Traffic Class Configuration Screen Traffic Class Configuration Screen Save Assigning the Traffic Class to Port PriorityTraffic Class Transmit Queues Configuration Screen Transmit Queues Configuration Screen Weights Q0, Q1 Current QueueingMode Q2, Q3 Setting the Current Queueing Mode Priority Classification Configuration Screen PID PID 18802.1p Configuration Menu Screens No Change TOS=PID Custom TCP No Change TOS=PID Custom Dest IP Address Mask New IP TOS Tftp Src TCP Port New IP TOS FTP Data IP Fragments New IP TOS IP Fragments2 Start End New IP TOS 00000 Dest TCP Port Start End New IP TOS 00000 SAP 28802.1p Configuration Menu Screens Layer About the IP TOS Rewrite Function Displaying the Current PID/Classification Assignments Assigning a Classification to a PID Deleting One or More Line Items Deleting PID/Classification/Description Line ItemsDeleting All Line Items Protocol Port Configuration Screen See which ports are set to the PID/Classification indicated Assigning Ports to a PID/Classification Solving the Problem Switch Rate Limiting Configuration Screen Priority List Maximum Feature Port Number Modifiable Port Type Direction Configuring a Port 42802.1p Configuration Menu Screens Changing/Deleting Port Line Items Changing One or More Line Items More About Rate Limiting Rate Limiting Configuration Screen Page Layer 3 Extensions Menu Screens Layer 3 Extensions Menu Screen IGMP/VLAN Layer 3 Extensions Menu Screen IGMP/VLAN Configuration Screen Igmp Version 120 Query Interval Query ResponseRobustness Last Member Query Switch Query IP McastMartPoolSizeQuerier Address Querier Uptime IGMP/VLAN Configuration Procedure Igmp StatePage Device Statistics Menu Screens Device Statistics Menu Screen Lists the number of frames received, transmitted, filtered, Switch Statistics Screen Rmon Frames Fltrd Frames RcvdFrames Txmtd Interface Statistics Screen Frames Frwded InOctets Interface Statistics Screen InErrors OutErrorsInUnicast InNonUnicast Displaying Interface Statistics MTU Rmon Statistics Screen Rmon Statistics Screen CRC Align Errors Rmon IndexData Source Owner Oversized Pkts FragmentsJabbers Total Packets Index nn Displaying Rmon Statistics1024 1518 Octets Network Tools Screens Screen ExampleNetwork Tools Help Screen Refer to -1for a list of the commands Command Alias Examples Alias Stats Arp Arp-a Syntax Bridge ENABLE/DISABLE IFNUM/ALL Options ArplearnBridge Syntax Arplearn normal limited status Options Defroute Syntax Cdp enable/disable/status OptionsCdp Vid DynamicegressSyntax dynamicegress action vid Options action Syntax Enable Group Disable Group Trap #ALL Commands for Listing Events Syntax igmpv3drop enable disable status GigabitportmodeIgmpv3drop Syntax gigabitportmode active redundant status Lgframeadmin Syntax linktrap enable/disable/status PORT/all Syntax loopbackdetect enable disable stateLinktrap Loopbackdetect Maclock Syntax maclock show port# all Syntax Maclock set enable port# all global Maclock set disable port# all globalMaclock set macaddress port# all create enable disable Maclock set trap port# all enable disable Maclock show Stations Maclock set enable global Netstat Nonbridgeifnum Syntax nonbridgeifnum 0 9999 status PassiveStp Ping Policy Syntax policy show profile profileindexPolicy show port portnumberorrangeorall Policy set port portnumberorrangeorall profileindex Examples Contiued Policy show port Radius 11-24Network Tools Screens Character string for the shared secret code. For security Radius client Examples Cont’d Syntax ratelimitmode status highrange default lowrangeRatelimitmode Reset Syntax reset Options None Example -reset Syntax Satsize 8 16 status Options SatsizeShow Show Appletalk interfaces Softreset Syntax softreset Options NoneStpEdgePort Syntax stpEdgePort status StpForceVersion Syntax StpForceVersion 0 2 status Options Syntax stpLegacyPathCost enable disable status StpLegacyPathCostRecommended Value StpPointToPointMAC StpRealTimeMsgAge Syntax stpRealTimeMsgAge enable disable statusStpPort Syntax Suppresstopologytraps enable disable Options SuppresstopologytrapsTelnet Syntax Telnet IP address Port # Options Timedsoftreset TimedresetSyntax timedsoftreset status t seconds resetnv dontresetnv Syntax timedreset status t seconds resetnv dontresetnv Traceroute Syntax Traceroute IP address Options VrrpPort EXAMPLE, Effects of Aging Time on Dynamic Egress Done, quit, exit Options None Example -done Vlan Operation and Network Applications Defining VLANs Example of a Vlan Other Vlan Strategies Types of VLANs12.2.1 802.1Q VLANs Ingress Benefits and RestrictionsVlan Terms Default Vlan Filtering DatabaseIdentifier FDB ID Tagged Frame Qcstp Garp Garp VlanGvrp Gmrp Configuration Process Vlan Operation Vlan Switch Operation Defining a VlanClassifying Frames to a Vlan Customizing the Vlan Forwarding List FID Receiving Frames from Vlan Ports Untagged FramesTagged Frames Forwarding Decisions Known Unicasts Vlan ConfigurationManaging the Switch Switch Without VLANs Switch with VLANs Switch Management with VLANs 12-14VLAN Operation and Network Applications 3069162 Quick Vlan Walkthrough Assigning a Vlan ID and Vlan Name Walkthrough Stage One, Static Vlan Configuration Screen Assigning Ports to the Vlan Egress list Walkthrough Stage Two, Port 3 Egress Setting Configuring the Port Parameters Walkthrough Stage Three, Port 10 Egress Setting Walkthrough Stage Four, Vlan Port Configuration Example 1, Single Switch Operation Examples For the Red Vlan 11 Switch Configured for VLANs Frame Handling Example 2, VLANs Across Multiple Switches Redco Blue Industries 12-26VLAN Operation and Network Applications Switch 12-28VLAN Operation and Network Applications Redco Blue Industries User a Blue Industries Redco 15 Transmitting to Bridge Switches 1 Finance Department Example 5, Using Dynamic Egress to Control Traffic PCs 00.00.00.00.00.0A Switch SET ALL Ports no Vlan Operation and Network Applications Page Generic Attribute Registration Protocol Garp HOW IT Works About Igmp Supported Features and Functions Detecting Multicast Routers Page Index Numerics Index-2 Index-3 Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11