06-21-2021 08:06 PM
Hi All,
I just took on a role at a new organization and am having some discussion with my manager around port security, which I have been tasked with setting up and configuring. From what I’ve been able to gather so far I have a couple of options where I can use/set up MAC locking where (from what I understand) the switches can learn and lock the ports down based on what they find (static MAC locking), or I can set it up on a first come, first served basis (dynamic MAC locking), which on the surface seems a little less secure.
Can someone here explain to me what the best approach would be to set up MAC locking (port security) where I can learn (or import a list of MAC addresses) and allow for inclusion of other devices should an acquisition take place? Forgive me, but I’m relatively new to this and have never worked with Extreme switches. Can someone also provide me with a link to an article or documentation that outlines how I would go about setting this up?
Thank you,
S….
06-22-2021 06:13 PM
Hi Shannon,
If you are looking for a reliable solution that allows you to easily learn and manage new MAC addresses, then the switches themselves are not the best solution. When managing MAC lists on switches, for example, it is hard to keep the information consistent across all switches and there is no option to learn new MACs.
The solution to this problem is a RADIUS server or NAC gateway. Specifically, Extreme's XMC (Extreme Management Center, new XIQ Site Engine) and NAC (Network Access Control) are a good solution for learning and managing MAC addresses. In addition, with NAC you can also create a set of rules that allows you to dynamically assign different rights or VLANs to individual groups to which the MAC addresses have been assigned.
Simplified, the process can look like this:
- A new device is connected to a switch
- The switch takes the MAC address and asks the NAC (Network Access Control / RADIUS) if the device with the MAC is allowed to enter the network and in which VLAN the device should communicate, as well as with which policy (ACL) the device should work.
- The NAC reports this information back to the switch based on a set of rules (via the RADIUS protocol).
- The switch implements this.
In NAC you can see at any time which end devices in the network are connected to which switch, and a lot more end-system information.
New devices can be handled separately and then assigned to groups manually or automatically.
MAC addresses can also be imported via CSVs or via the API if desired.
See here:
https://www.extremenetworks.com/product/extreme-management-center/
https://www.extremenetworks.com/product/extremecontrol/
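As an added illustration (not code from this thread, from Extreme or from any RADIUS product), here is a small Python model of the lookup the NAC/RADIUS side performs in the "switch asks, NAC answers" steps above, together with the CSV import mentioned at the end of the post. The CSV rows, group names and VLAN IDs are constructed placeholders; the three Tunnel-* names are the standard RADIUS attributes switches use for dynamic VLAN assignment.

```python
import csv
import io
import re

# Constructed sample of a "mac,group" CSV (e.g. a list handed over during an
# acquisition). Not data from the thread; MACs and group names are invented.
SAMPLE_CSV = """mac,group
00:11:22:33:44:55,corporate-pc
00-11-22-33-44-66,voip-phone
0011.2233.4477,printers
aabbccddeeff,blocked
"""

# Hypothetical group-to-VLAN policy table; VLAN IDs are placeholders.
# None means the group is explicitly denied access.
GROUP_POLICY = {"corporate-pc": 10, "voip-phone": 20, "printers": 30, "blocked": None}
QUARANTINE_VLAN = 999  # unknown devices land here until someone assigns a group

def normalize_mac(raw):
    """Accept colon, dash, Cisco-dotted and bare-hex forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_mac_groups(csv_text):
    """Import the CSV into {normalized_mac: group}: one central table, not per switch."""
    return {normalize_mac(r["mac"]): r["group"].strip()
            for r in csv.DictReader(io.StringIO(csv_text))}

def authorize(mac, table):
    """NAC/RADIUS decision for one MAC seen on a switch port (steps 2-3 of the post).
    Allowed group -> Access-Accept plus the standard RADIUS tunnel attributes used for
    dynamic VLAN assignment; unknown MAC -> quarantine VLAN; denied group -> Access-Reject."""
    group = table.get(normalize_mac(mac), "unknown")
    vlan = GROUP_POLICY.get(group, QUARANTINE_VLAN)
    if vlan is None:
        return {"result": "Access-Reject", "group": group}
    return {
        "result": "Access-Accept",
        "group": group,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
```

Because every switch asks the same table, a MAC imported once is known everywhere, which is the consistency problem the post describes with per-switch MAC lists.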
06-23-2021 01:33 PM
Here is, for example, the FreeRADIUS documentation:
https://wiki.freeradius.org/guide/mac-auth
06-23-2021 01:32 PM
The easiest way is to use XMC with NAC (ExtremeControl); there you have the most features and the best overview.
If you do not want to use XMC and NAC (ExtremeControl), e.g. for financial reasons, you could also implement the whole thing with a FreeRADIUS or Microsoft NPS (both are pure RADIUS servers).
06-23-2021 01:22 PM
Thank you Stephan,
Can you point me to an article that would outline how I would go about doing this with a RADIUS server? Or am I misunderstanding something, in the sense that what I would use is the XMC with RADIUS?
Thank you,
Shannon
06-22-2021 05:53 PM
Thanks for letting us know. I found this article about enabling MAC-locking, but I’m still looking for something that goes through importing a list of MAC addresses: https://documentation.extremenetworks.com/exos_commands_22.3/EXOS_21_1/EXOS_Commands_All/r_enable-ma...
