Port Security Questions

onlineserv
New Contributor

Hi All,

I just took on a role at a new organization and am having some discussion with my manager around port security, which I have been tasked with setting up and configuring. From what I’ve been able to gather so far I have a couple of options: I can set up MAC locking where (from what I understand) the switches can learn and lock the ports down based on what they find (static MAC locking), or I can set it up on a first-come, first-served basis (dynamic MAC locking), which on the surface seems a little less secure.

Can someone here explain to me what the best approach would be to set up MAC locking (port security) where I can learn (or import a list of) MAC addresses and allow for the inclusion of other devices should an acquisition take place? Forgive me, but I’m relatively new to this and have never worked with Extreme switches. Can someone also provide me with a link to an article or documentation that outlines how I would go about setting this up?

Thank you,

S….

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hi Shannon,

If you are looking for a reliable solution that allows you to easily learn and manage new MAC addresses, then the switches themselves are not the best solution. When managing MAC lists on switches, for example, it is hard to keep the information consistent across all switches and there is no option to learn new MACs.

The solution to this problem is a RADIUS server or NAC gateway. Specifically, Extreme's XMC (Extreme Management Center, now XIQ Site Engine) and NAC (Network Access Control) is a good solution for learning and managing MAC addresses. In addition, with NAC you can also create a set of rules that allows you to dynamically assign different rights or VLANs to the individual groups to which the MAC addresses have been assigned.

Simplified, the process can look like this:

  1. A new device is connected to a switch
  2. The switch takes the MAC address and asks the NAC (Network Access Control / RADIUS) whether the device with that MAC is allowed to enter the network, in which VLAN the device should communicate, and with which policy (ACL) the device should work.
  3. The NAC reports this information back to the switch based on a set of rules (via the RADIUS protocol).
  4. The switch implements this.

In NAC you can see at any time which end devices in the network are connected to which switch, and a lot more end-system information.
New devices can be handled separately and then assigned to groups manually or automatically. 
MAC addresses can also be imported via CSVs or via the API if desired.

See here: 

https://www.extremenetworks.com/product/extreme-management-center/

https://www.extremenetworks.com/product/extremecontrol/


Regards Stephan

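The four-step exchange Stephan describes, modelled end to end as an added example (this is not code from the thread, from EXOS, or from Extreme's NAC): a "switch" function builds the RADIUS Access-Request a port would send, using the device MAC as User-Name and User-Password; a "nac" function looks the MAC up in a small constructed CSV list and answers Access-Accept with the RFC 2868 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) or Access-Reject; the switch side verifies the Response Authenticator before trusting the VLAN and falls back to a guest VLAN on reject. The shared secret, the MAC list, the VLAN names, the guest-VLAN fallback and the MAC-as-password convention are all assumptions made for the example; the packet layout follows RFC 2865.

```python
import csv
import hashlib
import io
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SHARED_SECRET = b"example-secret"   # assumption: the per-switch RADIUS secret
GUEST_VLAN = "Guest"                # assumption: VLAN for devices that fail auth

# Constructed CSV in the shape one might import into the NAC: MAC, group, VLAN.
MAC_LIST_CSV = """mac,group,vlan
00:11:22:33:44:55,Workstations,Corp
AA-BB-CC-DD-EE-FF,Printers,Printers
"""

def normalise_mac(mac: str) -> str:
    """Canonical form: 12 lower-case hex digits, separators dropped."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def load_mac_list(text: str) -> dict:
    """Index the CSV by normalised MAC so any separator style matches."""
    return {normalise_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out

def password_xor(data: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: chained MD5(secret + prev) XOR stream."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = hashlib.md5(SHARED_SECRET + prev).digest()
        xored = bytes(a ^ b for a, b in zip(chunk, block))
        out += xored
        prev = chunk if decrypt else xored   # always chain on the ciphertext block
    return out

# --- step 2: the switch asks the NAC about the MAC it just saw ---------------
def build_access_request(mac: str, ident: int = 1) -> bytes:
    mac_hex = normalise_mac(mac)
    req_auth = os.urandom(16)
    padded = mac_hex.encode() + b"\0" * (-len(mac_hex) % 16)
    attrs = attr(USER_NAME, mac_hex.encode()) \
        + attr(USER_PASSWORD, password_xor(padded, req_auth, decrypt=False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

# --- step 3: the NAC answers from its rules (here: the imported list) --------
def nac_handle(request: bytes, mac_list: dict) -> bytes:
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    pw = password_xor(attrs[USER_PASSWORD], req_auth, decrypt=True).rstrip(b"\0")
    try:
        entry = mac_list.get(normalise_mac(user)) if pw.decode(errors="replace") == user else None
    except ValueError:
        entry = None
    if entry is None:
        code, reply = ACCESS_REJECT, b""
    else:   # rule matched: tell the switch which VLAN the device belongs in
        code = ACCESS_ACCEPT
        reply = attr(TUNNEL_TYPE, b"\0" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")) \
            + attr(TUNNEL_MEDIUM_TYPE, b"\0" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")) \
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\0" + entry["vlan"].encode())
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    resp_auth = hashlib.md5(header + req_auth + reply + SHARED_SECRET).digest()
    return header + resp_auth + reply

# --- step 4: the switch implements the answer ---------------------------------
def switch_apply_reply(request: bytes, reply: bytes) -> str:
    """Verify the Response Authenticator, then return the VLAN to put the port in."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + SHARED_SECRET).digest()
    if ident != request[1] or reply[4:20] != expected:
        raise ValueError("reply failed authenticator check (spoofed or wrong shared secret)")
    if code != ACCESS_ACCEPT:
        return GUEST_VLAN   # assumption: the switch has a guest VLAN for failed auth
    attrs = parse_attrs(reply[20:length])
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        raise ValueError("Access-Accept carries no VLAN assignment")
    return attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode()

def authenticate(mac: str, mac_list: dict = None) -> str:
    """Whole exchange for one newly connected device (step 1 onwards)."""
    mac_list = load_mac_list(MAC_LIST_CSV) if mac_list is None else mac_list
    request = build_access_request(mac)
    return switch_apply_reply(request, nac_handle(request, mac_list))

if __name__ == "__main__":
    for m in ("00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff", "de:ad:be:ef:00:01"):
        print(m, "->", authenticate(m))
```

Two details in the example are the ones that bite in practice. The NAC matches on a normalised MAC, so a list imported with `AA-BB-CC-DD-EE-FF` still matches a switch that sends `aabbccddeeff`; a NAC that compares the raw strings silently drops every device into the guest VLAN. And the switch checks the Response Authenticator before acting on the VLAN, which is what stops a forged Access-Accept from anyone who does not hold the shared secret; it is only as strong as that secret and the MD5 construction, so the RADIUS path between switches and NAC still belongs on a protected management network.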

onlineserv
New Contributor

Hey Stephan,

I figured out the NPS piece and was able to write up a pretty informative document and present it to my manager. The only piece I’m missing is the exact command needed to execute on the switch. Can you provide me with the command(s) I need to run on the switch to turn on MAC locking for 2 devices per port on a VLAN basis? I think it would look something like this:

configure mac-locking ports first-arrival limit-learning 2 

but I don’t know how to integrate the VLAN into this. Something else I’m looking to do is this: if a device isn’t able to authenticate then I want to send that device to the Guest VLAN. Is this something you can assist me with?

Thank you,

Shannon

onlineserv
New Contributor

Thank you Stephan,

A couple of questions. In the article you sent me it outlines the process of creating a VLAN, which I’m a little confused about: why do I need to create another VLAN when all of the VLANs I need are already in place, or should I be starting with a configuration that is similar to this?

  • configure netlogin vlan <name of existing vlan>
  • enable netlogin mac
  • configure netlogin mac authentication database-order radius
  • configure netlogin add mac-list default

StephanH
Valued Contributor III

Hello Shannon,

This article is a good starting point for you regarding EXOS with NPS:

https://extremeportal.force.com/ExtrArticleDetail?an=000080274


Regards Stephan

onlineserv
New Contributor

Thank you Stephan,

Based on costs, we will more than likely utilize Microsoft NPS. We currently leverage NPS for our wireless authentication; that said, can you please provide me with a list of commands that I need to execute on the switches to make this work? Based on what I’ve seen at other sites it looks like I need to run a command much like this one here: configure mac-locking ports first-arrival limit-learning 2. Is this correct, and if so can you (or someone) explain to me what this command does?

It looks like it sets up MAC locking on the port for 2 devices (is this correct?). If so I have another couple of questions: the first is how would I go about executing this command on a VLAN basis, and the second is how would the RADIUS server fit into all of this, how would it go about tracking the MACs, and how would I go about managing this in the event a device had to be replaced?

Forgive me here, but I’m rather new to this. I understand basic network administration (VLANs, tags, access ports, trunk ports, etc.) and have never worked with Extreme switches before, so I’m reaching out to you guys for some guidance.

Thank you in advance.

Shannon
