Print this pagePrint this page

Email this topicEmail this topic

View PDFView PDF

Download EPUBDownload EPUB

Ethernet Port Security

To define a profile's Ethernet port configuration:

  1. Select Configuration > Profiles > Interface.

  2. Expand the Interface menu to display its submenu options.

  3. Select Ethernet Ports.

  4. To edit the configuration of an existing port, select it from amongst those displayed and select the Edit button.

  5. Select the Security tab.

  6. Refer to the Access Control field. As part of the port's security configuration, Inbound IP and MAC address firewall rules are required.

    Use the Inbound IP Firewall Rules and MAC Inbound Firewall Rules pull-down menus to select the firewall rules to apply to this profile's Ethernet port configuration.

    The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

  7. If a firewall rule does not exist suiting the data protection needs of the target port configuration, select the Create icon to define a new rule configuration. For more information, see Wireless Firewall.

  8. Refer to the Trust field to define the following:

    Trust ARP Responses

    Select the check box to enable ARP trust on this port. ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network. The default value is disabled.

    Trust DHCP Responses

    Select the check box to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled.

    ARP header Mismatch Validation

    Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. The default value is disabled.

    Trust 802.1p COS values

    Select the check box to enable 802.1p COS values on this port. The default value is enabled.

    Trust IP DSCP

    Select the check box to enable IP DSCP values on this port. The default value is enabled.
     
    Note: Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, despite a conflict existing.

  9. Set the following 802.1X Settings:

    Host Mode

    Use the drop-down menu to select the host mode configuration to apply to this port. Options include single-host or multi-host. The default setting is single-host.

    Guest VLAN

    Specify a guest VLAN for this port from 1 - 4094. This is the VLAN traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled.

    Port Control

    Use the drop-down menu to set the port control state to apply to this port. Options inlcude force-authorized, force-unauthorized and automatic. The default setting is force-authorized.

    Re Authenticate

    Select this setting to force clients to reauthenticate on this port. The default setting is disabled, thus clients do not need to reauthenticate for connection over this port until this setting is enabled.

    Max Reauthenticate Count

    Set the maximum reauthentication attempts (1 - 10) before this port is moved to unauthorized. The default setting is 2.

    Maximum Request

    Set the maximum number of authentication requests (1 - 10) before returning a failed message to the requesting client. The default setting is 2.

    Quiet Period

    Set the quiet period for this port from 1 - 65,535 seconds.This is the maximum wait time 802.1x waits upon a failed authentication attempt. The default setting is 60 seconds.

    Reauthenticate Period

    Use the spinner control to set the reauthentication period for this port from 1 - 65,535 seconds. The default setting is 60 seconds.

    Port MAC Authentication

    When enabled, a port's MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from the source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on RFS 4000, RFS 6000 model controllers and NX 4500, NX 6500 and NX 9000 series service platforms.

    Port MAC authentication may be enabled on ports in conjunction with Wired 802.1x settings for a MAC Authentication AAA policy.

  10. Select Enable within the 802.1x supplicant (client) field to enable a username and password pair used when authenticating users on this port. This setting is disabled by default. The password cannot exceed 32 characters.

  11. Select OK to save the changes made to the Ethernet port's security configuration. Select Reset to revert to the last saved configuration.

Published May 2018prev | next

Email this topicEmail this topic

Print this pagePrint this page