To edit or override security configuration of a port:
The firewall inspects MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: it does not guarantee delivery, and it does not ensure in-order delivery or suppress duplicates (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity.
IPv6 is the latest revision of the Internet Protocol, designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks and routes traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Trust ARP Responses | Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. This option is disabled by default. |
Trust DHCP Responses | Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default. |
ARP Header Mismatch Validation | Select this option to enable a check that the source MAC in the ARP header matches the source MAC in the Ethernet header. This option is disabled by default. |
Trust 802.1p COS values | Select this option to trust the 802.1p CoS values of packets received on this port. This option is enabled by default. |
Trust IP DSCP | Select this option to trust the IP DSCP values of packets received on this port. This option is enabled by default. |
Note: Some vendor solutions with VRRP enabled send ARP packets whose Ethernet source MAC (SMAC) is the physical MAC while the inner ARP sender MAC is the VRRP virtual MAC. If this configuration is enabled, such a packet is allowed even when a conflict exists.
Trust ND Requests | Select this option to trust neighbor discovery requests, which are required on an IPv6 network, on this Ethernet port. This option is disabled by default. |
Trust DHCPv6 Responses | Select this option to trust all DHCPv6 responses on this Ethernet port. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. This option is enabled by default. |
ND Header Mismatch Validation | Select this option to enable a check that the source MAC in the Ethernet header matches the link-layer address carried in the ND message's Link-Layer Address option. This option is disabled by default. |
RA Guard | Select this option to enable router advertisements or ICMPv6 redirects from this Ethernet port. This option is enabled by default. |
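ARP Header Mismatch Validation and ND Header Mismatch Validation both compare the source MAC in the Ethernet header with the address carried inside the protocol message, and the VRRP note describes the one legitimate case where the two differ. The Python script below is an added example, not code from this page or from the vendor's software: it parses constructed Ethernet/ARP and Ethernet/IPv6/ICMPv6 frames and returns a per-frame verdict. The sample frames, the MAC addresses, and the names check_arp, check_nd, audit and the builder functions are all this example's own. The allow_vrrp switch is this example's interpretation of the note: an ARP frame whose sender hardware address starts with the RFC 5798 IPv4 VRRP virtual MAC prefix (00-00-5E-00-01) is reported as allowed instead of as a mismatch.

```python
import struct

ETH_ARP = 0x0806
ETH_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
# Which ND option carries the sender's own link-layer address (RFC 4861):
# RS (133) and NS (135) use Source Link-Layer Address (option 1),
# NA (136) uses Target Link-Layer Address (option 2).
SENDER_LLADDR_OPTION = {133: 1, 135: 1, 136: 2}
# RFC 5798: the IPv4 VRRP virtual MAC is 00-00-5E-00-01-{VRID}
VRRP_V4_MAC_PREFIX = bytes.fromhex("00005e0001")


def check_arp(frame, allow_vrrp=False):
    """Compare the Ethernet source MAC with the ARP sender hardware address.
    Returns 'ok', 'mismatch', 'malformed' or 'vrrp-allowed' (VRRP exception on)."""
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, hlen, _plen, _oper, sha = struct.unpack("!HHBBH6s", frame[14:28])
    if hlen != 6:
        return "malformed"
    if sha == eth_src:
        return "ok"
    if allow_vrrp and sha.startswith(VRRP_V4_MAC_PREFIX):
        return "vrrp-allowed"
    return "mismatch"


def check_nd(frame):
    """Compare the Ethernet source MAC with the link-layer address option of an
    IPv6 Neighbor Discovery message (RS, NS or NA). Checksums are not verified and
    IPv6 extension headers are not walked (toy parser, by design)."""
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_IPV6:
        raise ValueError("not an IPv6 frame")
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if next_header != IPPROTO_ICMPV6:
        return "not-nd"
    icmp = frame[54:54 + payload_len]
    icmp_type = icmp[0]
    if icmp_type not in SENDER_LLADDR_OPTION:
        return "not-nd"
    # RS: 4-byte ICMPv6 header + 4 reserved; NS/NA: header + 4 flags/reserved + 16-byte target
    pos = 8 if icmp_type == 133 else 24
    wanted = SENDER_LLADDR_OPTION[icmp_type]
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            return "malformed"  # RFC 4861 4.6: a zero-length option must be discarded
        if opt_type == wanted:
            return "ok" if icmp[pos + 2:pos + 8] == eth_src else "mismatch"
        pos += opt_len * 8
    return "no-lladdr-option"


# --- constructed sample frames (not captured traffic) ---------------------------
def build_arp(eth_src, arp_sha, oper=1):
    eth = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, arp_sha,
                      bytes([10, 0, 0, 1]), b"\x00" * 6, bytes([10, 0, 0, 2]))
    return eth + arp


def build_ns(eth_src, sllao):
    target = bytes.fromhex("fe80" + "00" * 12 + "0002")          # fe80::2
    icmp = struct.pack("!BBHI16s", 135, 0, 0, 0, target) + bytes([1, 1]) + sllao
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                     bytes.fromhex("fe80" + "00" * 12 + "0001"),   # fe80::1
                     b"\xff\x02" + b"\x00" * 13 + b"\x01")         # ff02::1
    eth = struct.pack("!6s6sH", bytes.fromhex("333300000001"), eth_src, ETH_IPV6)
    return eth + ip + icmp


PHYS = bytes.fromhex("0011223344aa")    # constructed physical MAC of the sender
VRRP = bytes.fromhex("00005e000105")    # VRRP virtual MAC, VRID 5
OTHER = bytes.fromhex("deadbeef0001")   # unrelated MAC claimed inside the payload
SAMPLES = {
    "arp-consistent": build_arp(PHYS, PHYS),
    "arp-spoofed": build_arp(PHYS, OTHER),
    "arp-vrrp": build_arp(PHYS, VRRP),
    "ns-consistent": build_ns(PHYS, PHYS),
    "ns-spoofed": build_ns(PHYS, OTHER),
}


def audit(samples=None, allow_vrrp=True):
    """Run the matching check on each frame and return {name: verdict}."""
    results = {}
    for name, frame in (samples or SAMPLES).items():
        ethertype = struct.unpack("!H", frame[12:14])[0]
        results[name] = check_arp(frame, allow_vrrp) if ethertype == ETH_ARP else check_nd(frame)
    return results


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:16s} {verdict}")
```

Running the script prints one verdict per sample; with allow_vrrp=False the VRRP sample is reported as a plain mismatch, which is the behaviour to expect on a port where the validation is on and no VRRP exception applies. Raw frames from a capture on a trusted port can be passed to check_arp or check_nd directly.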
Host Mode | Select the port mode for 802.1X authentication. Select single-host to bridge traffic from a single authenticated host. Select multi-host to bridge traffic from any host to this port. The default setting is single-host. |
Guest VLAN | Specify a guest VLAN for this port from 1 - 4094. This is the VLAN on which traffic is bridged if this port is unauthorized and the guest VLAN is globally enabled. |
Port Control | Set the way in which the port bridges traffic. Select one of the following options: The default setting is force-authorized. |
Re Authenticate | Select this option to enable or disable re-authentication. Re-authentication is primarily used to refresh the current state of the selected port. When enabled, client devices are forced to re-authenticate on this port. While this happens, the port is still considered authenticated. If re-authentication fails, the port is considered unauthorized and devices using the port are denied access. This option is disabled by default. |
Max Reauthenticate Count | Set the number of re-authentication attempts (1-10) allowed when a port tries to re-authenticate and fails. Once this count is exceeded, the port is considered unauthorized. The default setting is 2. |
Quiet Period | Set the quiet period for this port from 1 - 65,535 seconds. This is the maximum time 802.1X waits after a failed authentication attempt. The default setting is 60 seconds. |
Reauthenticate Period | Set the duration after which a controlled port is forced to re-authenticate. Set a value from 0 - 65,535 seconds. The default setting is 3600 seconds. |
Port MAC Authentication | Enables MAC address authentication on the selected port. When enabled, a port's MAC address is authenticated; only one MAC address is supported per wired port. Once successfully authenticated, packets from that source are processed and packets from all other sources are dropped. Port MAC authentication may be enabled on ports in conjunction with Wired 802.1X settings for a MAC Authentication AAA policy. This option is disabled by default. |
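The Host Mode, Re Authenticate, Max Reauthenticate Count, Quiet Period, Reauthenticate Period and Port MAC Authentication rows together describe one per-port authorization lifecycle. The Python model below is an added example and not vendor code; it is a toy simulation of that lifecycle with the documented defaults as starting values. The class name WiredPortAuth, the method names, the MAC addresses and the timeline are all constructed for this example. Two points are this example's assumptions rather than statements from the page: "count exceeds" is read as strictly more failures than Max Reauthenticate Count, and a failed re-authentication retries after one quiet period.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WiredPortAuth:
    """Toy model of one wired port in 802.1X single-host mode."""
    max_reauth_count: int = 2      # Max Reauthenticate Count (1-10), default 2
    quiet_period: int = 60         # seconds, default 60
    reauth_period: int = 3600      # seconds, default 3600
    authorized: bool = False
    host_mac: Optional[str] = None
    reauth_failures: int = 0
    quiet_until: float = 0.0
    next_reauth_at: Optional[float] = None
    log: list = field(default_factory=list)

    def _note(self, now, msg):
        self.log.append(f"t={now:>6.0f} {msg}")

    def initial_auth(self, mac, success, now):
        """First EAP exchange on an unauthorized port. A failure starts the quiet
        period, during which further attempts are ignored."""
        if now < self.quiet_until:
            self._note(now, f"{mac}: attempt ignored, quiet period until t={self.quiet_until:.0f}")
            return False
        if not success:
            self.quiet_until = now + self.quiet_period
            self._note(now, f"{mac}: authentication failed, port stays unauthorized")
            return False
        self.authorized, self.host_mac, self.reauth_failures = True, mac, 0
        self.next_reauth_at = now + self.reauth_period
        self._note(now, f"{mac}: authorized, re-auth due at t={self.next_reauth_at:.0f}")
        return True

    def reauth_due(self, now):
        return self.authorized and self.next_reauth_at is not None and now >= self.next_reauth_at

    def reauthenticate(self, success, now):
        """Periodic re-authentication. The port stays authorized while the exchange
        runs and is deauthorized only once failures exceed max_reauth_count
        (assumption: 'exceeds' means strictly greater). Returns the port state."""
        if success:
            self.reauth_failures = 0
            self.next_reauth_at = now + self.reauth_period
            self._note(now, f"{self.host_mac}: re-authenticated")
            return True
        self.reauth_failures += 1
        self._note(now, f"{self.host_mac}: re-auth failure {self.reauth_failures}/{self.max_reauth_count}")
        if self.reauth_failures > self.max_reauth_count:
            self.authorized, self.host_mac, self.next_reauth_at = False, None, None
            self.quiet_until = now + self.quiet_period
            self._note(now, "re-auth limit exceeded: port unauthorized, host must authenticate again")
        else:
            self.next_reauth_at = now + self.quiet_period   # assumption: retry after quiet period
        return self.authorized

    def forward(self, src_mac, is_eapol=False):
        """Bridging decision: EAP over LAN always passes; data only from the single
        authenticated MAC (single-host mode / one MAC per port), everything else dropped."""
        if is_eapol:
            return True
        return self.authorized and src_mac == self.host_mac


def simulate():
    """Constructed timeline; returns the checkpoints a test can assert on."""
    port = WiredPortAuth(reauth_period=300, quiet_period=30)
    out = {}
    out["rogue_initial"] = port.initial_auth("de:ad:be:ef:00:01", success=False, now=0)
    out["host_during_quiet"] = port.initial_auth("00:11:22:33:44:aa", success=True, now=10)
    out["host_after_quiet"] = port.initial_auth("00:11:22:33:44:aa", success=True, now=40)
    out["host_data"] = port.forward("00:11:22:33:44:aa")
    out["other_data"] = port.forward("de:ad:be:ef:00:01")
    out["other_eapol"] = port.forward("de:ad:be:ef:00:01", is_eapol=True)
    t, outcomes = 340, []
    while port.authorized and port.reauth_due(t):        # RADIUS unreachable: every re-auth fails
        outcomes.append(port.reauthenticate(success=False, now=t))
        t = port.next_reauth_at or t
    out["reauth_outcomes"] = outcomes
    out["host_data_after_deauth"] = port.forward("00:11:22:33:44:aa")
    out["log"] = port.log
    return out


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

The simulated run shows the documented behaviour end to end: a failed attempt opens the quiet period and a legitimate host's attempt inside it is ignored; once authorized, only that host's data frames are bridged while EAPOL from any station still passes; and with max_reauth_count=2 the port survives two failed re-authentications and is deauthorized on the third.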
Enable | Select to enable 802.1X port-based authentication of an 802.1X-capable supplicant (client) on the selected wired port. The IEEE 802.1X port-based authentication protocol restricts unauthorized LAN access by enforcing supplicant authentication at the port. When a supplicant associates with an IEEE 802.1X enabled wired port, normal traffic across the port is suspended until the supplicant is successfully authenticated. Once the supplicant is successfully authenticated, the port status changes to authorized and normal traffic flow resumes. During the suspended state, only EAP over LAN traffic is allowed across the wired port. Note: This feature is disabled by default. |
Method | Select the mode of authentication: |
Username | Select this checkbox and specify the supplicant's username. Note: This is required only if the Method of authentication is set to Username. |
Password | Sets the password associated with the supplicant username specified above. Note: This is required only if the Method of authentication is set to Username. |
Trustpoint | Select this checkbox and specify the trustpoint name. In EAP-TLS authentication, the supplicant and RADIUS server authenticate each other using trustpoint certificates. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate. Note: Ensure that the trustpoint certificate is installed on both the supplicant and the RADIUS server. |