17 Port Security Configuration

Introduction to Port Security
Port security is a security mechanism that controls network access. It extends the existing 802.1x and MAC address authentication. The scheme controls the incoming and outgoing packets on a port by checking the MAC addresses contained in the data frames, and provides multiple security and authentication modes; this greatly improves the security and manageability of the system.
The port security scheme provides the following features:

1 NTK (Need to Know): By checking the destination MAC addresses in the outbound packets of a given port, NTK ensures that only authenticated devices can receive the data packets, and thus prevents data from being intercepted.

2 Intrusion Protection: By checking the source MAC addresses in the inbound packets of a given port, intrusion protection detects illegal packets and takes the necessary actions. These include disconnecting the port temporarily or permanently, or filtering packets carrying the offending MAC addresses, to ensure port security.

3 Device Tracking: When certain types of data packets are transmitted (for example, as a result of an illegal intrusion or an improper login or logout), the switch sends a Trap message to help network administrators monitor and control such actions.

4 Binding of MAC and IP addresses to ports: The MAC addresses and IP addresses of authorized users are bound to designated ports of the switch, so that only authorized users can access those ports, thereby enhancing system security.
Port Security Modes

Table 65 describes the available security modes in detail.

Table 65  Description of the port security modes

Security mode: autolearn
Description: The MAC addresses learned on the port are changed to Security MAC addresses. This security mode automatically changes to the secure mode after the system has learned the maximum number of Security MAC addresses on this port, after which no new Security MAC address can be added. Packets whose source MAC addresses are not among the current Security MAC addresses cannot pass the port.
Feature: In this mode, only the NTK and Intrusion Protection features take effect.

Security mode: secure
Description: In this mode, the system does not learn MAC addresses on this port. Only packets whose source MAC addresses are the configured static MAC addresses can pass the port.
Feature: In this mode, only the NTK and Intrusion Protection features take effect.

Security mode: userlogin
Description: In this mode, port-based 802.1x authentication is performed for connected users.
Feature: In this mode, the NTK and Intrusion Protection features do not take effect.
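To make the interplay between the modes in Table 65 and the NTK and Intrusion Protection features concrete, the following is an added Python model written for this page; it is not the switch's firmware, CLI or any code from the manual. The class and method names, the sample MAC addresses and the intrusion-action values ("filter" and "disable") are constructed for the example, and only unicast frames are modelled. It walks one port through the autolearn-to-secure transition, then shows an unknown source MAC being dropped and trapped (Intrusion Protection and Device Tracking) and an outbound frame to an unknown destination being dropped (NTK).

```python
"""Toy model of the port security modes described in this chapter.

Added illustration, not the switch's own implementation: it simulates one
switch port in autolearn, secure or userlogin mode and applies the NTK
(destination-MAC) and Intrusion Protection (source-MAC) checks the chapter
describes. Names and sample values are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    mode: str                          # "autolearn", "secure" or "userlogin"
    max_secure_macs: int = 2           # maximum number of Security MAC addresses
    secure_macs: set = field(default_factory=set)
    intrusion_action: str = "filter"   # constructed: "filter" or "disable" (shut port)
    enabled: bool = True
    traps: list = field(default_factory=list)   # Device Tracking notifications

    @property
    def checks_active(self) -> bool:
        # Per Table 65, NTK and Intrusion Protection take effect only in the
        # autolearn and secure modes, not in userlogin mode.
        return self.mode in ("autolearn", "secure")

    def inbound(self, src_mac: str) -> str:
        """Process an inbound unicast frame; return 'forward' or 'drop'."""
        if not self.enabled:
            return "drop"              # port was disabled by an earlier intrusion
        if not self.checks_active:
            return "forward"           # userlogin relies on 802.1x instead
        if src_mac in self.secure_macs:
            return "forward"
        if self.mode == "autolearn":
            # Learned addresses become Security MAC addresses; once the
            # maximum is reached the port switches itself to secure mode.
            self.secure_macs.add(src_mac)
            if len(self.secure_macs) >= self.max_secure_macs:
                self.mode = "secure"
            return "forward"
        # secure mode: an unknown source MAC is treated as an intrusion
        self.traps.append(f"intrusion: unknown source MAC {src_mac}")
        if self.intrusion_action == "disable":
            self.enabled = False
        return "drop"

    def outbound(self, dst_mac: str) -> str:
        """NTK check: only frames destined to Security MACs leave the port."""
        if not self.enabled:
            return "drop"
        if not self.checks_active:
            return "forward"
        return "forward" if dst_mac in self.secure_macs else "drop"


def demo() -> dict:
    """Walk one port through autolearn -> secure and record each decision."""
    port = SecurePort(mode="autolearn", max_secure_macs=2)
    # Constructed sample MAC addresses (not taken from the manual).
    return {
        "first_host": port.inbound("00-11-22-33-44-01"),
        "second_host": port.inbound("00-11-22-33-44-02"),
        "mode_after_learning": port.mode,
        "intruder": port.inbound("00-11-22-33-44-ff"),
        "ntk_to_known": port.outbound("00-11-22-33-44-01"),
        "ntk_to_unknown": port.outbound("00-11-22-33-44-ff"),
        "traps": len(port.traps),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the two learned hosts being forwarded, the mode flipping to secure, the third source MAC being dropped with one trap recorded, and NTK forwarding only to the learned destination. Setting `intrusion_action="disable"` on a secure-mode port models the "disconnect the port" action: after the first unknown source MAC, even frames from a Security MAC are dropped until the port is re-enabled.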