Port Security

The device allows you to configure each port to help prevent unauthorized access. Depending on your selection, the device checks the MAC address or the IP address of the connected device.

In the “Configuration” frame, you set whether the port security works with MAC or with IP addresses.

Name

Meaning

MAC-Based Port Security

Check source MAC address of the received data packet.

IP-Based Port Security

IP-Based Port Security internally relies on MAC-Based Port Security.
Principle of operation:
When you configure the function, the device translates the entered source IP address into the respective MAC address. In operation, it checks the source MAC address of the received data packet against the internally stored MAC address.

Tab. Configuration of port security globally for all ports


Set the individual parameters for each port in the port table.

Name

Meaning

Module.Port

Port identification using module and port numbers of the device, e.g. 2.1 for port one of module two.

Port Status

enabled: Port is switched on and transmitting.

disabled: Port is switched off and not transmitting.

The port is switched on if
- an authorized address accesses the port
or
- an unauthorized address attempts to access the port and trapOnly or none is selected under “Action”.

The port is switched off if
- an unauthorized address attempts to access the port and portDisable is selected under “Action”.

Allowed MAC Addresses

MAC addresses of the devices with which you allow data exchange on this port.

The graphical user interface allows you to enter up to 50 MAC addresses, each separated by a space. After each MAC address you can enter a slash followed by a number that identifies an address range. This number, between 2 and 47, indicates the number of relevant (leading) bits. Example:
00:80:63:01:02:00/40 stands for
00:80:63:01:02:00 to 00:80:63:01:02:FF
or
00:80:63:00:00:00/24 stands for
00:80:63:00:00:00 to 00:80:63:FF:FF:FF

If there is no entry, any number of devices can communicate via this port.

Current MAC Address

Shows the MAC address of the device from which the port last received data. The graphical user interface allows you to copy an entry from the “Current MAC Address” column into the “Allowed MAC Addresses” column by dragging and dropping with the mouse button.

Allowed IP Addresses

IP addresses of the devices with which you allow data exchange on this port.

The graphical user interface allows you to enter up to 10 IP addresses, each separated by a space.

If there is no entry, any number of devices can communicate via this port.

Action

Action performed by the device after an unauthorized access:

  • none: no action

  • trapOnly: send alarm

  • portDisable: disable the port with the corresponding entry in the port configuration table and send an alarm.

Tab. Configuration of port security for a single port

Note: This entry in the port configuration table is part of the configuration and is saved together with the configuration. See Load/Save.
Note: Prerequisites for the device to be able to send an alarm (trap): See Alarms (Traps).
Note: The IP port security operates internally on layer 2. The device internally translates an allowed IP address into an allowed MAC address when you enter the IP address. An ARP request is used for this.
Prerequisites for the IP-based port security:
- If you have entered a router interface as the allowed IP address, all the packets sent from this interface are considered allowed, since they contain the same MAC source address.
- If a connected device sends packets with the allowed IP address but a different MAC address, the Switch denies this data traffic.
- If you replace the device with the allowed IP address with a different one having the same IP address, enter the IP address in the Switch again so that the Switch can learn the new MAC address.

Buttons

Button

Meaning

“Set”

Transfers the changes to the volatile memory (RAM) of the device. To permanently save the changes, open the Basic Settings:Load/Save dialog, select the location to save the configuration, and click “Save”.

“Reload”

Updates the fields with the values that are saved in the volatile memory (RAM) of the device.

“Wizard”

Opens the “Wizard”.

With the “Wizard” you assign the permitted MAC addresses to a port.

“Help”

Opens the online help.

Tab. Buttons


Wizard – Select Port

The “Wizard” helps you to connect the device ports with one or more desired senders.

Parameters

Meaning

“Select Port”

Defines the device port that you assign to the sender in the next step.

Tab. Wizard in the Security:Port Security dialog, “Select Port” page


Wizard – Addresses

The “Wizard” helps you to connect the device ports with one or more desired senders. When you have defined the settings, click “Finish”. To save the changes afterwards, click “Set” in the “Security:Port Security” dialog.

Parameters

Meaning

“Allowed MAC Addresses”

Lists the MAC addresses that are allowed access to the port.

Possible values:

  • Valid Unicast MAC addresses

Click “Add” to transfer the MAC address to the “Allowed MAC Addresses” field.

“MAC Address”

Defines the MAC address allowed access to the port.

Possible values:

  • Valid Unicast MAC address

    Enter the value in one of the following formats:

    • without a separator, e.g. 001122334455

    • separated by spaces, e.g. 00 11 22 33 44 55

    • separated by colons, e.g. 00:11:22:33:44:55

    • separated by hyphens, e.g. 00-11-22-33-44-55

    • separated by points, e.g. 00.11.22.33.44.55

    • separated by points after every 4th character, e.g. 0011.2233.4455

Click “Add” to transfer the MAC address to the “Allowed MAC Addresses” field.

“Mask”

Defines the number of significant (leading) bits of the MAC address range.

Possible values:

  • 1..48

Use this field to indicate the number of significant bits, as with CIDR notation. For example, 00:11:22:33:44:00/40 indicates that the port allows devices whose MAC address matches the first 5 groups of hexadecimal digits (the first 40 bits) to access the network.
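The mask notation from the examples above and the six input formats listed for the “MAC Address” field, worked through as an added Python example that is not the switch vendor's own code: it normalises an address, expands an entry with a /mask into the range the dialog describes, and evaluates a received source MAC against the “Allowed MAC Addresses” list and the configured “Action”. All function names are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

def normalize_mac(text: str) -> int:
    """Accept the six "MAC Address" input formats and return the 48-bit value."""
    digits = re.sub(r"[\s:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {text!r}")
    value = int(digits, 16)
    if (value >> 40) & 1:  # I/G bit set: group address, not a valid unicast entry
        raise ValueError(f"not a unicast MAC address: {text!r}")
    return value

def fmt_mac(value: int) -> str:
    return ":".join(f"{(value >> s) & 0xFF:02X}" for s in range(40, -1, -8))

def parse_allowed(field: str) -> List[Tuple[int, int]]:
    """Parse the "Allowed MAC Addresses" field (entries separated by a space, so the
    space-separated MAC format is not usable here) into (address, relevant_bits)."""
    allowed = []
    for entry in field.split():
        mac, _, bits = entry.partition("/")
        relevant = int(bits) if bits else 48          # no mask: all 48 bits relevant
        if not 1 <= relevant <= 48:                   # page states 2..47 and 1..48
            raise ValueError(f"mask out of range: {entry!r}")
        allowed.append((normalize_mac(mac), relevant))
    return allowed

def mac_range(address: int, relevant: int) -> Tuple[str, str]:
    """First and last address covered by an entry, e.g. /40 leaves the last octet free."""
    host_mask = (1 << (48 - relevant)) - 1
    first = address & ~host_mask
    return fmt_mac(first), fmt_mac(first | host_mask)

def is_allowed(source_mac: str, allowed: List[Tuple[int, int]]) -> bool:
    if not allowed:                                   # no entry: any device may communicate
        return True
    src = normalize_mac(source_mac)
    return any(src >> (48 - n) == address >> (48 - n) for address, n in allowed)

def port_status(source_mac: str, allowed: List[Tuple[int, int]], action: str) -> Tuple[str, Optional[str]]:
    """Resulting "Port Status" and alarm for one received frame, per the port table."""
    if is_allowed(source_mac, allowed) or action == "none":
        return "enabled", None
    if action == "trapOnly":
        return "enabled", "trap"
    if action == "portDisable":
        return "disabled", "trap"
    raise ValueError(f"unknown action: {action!r}")
```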

“Add”

Transfers the values specified in the “MAC Address” fields to the “Allowed MAC Addresses” field.

“Remove”

Removes the entries selected in the “Allowed MAC Addresses” field.

Tab. Wizard in the Security:Port Security dialog, “Addresses” page


Wizard – Action

This dialog defines the actions that the device performs in the event of unauthorized access to the port.

Name

Meaning

Action

Action performed by the device after an unauthorized access:

Possible values:

  • none

    The port continues to forward traffic without notification of the intrusion.

  • trapOnly

    The device sends a trap to the active management terminal.

  • portDisable

    The device disables the port with the corresponding entry in the port configuration table and sends a trap to the active management terminal.

Tab. Wizard in the Security:Port Security dialog, “Action” page

After closing the Wizard, click “Set” to save your settings.

Note: Prerequisites for the device to be able to send an alarm (trap): See Alarms (Traps).

Buttons

Button

Meaning

“Back”

Displays the previous page again. Changes are lost.

“Next”

Saves the changes and opens the next page.

“Finish”

Saves the changes and completes the configuration.

“Cancel”

Closes the Wizard. Changes are lost.

Tab. Buttons