Port Security Management
Operation Procedure
- Select the Resource tab.
- Select the device to be managed from the device list to enter the Device Details page.
- Click Port Security Management in the Device Management list.
Parameter Description
Global Security Parameters Information
- Global Control Status: It can be Enabled or Disabled, indicating that the port security attribute is enabled or disabled respectively. If the port security attribute is enabled, the various security configurations are checked and loaded. If it is disabled, the security configurations are reset to their default values and the port remains in its normal status. You can still configure the various attributes, but the configuration does not take effect.
- Ralm Hold Off Time: The interval between two MAC address authentications, in the range of 1 second to 1,000,000 seconds. The default value is 60 seconds.
- Ralm Authenticate Mode: The MAC address authentication mode, either PapUsernameAsMacAddress or PapUsernameFixed. If PapUsernameAsMacAddress is adopted, the username and password used for authentication are both the MAC address. If PapUsernameFixed is adopted, the username and password used for authentication are taken from Ralm Authenticate User Name and Ralm Authenticate Password. The MAC address is carried in the calling-station-id attribute of the RADIUS packets.
- Ralm Authenticate User Name: A character string of no more than 80 characters. If Ralm Authenticate Mode is set to PapUsernameFixed, this fixed username is used for authentication.
- Ralm Authenticate Password: A character string of no more than 16 characters. If Ralm Authenticate Mode is set to PapUsernameFixed, this fixed password is used for authentication.
- Ralm Authenticate Domain: The domain of all MAC-authentication users. It is a character string of no more than 24 characters.
- Ralm Offline Time: The offline-detect timer interval, in the range of 1 to 65535 seconds. The default value is 300 seconds.
- Server Timeout Time: The server-timeout timer interval, in the range of 1 to 65535 seconds. The default value is 100 seconds.
- Global MAC Authentication: Controls the system-wide operation of MAC authentication. The system-wide MAC authentication options become non-operational when this attribute is set to Disabled.
Port Security Address Information
- 1. Port Security Mode: Indicates the security mode of the port. The values and their descriptions are as follows:
- NoRestrictions: The security and learning functions of the port are disabled.
- ContinuousLearning: The port can learn MAC addresses. This value is not supported currently.
- AutoLearn: The port changes into the Secure status after it learns a certain number of MAC addresses.
- Secure: MAC address learning is disabled.
- UserLogin: A packet must pass 802.1x authentication before it can pass the port. Once the authentication succeeds, the port is enabled, and thereafter packets with any MAC address can pass the port.
- UserLoginSecure: A packet must pass 802.1x authentication before it can pass the port. After the authentication succeeds, the port is enabled, but thereafter packets still need to pass authentication before they can pass the port. Only one authenticated user can pass the port at a time.
- UserLoginWithOUI: Similar to UserLoginSecure, except that, besides the one packet that passes 802.1x authentication, another packet with a MAC address matching the OUI can also pass the port at the same time if it passes 802.1x authentication.
- MacAddressWithRadius: Equivalent to MAC address authentication.
- MacAddressOrUserLoginSecure: MacAddressWithRadius authentication can coexist with 802.1x authentication. The priority of 802.1x authentication is higher than that of MacAddressWithRadius authentication.
- MacAddressElseUserLoginSecure: MacAddressWithRadius authentication is performed first. If it fails, 802.1x authentication is used; if it succeeds, 802.1x authentication is not used.
- UserLoginSecureExt: The port performs 802.1X authentication of users in MAC-based mode and supports multiple 802.1X users.
- MacAddressOrUserLoginSecureExt: Similar to MacAddressOrUserLoginSecure, except that it supports multiple 802.1X and MAC authentication users on the port.
- MacAddressElseUserLoginSecureExt: Similar to MacAddressElseUserLoginSecure, except that it supports multiple 802.1X and MAC authentication users on the port.
- Take the 5500 for example. Its 802.1x authentication supports multiple users on one port, so the extended modes UserLoginSecureExt, MacAddressOrUserLoginSecureExt and MacAddressElseUserLoginSecureExt are available. If a large number of users are online after successful authentication, these users must be cut off before the status of the port can change, and the status changes only after all users are cut off, which may take a relatively long time. Therefore, when changing the security status of the port, first change the current status to NoRestrictions; after that change succeeds, you can configure the status of the port to other values.
- 2. Need to Know Mode
- NotAvailable: The lower layer does not support this feature.
- Disabled: The feature is disabled although the lower layer supports it.
- NeedToKnowOnly: Only packets with authenticated MAC addresses can be sent from the port successfully.
- NeedToKnowWithBroadcastsAllowed: Similar to NeedToKnowOnly, but broadcast packets can also be sent successfully.
- NeedToKnowWithMulticastsAllowed: Similar to NeedToKnowOnly, but broadcast and multicast packets can also be sent successfully.
- NotAvailablePermanentNeedToKnowOnly: Similar to NeedToKnowOnly. It is controlled by the lower layer hardware and cannot be configured or modified by users.
- PermanentNeedToKnowWithBroadcastsAllowed: Similar to NeedToKnowWithBroadcastsAllowed. It is controlled by the lower layer hardware and cannot be configured or modified by users.
- PermanentNeedToKnowWithMulticastsAllowed: Similar to NeedToKnowWithMulticastsAllowed. It is controlled by the lower layer hardware and cannot be configured or modified by users.
- 3. Action Mode: The port can take the following actions when it detects that the source MAC address of a packet is not authenticated:
- NotAvailable: The device does not support this function.
- NoAction: The lower layer supports this feature, but it is not enabled; only trap messages are sent.
- DisablePort: The port is disabled and trap messages are sent when the intrusion of illegal packets is detected.
- DisablePortTemporarily: The port is disabled and trap messages are sent when illegal packets are detected; the port is re-enabled 20 seconds after it is disabled.
- AllowDefaultAccess: Default access is allowed.
- BlockMacAddress: Packets with this MAC address are filtered and trap messages are sent. The 4400 and 4200 do not support this function.
- 4. Max Learnable Addresses: The maximum number of MAC addresses that can be learned and stored by the port. This number does not include the static addresses configured manually by the administrator, which are not restricted by it.
- 5. Current Stored Address: The number of MAC addresses learned and stored by the port. The count does not include the static addresses configured manually by the administrator, which are not restricted by this number. Take the 5500 for example. The number depends on the status of the port as follows:
- If the status of the port is NoRestrictions, no statistics are kept.
- If the status of the port is AutoLearn or Secure, the number is the number of addresses currently learned by the port, excluding the static addresses configured manually by users.
- If the status of the port is UserLogin or UserLoginSecure, the number is the number of MAC addresses that have passed authentication. Its maximum value is 1.
- If the status of the port is UserLoginWithOUI, the number counts only the MAC addresses that have passed 802.1x authentication. Its maximum value is 1.
- If the status of the port is MacAddressWithRadius, MacAddressOrUserLoginSecure, MacAddressElseUserLoginSecure, UserLoginSecureExt, MacAddressOrUserLoginSecureExt or MacAddressElseUserLoginSecureExt, the number is the number of MAC addresses that have passed authentication, including both MAC authentication and 802.1x authentication.
- 6. Max Available Number: The largest value that can be set for Max Learnable Addresses. By default, it is the maximum number of MAC addresses supported by the system.
- Click Modify to re-configure the parameters of this port, such as Port Security Mode, Need to Know Mode, Action Mode and Max Learnable Addresses.
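As an added illustration (not code from the management system or the switch), the following Python model exercises the port settings described above: AutoLearn learning source addresses until it turns Secure, Need to Know filtering on egress, the Action Mode response to an unauthenticated source MAC, and the Current Stored Address count, which excludes static addresses. Two points are assumptions rather than statements on this page: that the "certain number" at which AutoLearn becomes Secure is Max Learnable Addresses, and that a frame from an unauthenticated source is itself dropped. The class, its methods and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class SecurityMode(Enum):
    NO_RESTRICTIONS = "NoRestrictions"
    AUTO_LEARN = "AutoLearn"
    SECURE = "Secure"


class NtkMode(Enum):
    DISABLED = "Disabled"
    ONLY = "NeedToKnowOnly"
    WITH_BROADCASTS = "NeedToKnowWithBroadcastsAllowed"
    WITH_MULTICASTS = "NeedToKnowWithMulticastsAllowed"


class ActionMode(Enum):
    NO_ACTION = "NoAction"
    DISABLE_PORT = "DisablePort"
    DISABLE_PORT_TEMPORARILY = "DisablePortTemporarily"
    BLOCK_MAC_ADDRESS = "BlockMacAddress"


TEMP_DISABLE_SECONDS = 20  # DisablePortTemporarily re-enables the port after 20 s


@dataclass
class SecurePort:
    """Constructed model of one port; not the switch's implementation."""
    mode: SecurityMode
    ntk: NtkMode = NtkMode.DISABLED
    action: ActionMode = ActionMode.NO_ACTION
    max_learnable: int = 2                              # Max Learnable Addresses
    static_macs: frozenset = frozenset()                # configured by the administrator
    learned: Set[str] = field(default_factory=set)      # dynamically learned addresses
    blocked: Set[str] = field(default_factory=set)      # addresses hit by BlockMacAddress
    disabled_at: Optional[float] = None                 # when DisablePort* took effect
    traps: List[Tuple[float, str, str]] = field(default_factory=list)

    def current_stored(self) -> int:
        # Current Stored Address: learned addresses only, static ones are not counted.
        return len(self.learned)

    def _known(self, mac: str) -> bool:
        return mac in self.static_macs or mac in self.learned

    def is_enabled(self, now: float) -> bool:
        if self.disabled_at is None:
            return True
        if (self.action is ActionMode.DISABLE_PORT_TEMPORARILY
                and now - self.disabled_at >= TEMP_DISABLE_SECONDS):
            self.disabled_at = None  # port comes back 20 s after it was disabled
            return True
        return False

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if not self.is_enabled(now):
            return "drop"
        if self.mode is SecurityMode.NO_RESTRICTIONS or self._known(src_mac):
            return "forward"
        if src_mac in self.blocked:
            return "drop"
        if self.mode is SecurityMode.AUTO_LEARN and len(self.learned) < self.max_learnable:
            self.learned.add(src_mac)
            # Assumption: AutoLearn turns Secure once Max Learnable Addresses is reached.
            if len(self.learned) == self.max_learnable:
                self.mode = SecurityMode.SECURE
            return "forward"
        return self._intrusion(src_mac, now)  # Secure: learning is disabled

    def _intrusion(self, src_mac: str, now: float) -> str:
        # Every Action Mode on the page sends a trap; the extra response differs.
        self.traps.append((now, src_mac, self.action.value))
        if self.action in (ActionMode.DISABLE_PORT, ActionMode.DISABLE_PORT_TEMPORARILY):
            self.disabled_at = now
        elif self.action is ActionMode.BLOCK_MAC_ADDRESS:
            self.blocked.add(src_mac)
        return "drop"  # assumption: the unauthenticated frame is not forwarded

    def egress(self, dst_mac: str, kind: str = "unicast") -> str:
        """Need to Know filtering for a frame leaving the port (unicast/broadcast/multicast)."""
        if self.ntk is NtkMode.DISABLED:
            return "forward"
        if kind == "unicast":
            return "forward" if self._known(dst_mac) else "drop"
        if kind == "broadcast":
            return "forward" if self.ntk in (NtkMode.WITH_BROADCASTS, NtkMode.WITH_MULTICASTS) else "drop"
        return "forward" if self.ntk is NtkMode.WITH_MULTICASTS else "drop"


def demo() -> dict:
    """Constructed walkthrough: AutoLearn fills up, turns Secure, then an intruder is blocked."""
    port = SecurePort(SecurityMode.AUTO_LEARN, NtkMode.WITH_BROADCASTS,
                      ActionMode.BLOCK_MAC_ADDRESS, max_learnable=2,
                      static_macs=frozenset({"00:11:22:33:44:01"}))
    events = [port.ingress(m) for m in
              ("00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc")]
    return {
        "ingress": events,                                   # ['forward', 'forward', 'drop']
        "mode_after": port.mode.value,                       # 'Secure'
        "stored": port.current_stored(),                     # 2, static address not counted
        "traps": len(port.traps),                            # 1
        "blocked_again": port.ingress("00:11:22:33:44:cc"),  # 'drop', no new trap
        "egress_known": port.egress("00:11:22:33:44:01"),    # 'forward'
        "egress_unknown": port.egress("00:11:22:33:44:ff"),  # 'drop'
        "egress_bcast": port.egress("ff:ff:ff:ff:ff:ff", "broadcast"),   # 'forward'
        "egress_mcast": port.egress("01:00:5e:00:00:01", "multicast"),   # 'drop'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walkthrough mirrors the page's counting rule: after two dynamic addresses are learned the port reports a Current Stored Address of 2 even though a third, static address is also allowed through, and the third dynamic source generates exactly one trap and is filtered from then on.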
OUI Information
- Port Security Address Information stores the value of the Organizationally Unique Identifier (OUI).
Port Assign Information
- The [Port Assign Information] tab displays the information of the Port Assign parameters. Click Modify, and then you can configure the parameters in the [Configuring Global Parameters] dialog box that appears.
Precautions
Some devices, such as the 3Com SuperStack 3 Switch 4400 and 4200, only support Port Security Parameters Information.