Chapter 22: client security commands, Port security commands, Table 22-1 – Edge Products ES3528-WDM User Manual

22-1

Chapter 22: Client Security Commands

This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses (either by freezing a set of dynamically
learned entries or through static configuration), or by statically configured MAC/IP
address pairs. The addresses assigned to DHCP clients can also be carefully
controlled using static or dynamic bindings with the IP Source Guard and DHCP
Snooping commands.

Port Security Commands

These commands can be used to enable port security on a port. When using port
security, the switch stops learning new MAC addresses on the specified port when it
has reached a configured maximum number. Only incoming traffic with source
addresses already stored in the dynamic or static address table for this port will be
authorized to access the network. The port will drop any incoming frames with a
source MAC address that is unknown or has been previously learned from another
port. If a device with an unauthorized MAC address attempts to use the switch port,
the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.

Table 22-1 Client Security Commands

Command Group

Function

Page

Private VLANs

Configures private VLANs, including uplink and downlink ports

30-14

Port Authentication

Configures host authentication on specific ports using 802.1X

21-24

Port Security

*

* The priority of execution for these filtering commands is Port Security, IP Source Guard, and then DHCP Snooping.

Configures secure addresses for a port

22-1

IP Source Guard

*

Filters IP traffic on unsecure ports for which the source address

cannot be identified via DHCP snooping nor static source bindings

22-3

DHCP Snooping

*

Filters untrusted DHCP messages on unsecure ports by building

and maintaining a DHCP snooping binding table

22-7

Table 22-2 Port Security Commands

Command

Function

Mode

Page

port security

Configures a secure port

IC

22-2

mac-address-table static

Maps a static address to a port in a VLAN

GC

28-1

show mac-address-table

Displays entries in the bridge-forwarding database

PE

28-3