Secure port/static port overview
When multiple hosts connect to the same port on a device or you do not have a Dead End VLAN it can be difficult to disable individual hosts. Filtering for a particular physical or MAC address is one option for disabling a host. Options vary depending on the capabilities of the device to which these hosts are connected.
If the device supports either secure ports or static ports, you can designate a secure/static port which becomes the equivalent of a Dead End VLAN. When a host is disabled either manually or by an alarm action, a message is sent to the device indicating that this MAC address has been disabled. The MAC address is placed in a list on the device which indicates it only has permission to use the port designated as secure or static. If the host connects on any other port, it cannot access anything.
Make sure that the port designated as static or secure is not accessible. If a disabled host were to connect to that port, it would have network access.
To use this feature you must configure the following:
FortiNAC
- In the Model Configuration for the device you must enable secure ports. See Model configuration for instructions and Settings.
- When secure ports has been enabled, you must designate a port on the device as the secure or static port.
- This device must belong to the Physical Address Filtering group. This group is a default system group and should already exist. See Modify a group for instructions on adding the device to the group.
- Membership in the Physical Address Filtering group may cause VLAN switching to occur. See Modify a group.
Device
The device itself may or may not require any additional configuration.
- Alcatel: Alcatel switches do not require any special configuration in order to support Physical Address Filtering.
- 3Com, Cisco, Vertical Horizon: FortiNAC requires a secure port for each VLAN that is expected to participate in disabling hosts by physical address. Define Cisco and Vertical Horizon secure ports outside of FortiNAC through their respective command line interfaces or local management. Configure secure ports on 3Com switches by selecting Secure Port Management from the device-specific pull-down in the Inventory.
- Enterasys: Enterasys switches do not require any special configuration in order to support Physical Address Filtering.
- HP: HP switches currently do not support Physical Address Filtering.
- Nortel: Nortel switches do not require any special configuration in order to support Physical Address Filtering.
Disable Hosts
- Hosts can be disabled manually from the Host View. See Enable or disable hosts.
-
Hosts can also be disabled when an event is generated that triggers an alarm. The alarm must be configured to perform an alarm action that disables the host. For more information on alarm actions, see Add or modify alarm mapping.
If you delete a disabled host, the entry for that host's MAC address remains on the switch as disabled. Another user logging in through that host will not be able to access the switch. Be sure to enable the host before you delete it.
Example of host MAC addresses on a secure port
When the secure or static ports feature is used, the MAC addresses of disabled hosts are sent to the device. The device stores these MAC addresses in a list.
The list shown below displays all disabled hosts written to port12 (secure port) on a Cisco 2950 switch.
sw_chellis_24#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------
Fa0/12 120 3 0 Shutdown
--------------------------------------------------------------
Total Addresses in System : 3
Max Addresses limit in System : 1024
sw_chellis_24#show port-security address
Secure Mac Address Table
---------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
20 0004.2353.2d19 SecureConfigured Fa0/12 -
20 0009.5b83.e74c SecureConfigured Fa0/12 -
20 0009.5b89.0379 SecureConfigured Fa0/12 -
---------------------------------------------------------------
Total Addresses in System : 3
Max Addresses limit in System : 1024
Secure port management
This option is not available for all devices. If the device supports Secure Ports the option appears in the right-click menu for the device.
- Click Network > Inventory.
- Right-click on the device and click Secure Port Management.
- Click Add.
- Click the port to be set as the secure port on the device.
- Select the Group of hosts that will be given permission for this port if they are disabled.
- Click Add.
- The port and group are displayed in the Secure Port Management list.
Static port configuration
This option is not available for all devices. If the device supports Static Ports the option appears in the right-click menu for the device.
- Click Network > Inventory.
- Right-click on the device and click Static Port Configuration.
- Click the port to be set as the static port on the device.
- To Add, select Add Static Port from the drop-down menu.
- To Remove, select Remove Static Port from the drop-down menu.
- Click Apply.