Administration Guide

7.2.0

Secure port/static port overview

When multiple hosts connect to the same port on a device, or you do not have a Dead End VLAN, it can be difficult to disable individual hosts. Filtering on a particular physical (MAC) address is one option for disabling a host. Options vary depending on the capabilities of the device to which these hosts are connected.

If the device supports either secure ports or static ports, you can designate a secure/static port that becomes the equivalent of a Dead End VLAN. When a host is disabled, either manually or by an alarm action, a message is sent to the device indicating that the host's MAC address has been disabled. The MAC address is placed in a list on the device, which grants it permission to use only the port designated as secure or static. If the host connects on any other port, it cannot access anything.

Make sure that the port designated as static or secure is not accessible. If a disabled host were to connect to that port, it would have network access.

To use this feature you must configure the following:

FortiNAC
  • In the Model Configuration for the device you must enable secure ports. See Model configuration for instructions and Settings.
  • When secure ports have been enabled, you must designate a port on the device as the secure or static port.
  • This device must belong to the Physical Address Filtering group. This group is a default system group and should already exist. See Modify a group for instructions on adding the device to the group.
  • Membership in the Physical Address Filtering group may cause VLAN switching to occur. See Modify a group.

Device

The device itself may or may not require any additional configuration.

  • Alcatel: Alcatel switches do not require any special configuration in order to support Physical Address Filtering.
  • 3Com, Cisco, Vertical Horizon: FortiNAC requires a secure port for each VLAN that is expected to participate in disabling hosts by physical address. Define Cisco and Vertical Horizon secure ports outside of FortiNAC through their respective command line interfaces or local management. Configure secure ports on 3Com switches by selecting Secure Port Management from the device-specific pull-down in the Inventory.
  • Enterasys: Enterasys switches do not require any special configuration in order to support Physical Address Filtering.
  • HP: HP switches currently do not support Physical Address Filtering.
  • Nortel: Nortel switches do not require any special configuration in order to support Physical Address Filtering.

Disable Hosts
  • Hosts can be disabled manually from the Host View. See Enable or disable hosts.
  • Hosts can also be disabled when an event is generated that triggers an alarm. The alarm must be configured to perform an alarm action that disables the host. For more information on alarm actions, see Add or modify alarm mapping.

    Note

    If you delete a disabled host, the entry for that host's MAC address remains on the switch as disabled. Another user logging in through that host will not be able to access the switch. Be sure to enable the host before you delete it.

Example of host MAC addresses on a secure port

When the secure or static ports feature is used, the MAC addresses of disabled hosts are sent to the device. The device stores these MAC addresses in a list.

The listing below shows all disabled hosts written to port 12 (Fa0/12, the secure port) on a Cisco 2950 switch.

sw_chellis_24#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12            120            3                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 3
Max Addresses limit in System : 1024

sw_chellis_24#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  20    0004.2353.2d19    SecureConfigured    Fa0/12        -
  20    0009.5b83.e74c    SecureConfigured    Fa0/12        -
  20    0009.5b89.0379    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System : 3
Max Addresses limit in System : 1024
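As an added audit check (example code, not part of the FortiNAC documentation or product), the Python below parses "show port-security address" output like the listing above and cross-checks it against the MAC addresses FortiNAC has disabled: it reports addresses that never reached the switch, entries bound to a port other than the designated secure port, and stale entries left behind by deleted hosts (the situation the Note above describes). The sample output, the extra Fa0/3 row and the disabled-MAC list are constructed for the example.

```python
import re

# Constructed sample: the page's "show port-security address" listing plus one
# extra row (00aa.bbcc.ddee on Fa0/3) to show an entry bound to the wrong port.
SHOW_PORT_SECURITY_ADDRESS = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  20    0004.2353.2d19    SecureConfigured    Fa0/12        -
  20    0009.5b83.e74c    SecureConfigured    Fa0/12        -
  20    0009.5b89.0379    SecureConfigured    Fa0/12        -
  20    00aa.bbcc.ddee    SecureConfigured    Fa0/3         -
-------------------------------------------------------------------
Total Addresses in System : 4
Max Addresses limit in System : 1024
"""

# One address row: VLAN, Cisco dotted MAC, type, port (remaining age ignored).
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def normalize_mac(mac):
    """Cisco dotted (0004.2353.2d19) or colon form -> 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_secure_addresses(text):
    """Return [(vlan, mac, type, port)] for every address row in the output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), normalize_mac(mac), kind, port))
    return rows

def audit(show_output, disabled_macs, secure_port):
    """Cross-check the switch list against the MACs FortiNAC has disabled.
    missing: disabled in FortiNAC but never written to the switch
    stale: on the switch but not disabled in FortiNAC (e.g. a deleted host)
    wrong_port: bound to a port other than the designated secure port"""
    want = {normalize_mac(m) for m in disabled_macs}
    rows = parse_secure_addresses(show_output)
    on_switch = {mac for _, mac, _, _ in rows}
    return {
        "missing": sorted(want - on_switch),
        "stale": sorted(on_switch - want),
        "wrong_port": sorted(mac for _, mac, _, port in rows if port != secure_port),
    }
```

Feed it the real command output captured from the switch and the disabled-host list exported from the Host View; anything in "stale" or "wrong_port" is an entry to clean up on the switch before the secure port is relied on.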

Secure port management

This option is not available for all devices. If the device supports Secure Ports, the option appears in the right-click menu for the device.

  1. Click Network > Inventory.
  2. Right-click on the device and click Secure Port Management.
  3. Click Add.
  4. Click the port to be set as the secure port on the device.
  5. Select the Group of hosts that will be given permission for this port if they are disabled.
  6. Click Add.
  7. The port and group are displayed in the Secure Port Management list.

Static port configuration

This option is not available for all devices. If the device supports Static Ports, the option appears in the right-click menu for the device.

  1. Click Network > Inventory.
  2. Right-click on the device and click Static Port Configuration.
  3. Click the port to be set as the static port on the device.
  4. To Add, select Add Static Port from the drop-down menu.
  5. To Remove, select Remove Static Port from the drop-down menu.
  6. Click Apply.
