
Has anybody here used the Netgear GS752TXS (52-port stackable smart switch with 10GE uplink) with port security active?

I would like to activate port security on specific ports to allow only one specific device (MAC) on each such port. That's what I understand by "port security" here, and it should be possible with this device, according to the documentation.

If I activate port security, I have two options: lock down the number of dynamically learned addresses, or the number of statically learned addresses. Locking dynamically learned addresses makes nearly no sense. It's possible to prevent somebody from plugging a switch in between, but that's it. The problem with dynamically learned addresses is that all dynamic entries age out (default 300 s, then they are renewed or lost), AND if you plug the device into another port, the entry is updated to the other port and the entry on the old port is lost. So limiting the dynamic entries on a specific port to "1" does not help here, since if somebody plugs their device into another port, the "locked" port is free for reassignment :-(

The problem with "static assignment": if you assign a MAC address to the port statically, it works at first; the port won't accept another MAC/device.

BUT the device also cannot be plugged into another port! It's limited to this specific port. That's not exactly what I want... :-(

I really would like to have some ports accept just specific MACs and some ports support multiple devices (like meeting rooms etc.).

Does anybody know if that's possible with this device?

Another good thing would be the possibility to specify a list of allowed MAC addresses for the whole switch and block all others... but I don't think this is possible...

cljk

1 Answer

I went through the Netgear GS752TXS Software Administration Manual, and what you are looking for is on pages 220-223.

You said you want "to activate port security on specific ports to allow only one specific device (MAC) on this port."

Specifically the steps to do this are provided on page 221.

  1. Click Security
  2. Click Traffic Control
  3. Click Port Security
  4. Click Port Security Configuration
  5. Select Enable
  6. Click Apply
  7. Click Interface Configuration
  8. Select the ports you want to enable port security on
  9. Select Enable in the Port Security field
  10. Set Max Allowed Dynamically Learned MAC to 0 (according to the manual, this effectively disables dynamic learning of MAC addresses)
  11. Set Max Allowed Statically Locked MAC to the number of MAC addresses that will be connected to this port.
  12. Set Enable Violation Traps to Yes

I need to stop and emphasize a point here. If you are plugging an unmanaged switch into a port on which you are using port security (not recommended), then you need to allow the MAC address of each device that will be connected to that unmanaged switch.

You will need to specify which MAC addresses are permitted for each port that you are enabling port security on.

If you have a computer that is running a VM, and the VM is configured to connect to the network via bridged mode, then you must also include the MAC of the VM in your port security configuration on the physical port that the host is connected to. If you do not, port security will shut down traffic for both MACs on that port.

user5870571
  • This is what I did, as written. But then the device statically enabled on a specific port cannot be plugged into another port, because the MAC is written into the static ARP routing table. I think there is no solution... – cljk Mar 07 '16 at 07:20
  • That is what it is supposed to do. – user5870571 Mar 07 '16 at 11:53
  • No, what it is supposed to do in my view is to lock down the one port to one MAC address... but allow the MAC address to also connect to other ports... otherwise it's useless for me, and it works differently on Cisco switches, for example. – cljk Mar 07 '16 at 13:01
  • Unfortunately, that is not how port security often works. The idea is that it not only ties a MAC to a port but also keeps the user of that MAC from changing which port they are plugged into, thereby circumventing whatever you put in place that required their MAC address to be associated with a specific port. Different brands implement port security differently, but from my understanding of the Netgear documentation this is the intended behavior. – user5870571 Mar 07 '16 at 13:05
  • I do see that what you are describing should work on Cisco devices, because what you are describing is using a secure MAC on a non-secure port. That appears to work on Cisco devices, but it may not on Netgear. If that is what you are trying to do, I would ask what you are trying to accomplish. Why do you need to be able to move a secure MAC from a secure port to a non-secure port? – user5870571 Mar 07 '16 at 16:54
  • I want to lock down our network to specific MACs overall. One idea was to lock down each user port to their specific device, but allow them to use their devices in meeting rooms as well. Since this won't work as expected, I'll give 802.1X a try... never done that before, but it seems to be quite easy since we already have a RADIUS server. – cljk Mar 09 '16 at 08:44
  • Have you considered using ACLs by MAC instead of port security? Your Netgear switch supports that. – user5870571 Mar 09 '16 at 11:21
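The two failure modes argued about above (a dynamic limit of 1 that frees the port as soon as the entry ages out or moves, and a static lock that blocks the same MAC on every other port) can be reproduced with a small model of the switch's MAC table. The following is an added example written for this page, not Netgear code and not taken from the manual the answer cites; it models the learning, aging and move behaviour exactly as the question describes it, the two per-port limits from the answer's steps 10 and 11, and the "static MAC is dropped on any other port" behaviour reported in the comments. The MAC addresses, port numbers and the 300 s aging value are constructed inputs for the scenarios.

```python
"""Toy model of dynamic vs. static port security as described in the thread.

Constructed example (not vendor code). Modelling assumptions, taken from the
question and the comments: dynamic entries age out after AGING_SECONDS and are
moved to whichever port last saw the MAC; a statically locked MAC is bound to
its port and frames from it arriving on another port are dropped.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300  # default aging time quoted in the question

# Constructed sample addresses for the scenarios below.
USER = "00:11:22:33:44:55"
INTRUDER = "66:77:88:99:aa:bb"


@dataclass
class PortPolicy:
    enabled: bool = False
    max_dynamic: int = 0          # "Max Allowed Dynamically Learned MAC"
    max_static: int = 0           # "Max Allowed Statically Locked MAC"
    static_macs: set = field(default_factory=set)


@dataclass
class Switch:
    policies: dict                                   # port -> PortPolicy
    table: dict = field(default_factory=dict)        # mac -> (port, last_seen, static)
    violations: list = field(default_factory=list)   # (port, mac, reason)

    def __post_init__(self):
        for port, pol in self.policies.items():
            if len(pol.static_macs) > pol.max_static:
                raise ValueError(f"port {port}: more static MACs than max_static")
            for mac in pol.static_macs:
                self.table[mac] = (port, None, True)   # static entries never age

    def _dynamic_on(self, port):
        return [m for m, (p, _, s) in self.table.items() if p == port and not s]

    def age(self, now):
        """Drop dynamic entries not refreshed within the aging time."""
        for mac, (port, seen, static) in list(self.table.items()):
            if not static and now - seen > AGING_SECONDS:
                del self.table[mac]

    def frame(self, port, mac, now):
        """Return True if a frame sourced from `mac` on `port` is forwarded."""
        self.age(now)
        pol = self.policies.get(port, PortPolicy())
        entry = self.table.get(mac)
        if entry and entry[2]:                       # statically locked MAC
            if entry[0] == port:
                return True
            self.violations.append((port, mac, "static MAC seen on another port"))
            return False
        if not pol.enabled:                          # unsecured port: learn/move freely
            self.table[mac] = (port, now, False)
            return True
        if entry and entry[0] == port:               # already learned here: refresh
            self.table[mac] = (port, now, False)
            return True
        if len(self._dynamic_on(port)) < pol.max_dynamic:
            self.table[mac] = (port, now, False)     # learn (moves entry if seen elsewhere)
            return True
        self.violations.append((port, mac, "dynamic limit reached"))
        return False


def scenario_dynamic_limit():
    """Option 1: port 5 limited to one dynamic MAC, port 6 (meeting room) open."""
    sw = Switch({5: PortPolicy(enabled=True, max_dynamic=1)})
    user_on_5 = sw.frame(5, USER, 0)
    intruder_blocked = sw.frame(5, INTRUDER, 10)     # refused while USER occupies the slot
    user_on_6 = sw.frame(6, USER, 20)                # USER moves; entry follows to port 6
    intruder_after_move = sw.frame(5, INTRUDER, 30)  # slot on port 5 is free again
    return user_on_5, intruder_blocked, user_on_6, intruder_after_move


def scenario_aging():
    """Same limit, no move: the entry simply ages out after 300 s."""
    sw = Switch({5: PortPolicy(enabled=True, max_dynamic=1)})
    return sw.frame(5, USER, 0), sw.frame(5, INTRUDER, 400)


def scenario_static_lock():
    """Option 2 (the answer's steps): dynamic=0, USER statically locked to port 5."""
    sw = Switch({5: PortPolicy(enabled=True, max_dynamic=0, max_static=1,
                               static_macs={USER})})
    intruder_on_5 = sw.frame(5, INTRUDER, 0)         # refused: no dynamic slots
    user_on_5 = sw.frame(5, USER, 10)                # allowed on the locked port
    user_on_6 = sw.frame(6, USER, 20)                # dropped: bound to port 5
    return intruder_on_5, user_on_5, user_on_6


if __name__ == "__main__":
    print("dynamic limit:", scenario_dynamic_limit())
    print("aging:       ", scenario_aging())
    print("static lock: ", scenario_static_lock())
```

Running the three scenarios shows the trade-off the thread ends on: the dynamic limit admits the intruder as soon as the legitimate MAC has moved or aged out, while the static lock keeps the intruder out but also refuses the legitimate MAC on the meeting-room port. Neither mode gives "this MAC anywhere, nothing else here", which is the per-user policy that the 802.1X or MAC-ACL suggestions in the comments are aimed at.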