2.6. Ensuring only known devices can use a network
Configuration of protection by the switch is via its Security tab.
With respect to the GS724Tv4 switch:
• Actions are implemented by rules
• A rule can either allow an incoming network packet access or deny access to a device
• Rules are executed in the numerical order of the order number assigned when the rule was created, until one is satisfied
• Rules can be based either on IP address or device MAC address
• Every rule can only perform one action
• A rule is either IP-address or MAC-address directed
When security is configured on the switch, each network packet arriving at the switch is checked against the rules. If the packet matches a rule, the action associated with the rule is performed. If not, then the next rule is checked. If no match is obtained, the packet is discarded by the switch.
Important to remember: Switch based network security is device centred. A device has a MAC address and an IP address, and it is those addresses which the switch uses to implement security. If a user can access the device, then that user can use the security assigned to the device.
Each security rule is implemented through an ACL (Access Control List). Each ACL is given an action, and a name, ID, match criteria, destination and mask address when it is created. This ACL is linked to one or more ports on the switch and the VLANs on which the port or ports reside, i.e. each ACL is bound to one or more ports. This binding is done after creation of the ACL.
When an ACL is applied to a port on a VLAN, that port is automatically denied access to all other devices connected to that VLAN. So if a port is to only access one device, the ACL should indicate the address of that device with the action of permit.
The starting point with each alternative was the switch configured to provide the network shown in Figure 2.5. The VLAN was named VLAN-FRED and its ID was set to 12. In that configuration PC1 and PC 2 were verified to ping the NAS and printer using their IP addresses.
2.6.3 Implementation Alternative 1
The ACL Wizard alternative uses defaults supplied by the switch. It was invoked by using the switch menu sequence: Security → ACL, which resulted in the ACL Wizard screen. From the ACL Type pull down menu, ACL Based on Destination MAC was selected (this was the default on the menu). In the table titled ACL Based on Destination MAC, the value 2 was typed into the Rule ID window, from the Action pull down menu Permit was selected, and False from the Every Match pull down menu. Then the address d0:bf:9c:bd:4b:4d was typed into the Destination MAC window and 00:00:00:00:00:00 into the Destination MAC Mask window. Finally the value 12 was entered into the VLAN window. This had set up the ACL for accessing the printer.
Under the Binding Configuration part of the ACL Wizard screen, the Unit 1 label was clicked. Since the device at port 7 (PC 2) was to access the printer, the small box under port 7 was clicked, which produced a tick mark in that box. The configuration of this ACL and assigning it to a port was then complete, so the ADD button at the bottom of the screen was clicked to activate that ACL.
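The rule evaluation described in section 2.6 (rules tried in Rule ID order, first match decides, unmatched packets discarded) and the Rule 2 entry created above can be modelled in a few lines. The following Python is an added example, not part of the original document or of the switch's firmware; it assumes the Destination MAC Mask works as a wildcard mask (a 1 bit means "don't care"), which is consistent with the all-zero mask above selecting exactly one printer. The second rule set is constructed to show a broad rule shadowing a later, narrower one.

```python
from __future__ import annotations
from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    return int(mac.replace(":", ""), 16)


@dataclass
class MacRule:
    rule_id: int    # rules are tried in ascending Rule ID order
    action: str     # "permit" or "deny": one action per rule
    dst_mac: str    # Destination MAC the rule is directed at
    dst_mask: str   # Destination MAC Mask; assumed wildcard semantics:
                    # a 1 bit is "don't care", so all zeros means exact match

    def matches(self, frame_dst_mac: str) -> bool:
        care = ~mac_to_int(self.dst_mask) & MAC_BITS
        return (mac_to_int(frame_dst_mac) & care) == (mac_to_int(self.dst_mac) & care)


def evaluate(rules: list[MacRule], frame_dst_mac: str) -> str:
    """First matching rule decides; with no match the switch discards the frame."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(frame_dst_mac):
            return rule.action
    return "deny"   # implicit deny at the end of every ACL


# Rule 2 is the one from the text: permit frames to the printer, exact match.
PRINTER_ONLY = [MacRule(2, "permit", "d0:bf:9c:bd:4b:4d", "00:00:00:00:00:00")]

# Constructed to show why order matters: rule 1 permits every address with the
# printer's vendor prefix (mask ignores the low 24 bits), so rule 3's deny of
# one address inside that range can never be reached.
SHADOWED = [
    MacRule(3, "deny", "d0:bf:9c:00:00:01", "00:00:00:00:00:00"),
    MacRule(1, "permit", "d0:bf:9c:00:00:00", "00:00:00:ff:ff:ff"),
]


def shadowed_rules(rules: list[MacRule]) -> list[int]:
    """IDs of exact-match rules that an earlier, broader rule already covers."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    return [r.rule_id for i, r in enumerate(ordered)
            if mac_to_int(r.dst_mask) == 0
            and any(e.matches(r.dst_mac) for e in ordered[:i])]


if __name__ == "__main__":
    print(evaluate(PRINTER_ONLY, "d0:bf:9c:bd:4b:4d"))   # permit
    print(evaluate(PRINTER_ONLY, "d0:bf:9c:bd:4b:4e"))   # deny (no rule matched)
    print(shadowed_rules(SHADOWED))                      # [3]
```

Running `shadowed_rules` over a planned rule set before binding it to a port catches the ordering mistake that would otherwise leave a deny rule silently ineffective.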