ETHERLINK_IV/V - MAC Filter

Contents
Summary
Acronyms and Terms
1 Background
1.1 MAC Address
1.2 MAC Address Filtering
1.3 MAC Filter Rules
2 Setup Examples
2.1 Adding "White" MAC address
2.2 Changing MACFILTER Rule
2.3 Deleting MAC Address from the MACLIST

Summary
This document describes the MAC Filter option available for Etherlink_IV / AccessMiniLink devices starting from software version 1.4.38.

Acronyms and Terms
Name   Description
TDM    Time Division Multiplexing - a method to share a common transmission medium between several channels
E1     Digital stream according to ITU-T G.703 with a speed of 2048 kbps
IP     Internet Protocol
IPTV   IP Television
RSTP   Rapid Spanning Tree Protocol according to IEEE 802.1D-2004
NMS    Network Management System
CLI    Command Line Interface
SNMP   Simple Network Management Protocol
GUI    Graphical User Interface

S-Access GmbH, Oberhausenstrasse 47, 8907 Wettswil a/A, SWITZERLAND. Tel.: +41-44-700-3111, Email: info@s-access.ch, Web: http://www.s-access.ch. Specification is subject to change without notice.

1 Background

1.1 MAC Address
Unlike legacy TDM-based networks, where both transceivers use a single dedicated channel such as an E1 stream, packet-based networks such as Ethernet share the transmission medium between all connected nodes. Every node may exchange data with any other node or nodes, but on a shared segment only one transmitter may send at a time, otherwise collisions occur. The transmitter splits the data into packets and adds service information to the header of every packet; one of these service fields holds the destination address. Because the medium is common to all connected nodes, every packet is distributed within the broadcast domain and reaches every node, but only the addressee accepts and processes it. Each node compares its own address with the destination address of the received packet and decides whether to accept it or discard it. This address is called the MAC (Media Access Control) address. Three types of MAC addresses exist in Ethernet networks:

Unicast address: the individual address of one Ethernet transceiver. Every network device (PC, server, network camera, router, etc.) has a MAC address "burned" into its network controller at manufacture. It is 6 bytes long and is intended to be globally unique, so no two devices should share one. Note, however, that most network controllers and operating systems allow the burned-in address to be overridden in software; uniqueness is a manufacturing convention, not a property the receiving side can verify.
Multicast address: if the least significant bit of the first byte of the destination MAC address (the bit transmitted first on the wire) is set to 1, the packet can be accepted by several nodes. IPTV, routing protocols and RSTP messages are examples of multicast traffic.

Broadcast address: the destination MAC address FF:FF:FF:FF:FF:FF is the broadcast address. It is accepted and processed by all devices inside the broadcast domain, i.e. the area of network devices (PCs, switches, cameras, controllers, etc.) bounded by the router or routers, with the exception of the node that sent the packet.

NOTE: Multicast and broadcast addresses are virtual. It is prohibited to assign a multicast or broadcast address to any real device.

The MAC address is usually printed on a sticker on the network device, computer or laptop. It may look like xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; network equipment may show it as xxxx.xxxx.xxxx.

Table 1-1 Discovery of MAC Address

OS / Device                      Command                          Output
PC running Microsoft Windows     ipconfig /all                    Physical Address: 24-BE-05-25-B7-43
Linux                            ifconfig                         HWaddr 00:e0:4c:00:7b:94
Etherlink_IV / AccessMiniLink    NETCONFIG                        MAC address : 00:0f:d9:05:3f:8d
AccessMiniLink Switch            show fdb                         000f.d905.f5bc permanent CPU
Unknown device                   ping IP_of_the_device, then      (the PC and the device must be connected
                                 arp -a (Microsoft Windows) or    to the same network and the device IP
                                 arp -n (Linux)                   must be known)

1.2 MAC Address Filtering
As every real device has its own unique MAC address, it is possible to create a list of MAC addresses so that the corresponding devices are granted access to the network while access for all other devices is denied.
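The address formats of Table 1-1 and the unicast/multicast/broadcast distinction of section 1.1 are exactly what has to be checked before an address goes into a MACLIST. The following Python script is an added example and not S-Access code: it normalizes the four formats shown in Table 1-1, classifies each address by its I/G bit, flags locally administered addresses (U/L bit) as possibly software-set, rejects multicast and broadcast entries, enforces the 10-entry limit of a MACLIST and emits the MACLIST ADD commands used in section 2.1. The arp output it parses is constructed for the example; the candidate list, the 5 port names and the plan_maclist helper are the example's own assumptions.

```python
import re

# Constructed sample address strings (not output captured from the devices in
# this document) in the formats Table 1-1 lists: Windows ipconfig, Linux ifconfig,
# switch "show fdb" and the device's own white-list display.
SAMPLES = {
    "windows_ipconfig": "24-BE-05-25-B7-43",
    "linux_ifconfig": "00:e0:4c:00:7b:94",
    "switch_fdb": "000f.d905.f5bc",
    "maclist_display": "00e04c-692341",
}

# Constructed "arp -a" (Windows) and "arp -n" (Linux) output for the
# "Unknown device" row of Table 1-1.
ARP_WINDOWS = """Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.10          24-be-05-25-b7-43     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""
ARP_LINUX = """Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:e0:4c:00:7b:94   C                     eth0
192.168.1.20             ether   02:42:ac:11:00:02   C                     eth0
"""

PORTS = ("LAN1", "LAN2", "LAN3", "LAN4", "LAN5")   # one MACLIST per LAN interface
MAX_ENTRIES = 10                                    # entries per MACLIST (section 1.2)

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MAC_IN_TEXT = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}(?![0-9a-f])", re.I)


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits; accepts xx:xx:xx:xx:xx:xx,
    xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx and xxxxxx-xxxxxx. Raises ValueError otherwise."""
    digits = re.sub(r"[:.\-\s]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return digits


def to_colon(mac12):
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def to_maclist_arg(mac12):
    """Argument form used by the MACLIST ADD example in section 2.1 (00-E0-4C-69-23-41)."""
    return "-".join(mac12[i:i + 2] for i in range(0, 12, 2)).upper()


def classify(mac12):
    """unicast / multicast / broadcast. The I/G bit is the least significant bit
    of the first octet; FF:FF:FF:FF:FF:FF is the broadcast address."""
    if mac12 == "ffffffffffff":
        return "broadcast"
    return "multicast" if int(mac12[:2], 16) & 0x01 else "unicast"


def is_locally_administered(mac12):
    """U/L bit (bit 1 of the first octet). Set means the address was assigned by
    software rather than burned in by the vendor, e.g. a randomized or spoofed MAC."""
    return bool(int(mac12[:2], 16) & 0x02)


def macs_from_arp_output(text):
    """Extract every MAC address that appears in arp -a / arp -n output."""
    return [normalize_mac(m.group(0)) for m in _MAC_IN_TEXT.finditer(text)]


def plan_maclist(port, raw_addresses):
    """Turn candidate addresses into MACLIST ADD commands for one LAN interface.
    Returns (commands, rejected, flagged): rejected holds multicast/broadcast
    addresses, which must never be whitelisted; flagged holds locally
    administered unicast addresses that are added but deserve a second look."""
    if port not in PORTS:
        raise ValueError("unknown interface %r" % port)
    commands, rejected, flagged, seen = [], [], [], set()
    for raw in raw_addresses:
        mac = normalize_mac(raw)
        if mac in seen:
            continue
        seen.add(mac)
        kind = classify(mac)
        if kind != "unicast":
            rejected.append((to_colon(mac), kind))
            continue
        if is_locally_administered(mac):
            flagged.append(to_colon(mac))
        commands.append("MACLIST %s ADD %s" % (port, to_maclist_arg(mac)))
    if len(commands) > MAX_ENTRIES:
        raise ValueError("a MACLIST holds at most %d entries, got %d" % (MAX_ENTRIES, len(commands)))
    return commands, rejected, flagged


def example_plan():
    """Build the LAN1 list from the constructed ARP output plus the address of section 2.1."""
    candidates = macs_from_arp_output(ARP_WINDOWS) + macs_from_arp_output(ARP_LINUX)
    candidates.append("00-E0-4C-69-23-41")
    return plan_maclist("LAN1", candidates)


if __name__ == "__main__":
    cmds, rej, flg = example_plan()
    print("\n".join(cmds))
    print("rejected:", rej)
    print("locally administered (verify before trusting):", flg)
```

The broadcast and multicast entries picked up from the ARP cache are rejected rather than silently added, matching the NOTE above; the locally administered address 02:42:ac:11:00:02 is still added, but reported, because such an address was set by software and may not belong to the device the administrator thinks it does.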
S-Access Etherlink_IV / AccessMiniLink devices implement the MAC Filter option on their LAN interfaces, so the network administrator can control network access as shown in Figure 1-1.

Figure 1-1 No Entry for non-listed device: the MACLIST holds MAC 1, MAC 2 and MAC 3; devices with these addresses get ACCESS ALLOWED, any other device gets NO ENTRY.

Network access is granted if the device MAC is stored in the MACLIST of the Black Box Etherlink_IV / AccessMiniLink, otherwise access is denied. One MACLIST can be bound to every LAN interface of an S-Access Etherlink_IV / AccessMiniLink device, so up to 5 MACLISTs can be used. A single MAC may appear in several MACLISTs. Every MACLIST holds up to 10 entries.

1.3 MAC Filter Rules
S-Access Etherlink_IV / AccessMiniLink software implements 3 reactions to an intruder access attempt, selected per interface with the MACRULE command described in section 2.2: MAC Address Filtering (FILTER), MAC Address Filtering and Intruder Alarm (INDICATE), and Port Blocking and Intruder Alarm (BLOCK).

MAC Address Filtering
If an ingress packet carries a MAC address that is not listed in the White List of the LAN interface it arrives on, the packet is dropped. Nothing is recorded and no message is generated by the Etherlink_IV / AccessMiniLink device. This is the default mode; it is turned on automatically as soon as the MAC filtering feature is enabled.

MAC Address Filtering and Intruder Alarm
Intruder Alarm indication can be enabled on the device. If it is enabled, the Etherlink_IV / AccessMiniLink device generates an SNMP trap whenever an unlisted MAC arrives at the port. The trap is sent to the NMS and contains the intruder MAC address.

Port Blocking and Intruder Alarm
Port Blocking can be enabled for the case that an unlisted MAC arrives. Upon receiving the wrong MAC the port goes to the Down State, and both the Intruder Alarm trap and the Link Down trap are generated. The port keeps the blocked Down State even after a reset of the device.
Network administrators have to re-enable it manually, in the CLI with the ETHSD command or in the WEB GUI.

NOTE: The MAC Filter identifies devices only by the MAC address they claim in their frames. A host whose MAC address has been changed in software to a listed value passes the filter, so the feature controls which addresses are admitted; it does not authenticate devices. Conversely, in the Port Blocking mode a single frame with an unlisted MAC is enough to take the port down until an administrator re-enables it, so anyone who can inject frames into the attached segment can deny service to the listed devices on that port. Choose Port Blocking where physical access to the segment is controlled and a manual re-enable is an acceptable cost; otherwise prefer Filtering with Intruder Alarm, which keeps the port up and still reports the event to the NMS.

2 Setup Examples

2.1 Adding "White" MAC address
As an example, we add the MAC address 00-E0-4C-69-23-41 to the "white" list of interface LAN1.

Execute in the NET menu of the CLI:

    CX_07_NET>MACLIST LAN1 ADD 00-E0-4C-69-23-41
    --------------------------------------------------------------------------------
    New MAC Filter Configuration
    --------------------------------------------------------------------------------
    Port        LAN1           LAN2           LAN3           LAN4           LAN5
    Mode        OFF/FILTER     OFF/FILTER     OFF/FILTER     OFF/FILTER     OFF/FILTER
    White list
     1          00e04c-692341  -------------  -------------  -------------  -------------
     2          -------------  -------------  -------------  -------------  -------------
     3          -------------  -------------  -------------  -------------  -------------
     4          -------------  -------------  -------------  -------------  -------------
     5          -------------  -------------  -------------  -------------  -------------
     6          -------------  -------------  -------------  -------------  -------------
     7          -------------  -------------  -------------  -------------  -------------
     8          -------------  -------------  -------------  -------------  -------------
     9          -------------  -------------  -------------  -------------  -------------
    10          -------------  -------------  -------------  -------------  -------------
    --------------------------------------------------------------------------------
    Warning: New MAC Filter configuration is shown, because it differs from running.
    To view new configuration, type 'MACLIST SHOW N'.
    To view running network configuration, type 'MACLIST SHOW R'.
    To apply changes in configuration, type 'APPLY'.
    Do not forget to 'CONFIRM' a good working configuration.
    CX_07_NET>

or in the WEB GUI.

Enable the MACFILTER option on LAN1 in the CLI:

    CX_07_NET>MACFILTER LAN1 ON
    --------------------------------------------------------------------------------
    New MAC Filter Configuration
    --------------------------------------------------------------------------------
    Port        LAN1           LAN2           LAN3           LAN4           LAN5
    Mode        ON/FILTER      OFF/FILTER     OFF/FILTER     OFF/FILTER     OFF/FILTER
    White list
     1          00e04c-692341  -------------  -------------  -------------  -------------
     2          -------------  -------------  -------------  -------------  -------------
     3          -------------  -------------  -------------  -------------  -------------
     4          -------------  -------------  -------------  -------------  -------------
     5          -------------  -------------  -------------  -------------  -------------
     6          -------------  -------------  -------------  -------------  -------------
     7          -------------  -------------  -------------  -------------  -------------
     8          -------------  -------------  -------------  -------------  -------------
     9          -------------  -------------  -------------  -------------  -------------
    10          -------------  -------------  -------------  -------------  -------------
    --------------------------------------------------------------------------------
    Warning: New MAC Filter configuration is shown, because it differs from running.
    To view new configuration, type 'MACLIST SHOW N'.
    To view running network configuration, type 'MACLIST SHOW R'.
    To apply changes in configuration, type 'APPLY'.
    Do not forget to 'CONFIRM' a good working configuration.
    CX_07_NET>

or in the WEB GUI.

2.2 Changing MACFILTER Rule
Use the MACRULE [LAN1..5] [FILTER/INDICATE/BLOCK] command to change the action rule of an interface, or use the WEB interface. For example, MACRULE LAN1 INDICATE keeps dropping unlisted MACs on LAN1 and additionally sends the Intruder Alarm trap, while MACRULE LAN1 BLOCK also takes the port down (see section 1.3). As with the other MAC Filter commands, the new configuration takes effect with APPLY and should be kept with CONFIRM.

2.3 Deleting MAC Address from the MACLIST
Use the MACLIST [LAN1..5] DEL <address> | [number1..10] command in the CLI:

    CX_07_NET>MACLIST LAN1 DEL 00-E0-4C-69-23-41
    --------------------------------------------------------------------------------
    New MAC Filter Configuration
    --------------------------------------------------------------------------------
    Port        LAN1           LAN2           LAN3           LAN4           LAN5
    Mode        ON/FILTER      OFF/FILTER     OFF/FILTER     OFF/FILTER     OFF/FILTER
    White list
     1          -------------  -------------  -------------  -------------  -------------
     2          -------------  -------------  -------------  -------------  -------------
     3          -------------  -------------  -------------  -------------  -------------
     4          -------------  -------------  -------------  -------------  -------------
     5          -------------  -------------  -------------  -------------  -------------
     6          -------------  -------------  -------------  -------------  -------------
     7          -------------  -------------  -------------  -------------  -------------
     8          -------------  -------------  -------------  -------------  -------------
     9          -------------  -------------  -------------  -------------  -------------
    10          -------------  -------------  -------------  -------------  -------------
    --------------------------------------------------------------------------------
    Warning: New MAC Filter configuration is shown, because it differs from running.
    To view new configuration, type 'MACLIST SHOW N'.
    To view running network configuration, type 'MACLIST SHOW R'.
    To apply changes in configuration, type 'APPLY'.
    Do not forget to 'CONFIRM' a good working configuration.
    CX_07_NET>

NOTE: Don't forget to APPLY the changes and CONFIRM a good working configuration.
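To make the three reactions of section 1.3 and the MACRULE choice of section 2.2 concrete, here is an added Python model, not S-Access firmware: one LanPort object holds a MACLIST, the MACFILTER state and the MACRULE, and run_scenario() sends the same three frames (listed, unlisted, listed) to a port configured in each mode. It assumes the filter keys on the source MAC of ingress frames; the trap tuples, the port class and the intruder address are constructed for the example. The last two results show the two caveats a deployment should plan for: a sender that spoofs a listed MAC is accepted, and with MACFILTER OFF the MACLIST has no effect.

```python
# Reaction rules of section 1.3, as selected with MACRULE (section 2.2).
FILTER, INDICATE, BLOCK = "FILTER", "INDICATE", "BLOCK"

LISTED = "00:e0:4c:69:23:41"      # the address whitelisted in section 2.1
INTRUDER = "de:ad:be:ef:00:01"    # constructed address that is in no MACLIST


class LanPort:
    """Model of one LAN interface with its MACLIST, MACFILTER state and MACRULE.
    Assumption: the filter keys on the source MAC of each ingress frame."""

    def __init__(self, name, whitelist=(), enabled=False, rule=FILTER):
        self.name = name
        self.whitelist = {m.lower() for m in whitelist}   # MACLIST LANx ADD ...
        self.enabled = enabled                             # MACFILTER LANx ON/OFF
        self.rule = rule                                   # MACRULE LANx FILTER/INDICATE/BLOCK
        self.link_up = True
        self.traps = []   # constructed records standing in for SNMP traps sent to the NMS

    def ingress(self, src_mac):
        """Process one ingress frame; return 'accept' or 'drop'."""
        src_mac = src_mac.lower()
        if not self.link_up:
            return "drop"                       # a blocked port passes nothing
        if not self.enabled or src_mac in self.whitelist:
            return "accept"
        # Unlisted source MAC: react according to the configured rule.
        if self.rule == INDICATE:
            self.traps.append(("intruderAlarm", self.name, src_mac))
        elif self.rule == BLOCK:
            self.traps.append(("intruderAlarm", self.name, src_mac))
            self.traps.append(("linkDown", self.name, None))
            self.link_up = False                # port goes to the Down State
        return "drop"                           # FILTER: silent drop, nothing recorded

    def reset(self):
        """Device reset. Section 1.3: the blocked Down State survives a reset,
        so the link state is deliberately left untouched here."""

    def admin_enable(self):
        """Manual re-enable by the administrator (ETHSD in the CLI or the WEB GUI)."""
        self.link_up = True


def run_scenario():
    """Feed the frames listed, intruder, listed to a port in each rule mode."""
    out = {}
    for rule in (FILTER, INDICATE, BLOCK):
        port = LanPort("LAN1", whitelist=[LISTED], enabled=True, rule=rule)
        decisions = [port.ingress(LISTED), port.ingress(INTRUDER), port.ingress(LISTED)]
        out[rule] = {"decisions": decisions, "traps": list(port.traps), "link_up": port.link_up}
        if rule == BLOCK:
            port.reset()
            out[rule]["link_up_after_reset"] = port.link_up
            port.admin_enable()
            out[rule]["after_admin_enable"] = port.ingress(LISTED)
    # Caveat 1: a sender that sets its MAC to a listed value is accepted; the
    # filter checks a claimed address, it does not authenticate the device.
    spoofer = LanPort("LAN2", whitelist=[LISTED], enabled=True, rule=BLOCK)
    out["spoofed_listed_mac"] = spoofer.ingress(LISTED.upper())
    # Caveat 2: with MACFILTER OFF the MACLIST has no effect at all.
    out["filter_off"] = LanPort("LAN3", whitelist=[LISTED], enabled=False).ingress(INTRUDER)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In BLOCK mode the third frame, from the legitimately listed host, is dropped: one intruder frame has taken the port down for everyone behind it, and it stays down through reset() until admin_enable() is called. That is the denial-of-service trade-off to weigh before choosing Port Blocking over INDICATE.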