MAC Address Filtering

ETHERLINK_IV/V - MAC Filter
Contents
Summary
Acronyms and Terms
1 Background
1.1 MAC Address
1.2 MAC Address Filtering
1.3 MAC Filter Rules
2 Setup Examples
2.1 Adding "White" MAC address
2.2 Changing MACFILTER Rule
2.3 Deleting MAC Address from the MACLIST
Summary
This document describes the MAC Filter option available for Etherlink_IV / AccessMiniLink devices starting from software version 1.4.38.
Acronyms and Terms
Name   Description
TDM    Time Division Multiplexing - a method to split a common transmission medium between several channels
E1     Digital stream according to the ITU-T G.703 standard with 2048 kbps speed
IP     Internet Protocol
IPTV   IP Television
RSTP   Rapid Spanning Tree Protocol according to IEEE 802.1D-2004
NMS    Network Management System
CLI    Command Line Interface
SNMP   Simple Network Management Protocol
GUI    Graphical User Interface
1 Background
S-Access GmbH
Oberhausenstrasse 47
8907 Wettswil a/A
SWITZERLAND
Specification is subject to change without notice
Tel.: +41-44-700-3111
Email: info@s-access.ch
Web: http://www.s-access.ch
1.1 MAC Address
Unlike legacy TDM-based networks, where both transceivers use a single communication channel such as an E1 stream, packet-based networks such as Ethernet presuppose that the transmission medium is shared between all connected nodes. Every node may establish a data connection with any other node or nodes, but only one transmitter is allowed to send data at a time; otherwise data collisions occur. The transmitter splits the data into packets and adds service information to the header of every packet. One of the service fields stores the destination address.
As the transmission medium is common to all connected nodes, the data is distributed within the broadcast domain and all nodes receive it, but only the addressee accepts and processes the data flow. Other nodes discard the packets. Each node compares its own address with the address inside the received packet and decides whether the packet shall be accepted or discarded. This address is called the MAC (Media Access Control) address.
Three types of MAC addresses are present in Ethernet networks:
- Unicast address: a fixed, unique address of an Ethernet transceiver. Every network device (PC, server, network camera, router, etc.) has a MAC address "burned" into its network controller. It is 6 bytes long and must not be duplicated on any other device.
- Multicast address: if the first bit of the first byte of the MAC address is set to "1", such packets can be accepted by several nodes. IPTV, routing protocols and RSTP messages are examples of multicast traffic.
- Broadcast address: a destination MAC address of FF:FF:FF:FF:FF:FF is the broadcast address. It is accepted and processed by all devices inside the broadcast domain, an area of network devices (PCs, switches, cameras, controllers, etc.) bounded by the router (routers), with the exception of the node that sent the packet.
NOTE: Multicast and broadcast addresses are virtual. It is prohibited to assign a multicast or broadcast address to any real device.
The MAC address is usually printed on a sticker on a network device, computer or laptop. It may look like xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx. Network equipment may show it as xxxx.xxxx.xxxx.
Table 1-1 Discovery of MAC Address
OS / Device                     Command                  Output
PC running Microsoft Windows    ipconfig /all            Physical Address: 24-BE-05-25-B7-43
Linux                           ifconfig                 HWaddr 00:e0:4c:00:7b:94
Etherlink_IV / AccessMiniLink   NETCONFIG                MAC address : 00:0f:d9:05:3f:8d
AccessMiniLink Switch           show fdb                 000f.d905.f5bc permanent CPU
Unknown device                  Connect the device and your PC to the same network and find out the device IP, then:
                                ping IP_of_the_device
                                arp -a (Microsoft Windows)
                                arp -n (Linux)
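The following Python module is an added example and is not part of the S-Access document or its software. It pulls MAC addresses out of the kinds of command output listed in Table 1-1 (the colon, hyphen and dotted notations, plus the 00e04c-692341 form the device uses in its own MACLIST listing), brings them to one canonical form, applies the unicast / multicast / broadcast rule from this section, and compares what was seen on a segment against a MACLIST. The function names, the regular expression and the arp -a listing are this example's own constructions; the four output lines in SAMPLE_OUTPUTS are the ones shown in Table 1-1.

```python
"""Extract, normalise and classify Ethernet MAC addresses (added example)."""
import re
from typing import List

# One pattern for the notations in Table 1-1 and the device's MACLIST listing.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])("
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"   # 00:e0:4c:00:7b:94 / 24-BE-05-25-B7-43
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"    # 000f.d905.f5bc (show fdb)
    r"|[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}"            # 00e04c-692341 (MACLIST SHOW)
    r")(?![0-9A-Fa-f])"
)

# Constructed sample: the output lines of Table 1-1, one per line.
SAMPLE_OUTPUTS = """\
Physical Address: 24-BE-05-25-B7-43
eth0 Link encap:Ethernet HWaddr 00:e0:4c:00:7b:94
MAC address : 00:0f:d9:05:3f:8d
000f.d905.f5bc permanent CPU
"""

# Constructed sample of a Windows 'arp -a' listing (not real device output).
ARP_SAMPLE = """\
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-e0-4c-69-23-41     dynamic
  192.168.1.20          24-be-05-25-b7-43     dynamic
  224.0.0.251           01-00-5e-00-00-fb     static
"""


def normalize_mac(text: str) -> str:
    """Return the canonical lower-case colon form, e.g. '00:e0:4c:69:23:41'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac: str) -> str:
    """Unicast / multicast / broadcast according to the rule in section 1.1.

    The 'first bit of the first byte' is the first bit on the wire, i.e. the
    least significant bit of the first octet (the individual/group bit).
    """
    octets = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    if octets == b"\xff" * 6:
        return "broadcast"
    if octets[0] & 0x01:
        return "multicast"
    return "unicast"


def extract_macs(output: str) -> List[str]:
    """Every MAC address found in a block of command output, normalised, in order."""
    return [normalize_mac(m.group(1)) for m in _MAC_RE.finditer(output)]


def unlisted_macs(output: str, maclist: List[str]) -> List[str]:
    """Unicast MACs seen in 'output' that are not in 'maclist' (any notation).

    Multicast and broadcast addresses are skipped: the document notes they are
    virtual and never belong to a real device, so they cannot be whitelisted.
    """
    allowed = {normalize_mac(m) for m in maclist}
    unknown: List[str] = []
    for mac in extract_macs(output):
        if mac not in allowed and mac not in unknown and classify_mac(mac) == "unicast":
            unknown.append(mac)
    return unknown


if __name__ == "__main__":
    print(extract_macs(SAMPLE_OUTPUTS))
    print(unlisted_macs(ARP_SAMPLE, ["00-E0-4C-69-23-41"]))
```

Running the module prints the four addresses of Table 1-1 in canonical form, and then the one station in the constructed arp listing that is neither in the MACLIST nor a multicast address. The same unlisted_macs check, fed with a real arp table and the addresses you intend to put into a MACLIST, tells you beforehand which devices on the segment would lose access once MACFILTER is switched on.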
1.2 MAC Address Filtering
As every real device has its own unique MAC address, it is possible to create a list of MAC addresses so that the corresponding devices are granted access to the network while access for all other devices is forbidden.
S-Access Etherlink_IV / AccessMiniLink devices implement the MAC Filter option on LAN interfaces, so the network administrator can control network access as shown in Figure 1-1.
[Figure 1-1 No Entry for non-listed device: MAC 1, MAC 2 and MAC 3 are stored in the MACLIST and get ACCESS ALLOWED; a device whose MAC is not listed gets NO ENTRY]
Network access is granted if the device MAC is stored in the MACLIST of the Black Box Etherlink_IV / AccessMiniLink; otherwise access is disallowed.
One MACLIST can be bound to every LAN interface of the S-Access Etherlink_IV / AccessMiniLink device, therefore up to 5 MACLISTs can be used. A single MAC can appear in several MACLISTs. Every MACLIST has up to 10 entries.
1.3 MAC Filter Rules
S-Access Etherlink_IV / AccessMiniLink software implements 3 types of reaction to an intruder access attempt: MAC Address Filtering; MAC Address Filtering and Intruder Alarm; Port Blocking and Intruder Alarm.
MAC Address Filtering
If an ingress packet has a MAC address that is not listed in the White List the LAN interface belongs to, this packet is dropped. No information is recorded and no message is generated by the Etherlink_IV / AccessMiniLink device. This is the default mode and it is turned on automatically as soon as the MAC filtering feature is enabled.
MAC Address Filtering and Intruder Alarm
It is possible to enable Intruder Alarm indication on the device. If enabled, an SNMP Trap is generated by the Etherlink_IV / AccessMiniLink device when an unlisted MAC arrives at the port. The SNMP Trap message is sent to the NMS and contains the intruder MAC address.
Port Blocking and Intruder Alarm
It is possible to enable Port Blocking in case an unlisted MAC arrives. Upon receiving the wrong MAC the port goes to Down State. The Intruder Alarm Trap and Link Down Trap are generated in this case. The port keeps the blocked Down State even after a reset of the device. Network administrators have to enable it manually in the CLI with the ETHSD command or in the WEB GUI.
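The model below is an added example, not code from S-Access or from the device firmware. It simulates one device with LAN1..LAN5, one MACLIST of 10 numbered slots per port, the MACFILTER on/off switch and the three reactions of this section, and it lets you step an unlisted station through them to see exactly which behaviour each reaction produces (silent drop, trap, or trap plus a port that stays down across a reset until ETHSD brings it up). Its assumptions: the filter is keyed on the frame's source MAC (the document only says "a MAC address"), the MACRULE keywords FILTER / INDICATE / BLOCK from section 2.2 map onto the three reactions in that order, and the trap strings are placeholders for the real SNMP traps, whose OIDs the document does not give. The class and method names are the example's own.

```python
"""Model of the Etherlink_IV / AccessMiniLink MAC filter reactions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PORTS = ("LAN1", "LAN2", "LAN3", "LAN4", "LAN5")   # one MACLIST per LAN interface
MAX_ENTRIES = 10                                   # entries per MACLIST
RULES = ("FILTER", "INDICATE", "BLOCK")            # MACRULE keywords, assumed mapping


def canon(mac: str) -> str:
    """12 lower-case hex digits, so '00-E0-4C-69-23-41' (CLI input) and
    '00e04c-692341' (the device's own listing format) compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Port:
    name: str
    # Slots 1..10; None is the '----------' placeholder shown by MACLIST SHOW.
    maclist: List[Optional[str]] = field(default_factory=lambda: [None] * MAX_ENTRIES)
    filter_on: bool = False      # MACFILTER LANx ON|OFF
    rule: str = "FILTER"         # default reaction once filtering is enabled
    link_up: bool = True         # False = blocked Down State


@dataclass
class Device:
    ports: Dict[str, Port] = field(default_factory=lambda: {p: Port(p) for p in PORTS})
    traps: List[str] = field(default_factory=list)   # queue of traps not yet sent to the NMS

    def maclist_add(self, port: str, mac: str) -> int:
        """MACLIST LANx ADD <address>; returns the slot number (1..10) used."""
        p, key = self.ports[port], canon(mac)
        if key in p.maclist:
            return p.maclist.index(key) + 1
        if None not in p.maclist:
            raise ValueError(f"{port}: MACLIST already holds {MAX_ENTRIES} entries")
        slot = p.maclist.index(None)
        p.maclist[slot] = key
        return slot + 1

    def maclist_del(self, port: str, address_or_number: str) -> None:
        """MACLIST LANx DEL <address> | <number1..10>; frees the slot."""
        p = self.ports[port]
        if address_or_number.isdigit():
            slot = int(address_or_number) - 1
        else:
            slot = p.maclist.index(canon(address_or_number))
        p.maclist[slot] = None

    def macfilter(self, port: str, on: bool) -> None:
        self.ports[port].filter_on = on

    def macrule(self, port: str, rule: str) -> None:
        if rule not in RULES:
            raise ValueError(f"unknown rule {rule!r}")
        self.ports[port].rule = rule

    def ethsd(self, port: str, up: bool) -> None:
        """Administrative port enable: the only way out of the blocked Down State."""
        self.ports[port].link_up = up

    def poll_traps(self) -> List[str]:
        """What the NMS would receive; empties the queue."""
        sent, self.traps = self.traps, []
        return sent

    def reset(self) -> None:
        """Device reset: unsent traps are lost, but a blocked port stays down."""
        self.traps.clear()

    def ingress(self, port: str, src_mac: str) -> str:
        """Decide ACCEPT or DROP for a frame from src_mac arriving on port."""
        p = self.ports[port]
        if not p.link_up:
            return "DROP"                       # port is in Down State
        if not p.filter_on or canon(src_mac) in p.maclist:
            return "ACCEPT"
        # Unlisted MAC: plain FILTER drops silently, the other two rules alarm.
        if p.rule in ("INDICATE", "BLOCK"):
            self.traps.append(f"Intruder Alarm: port={port} mac={canon(src_mac)}")
        if p.rule == "BLOCK":
            p.link_up = False
            self.traps.append(f"Link Down: port={port}")
        return "DROP"


def scenario() -> List[str]:
    """Step the unlisted PC from Table 1-1 through the three rules on LAN1."""
    dev = Device()
    dev.maclist_add("LAN1", "00-E0-4C-69-23-41")   # the address added in section 2.1
    dev.macfilter("LAN1", True)
    intruder = "24-BE-05-25-B7-43"                 # constructed: the Windows PC of Table 1-1
    received: List[str] = []
    for rule in RULES:
        dev.macrule("LAN1", rule)
        dev.ingress("LAN1", intruder)
        received += dev.poll_traps()
    dev.reset()                                    # port stays down through the reset
    assert dev.ingress("LAN1", "00e04c-692341") == "DROP"
    dev.ethsd("LAN1", True)                        # manual re-enable restores service
    assert dev.ingress("LAN1", "00e04c-692341") == "ACCEPT"
    return received


if __name__ == "__main__":
    print(scenario())
```

Two things the walk-through makes visible that the prose only states: under BLOCK, even the whitelisted station is dropped once the port is down, so an intruder on a shared segment can take a legitimate device offline (a denial-of-service trade-off to weigh before choosing BLOCK over INDICATE), and under plain FILTER nothing reaches the NMS at all, so INDICATE is the minimum if you want the event in your monitoring.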
2 Setup Examples
2.1 Adding "White" MAC address
For example, we will add the MAC address 00-E0-4C-69-23-41 to the "white" list on interface LAN1.
Execute in the NET menu of the CLI:
CX_07_NET>MACLIST LAN1 ADD 00-E0-4C-69-23-41
-------------------------------------------------------------------------------
New MAC Filter Configuration
-------------------------------------------------------------------------------
Port    Mode         White list
LAN1    OFF/FILTER   1  00e04c-692341
                     2  ----------
                     3  ----------
                     4  ----------
                     5  ----------
                     6  ----------
                     7  ----------
                     8  ----------
                     9  ----------
                     10 ----------
LAN2    OFF/FILTER
LAN3    OFF/FILTER
LAN4    OFF/FILTER
LAN5    OFF/FILTER
-------------------------------------------------------------------------------
Warning: New MAC Filter configuration is shown, because it differs from running.
To view new configuration, type 'MACLIST SHOW N'.
To view running network configuration, type 'MACLIST SHOW R'.
To apply changes in configuration, type 'APPLY'.
Do not forget to 'CONFIRM' a good working configuration.
CX_07_NET>
or in the WEB GUI.
Enable the MACFILTER option on LAN1 in the CLI:
CX_07_NET>MACFILTER LAN1 ON
-------------------------------------------------------------------------------
New MAC Filter Configuration
-------------------------------------------------------------------------------
Port    Mode         White list
LAN1    ON/FILTER    1  00e04c-692341
                     2  ----------
                     3  ----------
                     4  ----------
                     5  ----------
                     6  ----------
                     7  ----------
                     8  ----------
                     9  ----------
                     10 ----------
LAN2    OFF/FILTER
LAN3    OFF/FILTER
LAN4    OFF/FILTER
LAN5    OFF/FILTER
-------------------------------------------------------------------------------
Warning: New MAC Filter configuration is shown, because it differs from running.
To view new configuration, type 'MACLIST SHOW N'.
To view running network configuration, type 'MACLIST SHOW R'.
To apply changes in configuration, type 'APPLY'.
Do not forget to 'CONFIRM' a good working configuration.
CX_07_NET>
or in the WEB GUI.
2.2 Changing MACFILTER Rule
Use the MACRULE [LAN1..5] [FILTER/INDICATE/BLOCK] command to change the action rule for the interface, or use the WEB interface.
2.3 Deleting MAC Address from the MACLIST
Use the MACLIST [LAN1..5] DEL <address> | [number1..10] command in the CLI:
CX_07_NET>MACLIST LAN1 DEL 00-E0-4C-69-23-41
-------------------------------------------------------------------------------
New MAC Filter Configuration
-------------------------------------------------------------------------------
Port    Mode         White list
LAN1    ON/FILTER    1  ----------
                     2  ----------
                     3  ----------
                     4  ----------
                     5  ----------
                     6  ----------
                     7  ----------
                     8  ----------
                     9  ----------
                     10 ----------
LAN2    OFF/FILTER
LAN3    OFF/FILTER
LAN4    OFF/FILTER
LAN5    OFF/FILTER
-------------------------------------------------------------------------------
Warning: New MAC Filter configuration is shown, because it differs from running.
To view new configuration, type 'MACLIST SHOW N'.
To view running network configuration, type 'MACLIST SHOW R'.
To apply changes in configuration, type 'APPLY'.
Do not forget to 'CONFIRM' a good working configuration.
CX_07_NET>
NOTE: Don't forget to APPLY changes and CONFIRM good working configuration.