Security – Port Security / MAC lock with Netgear GS752TXS

Tags: netgear, physical-security, port-security, switch

Does anybody here have the Netgear GS752TXS (52-port stackable smart switch with 10GE uplink) in use with port security active?

I would like to activate port security on specific ports to allow only one specific device (MAC) on each such port. That's what I understand "port security" to mean here, and it should be possible with this device, according to the documentation.

If I activate port security, I have two options: lock down the number of dynamically learned addresses, or the number of statically learned addresses.
Locking dynamically learned addresses makes nearly no sense. It's possible to prevent somebody from plugging in a switch in between, but that's it. The problem with dynamically learned addressing is that all dynamic entries age out (default 300 s; then they are renewed or lost) AND if you plug a device into another port, the entry is also updated to the other port and the entry on the old port is lost. So limiting the dynamic entries on a specific port to "1" does not help here, since if somebody plugs his device into another port, the "locked" port is free for reassignment 🙁

The problem with "static assignment": if you assign a MAC address to the port statically, it works in the first instance…. the port won't accept another MAC/device….

BUT the device also cannot be plugged into another port! It's limited to this specific port. That's not exactly what I want… 🙁

I really would like to have some ports accept just specific MACs and some ports support multiple devices (like meeting rooms etc.).

Does anybody know if that's possible with this device?

Another good thing would be the possibility to specify a list of allowed MAC addresses across the whole switch and block all others…. but I don't think this is possible….

Best Answer

I went through the Netgear GS752TXS Software Administration Manual and what you are looking for is on pages 220-223.

You said you want "to activate port security on specific ports to allow only one specific device (MAC) on this port."

Specifically the steps to do this are provided on page 221.

  1. Click Security
  2. Click Traffic Control
  3. Click Port Security
  4. Click Port Security Configuration
  5. Select Enable
  6. Click Apply
  7. Click Interface Configuration
  8. Select the ports you want to enable port security on
  9. Select Enable in the Port Security field
  10. Set Max Allowed Dynamically Learned MAC to 0 (according to the manual this effectively disables dynamically learning MAC addresses)
  11. Set Max Allowed Statically Locked Mac to the number of MAC addresses that will be connected to this port.
  12. Set Enable Violation Traps to Yes

I need to stop and emphasize a point here. If you are plugging an unmanaged switch into a port that you are using port security on (not recommended) then you need to allow the MAC address of each device that will be connected to that unmanaged switch.

You will need to specify which MAC addresses are permitted for each port that you are enabling port security on.

If you have a computer that is running a VM and the VM is configured to connect to the network via bridged mode, then you must also include the MAC of the VM in your port security configuration on the physical port that the host is connected to. If you do not, port security will shut down traffic to both MACs on that port.
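To make the behaviour discussed in the question and the answer concrete, here is a small model of the port-security rules (added example, not from the original post or from Netgear's software): it shows why a dynamic limit of 1 does not pin a device to a port (aging and MAC moves), why a static lock does, and why a bridged VM's MAC has to be listed next to the host's. Port names, MAC addresses and the 300 s aging time are constructed sample values.

```python
AGING_SECONDS = 300  # default dynamic-entry aging time quoted in the question


class Port:
    def __init__(self, max_dynamic=0, static_macs=()):
        self.max_dynamic = max_dynamic                  # "Max Allowed Dynamically Learned MAC"
        self.static = {m.lower() for m in static_macs}  # statically locked MACs on this port
        self.dynamic = {}                               # mac -> last-seen time (seconds)


class Switch:
    def __init__(self, ports):
        self.ports = ports      # port name -> Port
        self.violations = []    # (port, mac) pairs that would raise a violation trap

    def _expire(self, now):
        for p in self.ports.values():
            p.dynamic = {m: t for m, t in p.dynamic.items() if now - t < AGING_SECONDS}

    def frame(self, port_name, mac, now):
        """Return True if a frame from `mac` arriving on `port_name` is accepted."""
        mac = mac.lower()
        self._expire(now)
        port = self.ports[port_name]
        if mac in port.static:
            return True
        # A MAC statically locked elsewhere is never learned on another port:
        # this is the "device cannot be plugged into another port" limitation.
        if any(mac in p.static for p in self.ports.values()):
            self.violations.append((port_name, mac))
            return False
        # A dynamically learned MAC seen on another port moves there and the
        # old port's entry is dropped, which frees the "locked" slot again.
        for name, other in self.ports.items():
            if name != port_name:
                other.dynamic.pop(mac, None)
        if mac in port.dynamic or len(port.dynamic) < port.max_dynamic:
            port.dynamic[mac] = now
            return True
        self.violations.append((port_name, mac))
        return False


def build_demo_switch():
    """Constructed sample config: g1 dynamic-limited, g2 statically locked, g5 open."""
    return Switch({
        "g1": Port(max_dynamic=1),
        "g2": Port(max_dynamic=0, static_macs=["00:11:22:33:44:55", "00:11:22:33:44:56"]),  # host + VM
        "g5": Port(max_dynamic=8),  # e.g. a meeting-room port
    })
```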