For IT Pros: This page contains information about how to manage port security in Iris.
On Technology Services-managed campus switches, you can choose to restrict access to a port based on the MAC address of the computer or device that plugs into the port.
In order to tell whether or not your switch is eligible, select the switch and click the Port Security tab.
If your switch is not eligible for port-level MAC address control, the Port Security Config field will say Port Security Inappropriate.
If a switch will accept port security settings, you'll have a menu box available in the Port Sec column for each eligible port.
In Iris version 5.3, port security has been expanded to include all three major manufacturers of switches on the campus network: Cisco, Foundry, and HP.
However, there are some known issues with the way that Cisco and Foundry switches report information to Iris, and therefore with the way that Iris reports changes in port security on those systems.
You can permit a selected number of MAC addresses (up to 8) when Port Security is enabled.
When you first enable Port Security for a port by changing the setting from "Off" to either "Automatic" or "Manual" MAC collection, if an unapproved MAC address is found, the default behavior is to filter the unapproved MAC addresses rather than to disable the port entirely.
Since port security settings take immediate effect, it's better to stay with the default of filtering computers until you have the list of approved MAC addresses entered. Otherwise, if you change the behavior from the "filter" default to "shutdown", the presence of any computer plugged into a Manual port would immediately disable the port since no MAC addresses would be listed as approved. (More information about the interaction of the various settings is presented later.)
After you've chosen Automatic or Manual MAC entry, the Port Security options interface looks approximately like this:
The top text field shows any entered MAC addresses and any available information about the manufacturer of the network card.
The text field is automatically sized to contain the permitted number of MAC addresses. (Note: In the case above, since 3 MAC addresses can be learned and only 2 have been entered, the text box leaves a blank line at the bottom. If you set a port to accept 8 MAC addresses but only 1 MAC has been entered, you'll have a large text box with a lot of white space. This is normal.)
The items on the line immediately below the text box control the handling of any unapproved MAC addresses.
The State part of the line indicates whether an intrusion has been detected and gives options to respond.
In the screen shot above, no intruding MAC addresses have been detected, so the state is shown as Normal.
When the action is set to Filter and an intruding MAC address is detected:
When the action is set to Disable and an intruding MAC address is detected:
Making any changes to the port security configuration in Iris will re-enable the port and check the current port traffic against the new port security definition.
In order to be able to return a port to normal functioning after an intrusion detection, any intruding computer(s) should be removed from the port and any permitted computer(s) should remain in place.
You should only use Iris to reset port security after the computer(s) have been adequately repositioned.
This is for two reasons:
1) Iris can re-detect an intrusion quickly enough that you may not be able to perceive a desired reset or re-enabling.
If you click "Enable" or "Reset" on a port that has the Intrusion notice, and the intruding computer is still present, Iris may re-detect the intruding computer and renew the Intrusion alert immediately. You may not be able to see the re-enabling since it is immediately followed by re-disabling.
To avoid this, make sure the unexpected computer is either removed from the network or given permission to access the network before resetting the port security status in Iris.
2) On Cisco switches, the permitted computer must be allowed to communicate or else Iris won't receive an acknowledgement that the situation has been corrected.
Because of the way Cisco switches report error conditions, a port
is viewed as disabled until new communication has successfully taken
place, even though the port itself has been re-enabled.
The items on the second line below the text box deal with controlling MAC addresses.
If you have chosen Automatic MAC recognition, the first item will be the Learn menu with a list of numbers up to 8. This is where you designate the number of MAC addresses permitted on this port.
If you have chosen Manual MAC entry, the first item will be a text field followed by an Add button. You can enter MAC addresses manually here and click Add to place them on the accepted list.
After the Learn or Add items, the last two buttons are Del and Clear All. Del is used to remove a specific selection of MAC addresses from the port's list, and Clear All is used to both remove all MAC addresses from the port's list and reset any state changes related to intrusion detection.
There are some "recipes" you can use for managing certain types of situations through Iris's port security features.
If you have a departmental wireless access point connected to a Port Security-eligible port, you'll probably want to disable the port security features for that port. Wireless locations can have many computers legitimately using the connection, and you probably won't want a support call after every eighth visitor.
If you have several students, staff, or faculty members sharing a common office and they may move from jack to jack around the room, you can set Iris to automatically accept MAC addresses for the number of computers that they have among them.
After a certain amount of use, you can collect the MAC addresses that have been used in that room, switch to Manual, and make sure that all of the addresses are listed for all the ports in the room, even if a computer hasn't moved there yet.
Filtering allows you to ensure that only the permitted computers will have access to the room's network capabilities, without automatically disabling ports every time a visitor tries to plug in a laptop.
If you have dozens of computers in a lab and don't wish to type them all in manually, you can boot the computers, set each port to automatically accept the MAC address of the lab computer plugged into that port, and wait about 5-10 minutes to make sure that all of the computers have been detected.
The Disable setting will turn off the network for any computer connected to that port when the approved computer is unplugged and another computer is plugged in to that port. If anyone changes which computers are plugged into which ports or attempts to plug their own computer in, the affected port will be disabled for all computers -- even one that's returned to its correct port -- until you either correct the cabling or reassign MAC addresses and reset the port.
If you'd rather let approved computers keep working once they are reconnected to the right port, and prefer to block only intruders or computers that remain connected to the wrong port, use the Filter setting.