Number of Entries
Every White List stores up to 10 MAC addresses. The same MAC address can be stored in several
White Lists.
3.2.2.6.1 MAC Filter Rules
MAC Address Filtering
If an ingress packet has a MAC address that is not listed in the White List that the LAN interface
belongs to, the packet is dropped. The device records no information and generates no message.
This is the default mode; it is enabled automatically as soon as the MAC filtering feature is
enabled.
MAC Address Filtering and Intruder Alarm
Intruder Alarm indication can be enabled on the device. If it is enabled, the device generates an
SNMP Trap when an unlisted MAC address arrives at the port. A Trap for the same unlisted MAC
address is generated approximately once every 3 minutes. The Trap contains information about
the Intruder MAC address.
Port Blocking and Intruder Alarm
Port Blocking Mode can be enabled for the case when an unlisted MAC address arrives. Upon
receiving the wrong MAC address, the port goes to the Down state, which is equivalent to the
ETHSD OFF X command, where X is the interface number. The Intruder Alarm Trap and Link Down
Traps are generated in this case.
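The three rules above can be modelled as a small state machine. The following Python sketch is an added example, not device firmware or vendor code. Assumptions: the mode names "filter", "alarm" and "block" and the trap labels are hypothetical, the checked address is taken to be the frame's source MAC, the trap interval is taken as exactly 180 seconds, and each port is given a single White List.

```python
from dataclasses import dataclass, field

MAX_ENTRIES = 10        # manual: a White List stores up to 10 MAC addresses
TRAP_INTERVAL_S = 180   # manual: about one trap per intruder MAC every 3 minutes (assumed exact)

def norm(mac: str) -> str:
    """Normalise 'AA-BB-..', 'aa:bb:..' or 'aabb.ccdd.eeff' to 12 lowercase hex digits."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class LanPort:
    number: int
    mode: str = "filter"     # "filter" | "alarm" | "block" (hypothetical names)
    white_list: set = field(default_factory=set)
    up: bool = True
    last_trap: dict = field(default_factory=dict)   # intruder MAC -> time of last trap

    def allow(self, mac: str) -> None:
        if len(self.white_list | {norm(mac)}) > MAX_ENTRIES:
            raise ValueError("White List is full (10 entries)")
        self.white_list.add(norm(mac))

    def ingress(self, src_mac: str, now: float) -> tuple:
        """Return (forwarded, traps) for one frame arriving at time `now` in seconds."""
        if not self.up:                  # a blocked port passes nothing
            return False, []
        mac = norm(src_mac)
        if mac in self.white_list:
            return True, []
        traps = []                       # plain "filter" mode: silent drop
        if self.mode in ("alarm", "block"):
            last = self.last_trap.get(mac)
            if last is None or now - last >= TRAP_INTERVAL_S:
                self.last_trap[mac] = now
                traps.append(("intruderAlarm", mac))
        if self.mode == "block":
            self.up = False              # same effect as ETHSD OFF X on this port
            traps.append(("linkDown", self.number))
        return False, traps

if __name__ == "__main__":
    port = LanPort(1, mode="alarm")
    port.allow("00-11-22-33-44-55")      # constructed sample addresses and timestamps
    for t, mac in [(0, "00:11:22:33:44:55"), (0, "de:ad:be:ef:00:01"), (60, "de:ad:be:ef:00:01")]:
        print(t, mac, port.ingress(mac, t))
```

For monitoring, the model shows that in alarm mode a persistent unlisted host produces at most one trap per 3-minute window, so trap counts understate the number of dropped frames, and that in block mode a single unlisted frame also cuts off the listed hosts on that port.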
3.2.2.7 IEEE 802.1x Access Control
The IEEE 802.1x protocol is nowadays commonly used in LAN environments, which were generally
developed as "multipoint to multipoint" media, for simple and secure point-to-point authorization.
It works at the MAC level and provides Authentication and Authorization for a terminal device
connected to a port of active network equipment, e.g. an Ethernet Switch or Wireless Access Point.
The IEEE 802.1x protocol divides network elements into three parts:
The Supplicant
The Supplicant is a client device (laptop, PC) that supports the IEEE 802.1x protocol as a client.
The Supplicant is connected to the Authenticator over an Ethernet or wireless link.
The Authenticator
The Authenticator is a network device, such as a Switch or Wireless Access Point, which acts as an
aggregator of user traffic in a network. It is connected to the Authentication Server and acts as an
intermediate agent between the Supplicant and the network. Orion3/MiniFlex devices operate as the
Authenticator.
The Authentication Server
The Authentication Server is, for example, a RADIUS server. It is responsible for the security policy
of the network. Upon receiving authentication messages from the Authenticator, it grants or blocks
network access for the Supplicant.
The Supplicant is connected to the Authenticator via an Ethernet patch cord or through a wireless
link. In the case of Orion3/MiniFlex devices, wired access is used. If access is not allowed by the
Authentication Server, the Authenticator's port that the Supplicant is connected to stays in the
blocking condition and transmits only EAPOL (Extensible Authentication Protocol Over LAN) frames.
These frames carry authentication and authorization messages and are encrypted. As soon as the
Authentication Server grants network access to the Supplicant, the Authenticator changes the
port status so that all frames can pass through the port.