mac-filtering on switch

hexos

Alfonso said:

+1 for Mac filtering and port security on Nebula switches.

+2 !

SkyGoat

Nebula Control Center v15.1 was released today. The 3rd item of the patch notes for switches looks promising.


There is now a new menu option in Switches > Authentication

Not sure how this is supposed to work.
I can choose "Nebula cloud authentication" from the drop down menu and fill in the Authentication policy settings.  The "Authentication ports" column "0" is clickable, which links to the Switch Ports page with a "(policy=Test)" search filter applied.  No ports with this policy are found, so I guess I have to enable the policy on each port, but cannot see a way to do so.
 

The model list page lists only the XGS1930 range...


...as does the device function table.


I am using the GS1920 range of switches.  Will the cloud MAC authentication feature be extended to the GS1920 range or am I missing something?

SkyGoat

I see with the release of Nebula Control Center v17, that Nebula Cloud MAC Authentication has been rolled out to more models of switch, incuding the GS1920 range that I have :)

Is there any guide on how to go about configuring it?

As above, I can go to Confugure > Switches > Authentication

I can choose "Nebula cloud authentication" from the drop down menu and fill in the Authentication policy settings.  The "Authentication ports" column "0" is clickable, which links to the Switch Ports page with a "(policy=Test)" search filter applied.  No ports with this policy are found, so I guess I have to enable the policy on each port, but cannot see a way to do so.

How do I enable cloud MAC authentication on a port?

Zyxel_Melen

Hi @SkyGoat,

To enable cloud MAC authentication on a port, you need to change the port type to access port.
Then there will be a new selection "Auth. policy".

Kindly remind, I recommend adding MAC address in cloud auth. MAC list before enable auth. policy. And your GS1920 needs to upgrade to the latest firmware.

SkyGoat

This works well, easy to use, and improves the security of the network. A few questions and observations.

What is the purpose of the "MAC limitation" setting? I've tried increasing and decreasing the number, but cannot see what it does.

If I have an authorized, active device plugged into a port on the switch, and I then revoke it's authorization or delete it from the allowed MAC list, the device is still able to communicate. I left it for over and hour and the device was still communicating. I've found the switch port needs to be disabled and reenabled to force a reconnection and prevent the device communicating. Not sure if this is the desired result, as if I go to the Clients page, select a device and add it to the Policy > Block List, it is prevented from communicating within a few seconds.

Testing this on a GS1920-8HP Firmware v4.80(ABKZ.0).

When adding a new device to the Cloud Authentication list, it can be given a description.

It would be good if the Description entered was automatically used as the description on the Clients list. Currently the Cloud Authentication and Clients descriptions are independent so the device has to be named in both locations.

Zyxel_Melen

Hi @SkyGoat,

Apologize for the late reply.

What is the purpose of the "MAC limitation" setting?
>This is used to specify the maximum number of MAC addresses that may be learned on a port. For example, if you set up the MAC limitation with 5 and connect an 8-port management switch to this limited port, you will find only 4 PC can access the network. (Four PC's MAC addresses and one management switch's MAC address)

For your second question, let me take a look and I will update the result soon. Thanks for bringing this to our attention.

Zyxel_Melen

Hi @SkyGoat,

If the client is still connecting with the switch when you remove the MAC address from the Nebula cloud authentication page, the switch will keep this client in the switch cloud authentication allow list. It is because this client has passed the authentication.

In addition, this client will be denied after the next authentication.