Which SNMP OID for monitoring unknown MAC after activating port security?

HPandel
edited August 2022 in Switch
Hello!

We implemented a whole bunch of GS2220 and XGS4600 switches lately and want to use their port security feature. As the whole infrastructure isn't connected to the Internet, we are unable to use any kind of Cloud-based monitoring software. As Zyxel does not seem to provide any kind of smart, central on-premise software for management and monitoring (something I don't understand, because their switches are not low-budget and if you have a look at their competitors...), we are looking to use SNMP for our needs.

We activated port security to control remote device access to our switch ports. Now we would like to get a notification whenever someone connects an unknown new device.

How can this be achieved via SNMP, which OIDs are needed to be monitored, or is there any kind of SNMP trap for this available? I searched through the MIB files, but didn't find anything that seem to fit...

Regards,
Holger

All Replies

  • Zyxel_Melen (Zyxel Employee)
    Hi @HPandel,

    Welcome to the Zyxel community.

    We would like to know why you want to know about unknown devices.
    Port Security only limits the number of MAC addresses learned. When the limit is reached, the switch stops learning MAC addresses and will not know the new MAC address if a new device connects.
    We recommend you use AAA to authenticate devices. The RADIUS server will record when an unknown device connects.

    Zyxel Melen

  • HPandel
    edited February 2021
    Hi @Nebula_Melen!

    Thanks for your answer, I try to explain:

    We are part of a bigger, decentralized network that is not completely under our control. The whole AD, DNS, RADIUS, etc. stuff is managed centrally. The only thing we can put our hands on is our switches and the rest of our local infrastructure.

    It is good practice for us (and we are ordered to do so, btw) to only allow certain user devices (PCs) on certain switch ports. What makes it complicated is that, as most of our business rooms are open to the public, it is possible that someone else with malicious intent can easily disconnect one of our computers and connect their own. With port security they won't get any connection - BUT we have to know that this happened, because we are under external supervision and have to report those findings to a supervisor.

    You know, our business is in Germany; we always need to know everything to be able to report it :-), it is simply a matter of transparency. With our old Cisco switches we had no problem monitoring those events and had a central software that listed every connection attempt on every switch in a single view with time, MAC, and switch port, and we were able to "unlock" a new MAC and port from there. We did not even have to connect to the switch, as everything was handled by the software. Sadly, that's not possible with the Zyxel switches now...

    We simply cannot implement any other kind of authentication whatsoever; that's beyond our reach.

    Regards,
    Holger
  • HPandel
    edited February 2021
    Hi @Nebula_Melen!

    Thanks for your question!

    Our business is part of a bigger, centrally managed network. Things like AD, DNS, and RADIUS are not under our control. We are only able to put our hands on our switches and the rest of the local components. Nothing to discuss or change here.

    As we are being supervised by an external company, we are forced to track every "known" AND "unknown" attempt to connect to our network. So, even if we limit network access via port security, we are forced to report connection attempts. As most of our business rooms are open to the public, it is possible that someone with malicious intent disconnects one of our computers and connects their own. With port security the port is shut down, that's fine, but we NEED to know time, switch, port, MAC. That is why.

    You know, our business is in Germany, and we always need maximum transparency, even in this special case. We can get into serious legal trouble if we don't take care in this regard.

    With our old Cisco switches, we had a central software that gathered ALL connect events from every switch, and we could analyze and filter to our liking. We were even able to "unlock" ports and add new MAC addresses to the switch tables without connecting to the switch; everything happened in the background. Sadly, that is not possible with the Zyxel devices.

    Regards,
    Holger

  • Zyxel_Melen (Zyxel Employee)
    edited February 2021
    Hi @HPandel,

    According to your description, we recommend you use IP Source Guard.
    In IP Source Guard, you can manually add the MAC and IP of your devices to the whitelist and activate ARP inspection.
    When an unknown device attempts to connect to your network, ARP inspection will check the ARP packets sent by the unknown device.
    Because the unknown device is not in the whitelist, ARP inspection will block the connection and record it in the log.
    You can see the MAC address and IP in the system log, like the example below.


    These topics can help you set this up:
    1. How to configure IPSG static binding for trusted network devices
    2. How to configure the switch to prevent ARP spoofing
    If you use a DHCP server, you also need to look at this topic:
    3. How to configure the switch to protect against rogue DHCP servers

    Hope it helps.

    Zyxel Melen

  • HPandel
    Hi @Nebula_Melen,

    Many thanks for your answer. We will test this setup to see if it fits our needs.

    Do you know if the log entries are also sent as SNMP traps?

    Regards,
    Holger

  • Zyxel_Melen (Zyxel Employee)
    Hi @HPandel,

    The log entries are not sent as SNMP traps.
    We suggest you use a SYSLOG server.
    You can follow this topic to set it up: How to configure the switch to backup events on a SYSLOG server

    Hope it helps.

    Zyxel Melen
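
Since the thread ends with "send the log to a syslog server", here is an added example (not from the original thread and not Zyxel's software) of the receiving side: a small syslog collector that pulls MAC addresses and port numbers out of incoming lines and flags any MAC that is not on a per-switch, per-port allowlist, producing exactly the time / switch / port / MAC record the poster needs for reporting. The switch's real ARP-inspection log text is not visible on this page (the screenshot is missing), so the sample lines, the hostname `sw-floor1`, the allowlist and the `port N` pattern are all constructed assumptions; adjust the regular expressions to the wording your switches actually emit.

```python
"""
Added example: syslog collector that flags MACs not on a per-port allowlist.
Log lines and allowlist below are CONSTRUCTED; Zyxel's real ARP-inspection
message wording is not shown on the page, so adapt MAC_RE / PORT_RE as needed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# RFC 3164 style line:  <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Accept both colon- and dash-separated MAC notation.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
# Assumed wording "port 7"; change if your switch logs ports differently.
PORT_RE = re.compile(r"\bport\s*(\d+)\b", re.IGNORECASE)


@dataclass
class Event:
    time: str
    switch: str
    port: Optional[str]
    mac: str
    message: str


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so allowlist lookups match."""
    return mac.lower().replace("-", ":")


def parse_line(line: str) -> List[Event]:
    """Return one Event per MAC address found in a syslog line (none if unparseable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return []
    msg = m.group("msg")
    pm = PORT_RE.search(msg)
    port = pm.group(1) if pm else None
    return [
        Event(m.group("ts"), m.group("host"), port, normalise_mac(mac), msg)
        for mac in MAC_RE.findall(msg)
    ]


Allowlist = Dict[Tuple[str, Optional[str]], Set[str]]


def unknown_devices(lines: List[str], allowlist: Allowlist) -> List[Event]:
    """Events whose MAC is not allowed on that (switch, port); missing port -> nothing allowed."""
    findings = []
    for line in lines:
        for ev in parse_line(line):
            if ev.mac not in allowlist.get((ev.switch, ev.port), set()):
                findings.append(ev)
    return findings


def serve(allowlist: Allowlist, bind: Tuple[str, int] = ("0.0.0.0", 514)) -> None:
    """Listen for UDP syslog and print every unknown-device finding as it arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (src, _) = sock.recvfrom(4096)
        text = data.decode("utf-8", errors="replace").rstrip("\r\n")
        for ev in unknown_devices([text], allowlist):
            print(f"UNKNOWN {ev.time} switch={ev.switch} ({src}) port={ev.port} mac={ev.mac}")


# Constructed sample input: the second line carries a MAC that is not allowed on port 7.
SAMPLE_LINES = [
    "<13>Feb 10 09:14:02 sw-floor1 ARP inspection: drop packet from 00:11:22:33:44:55 on port 7",
    "<13>Feb 10 09:14:05 sw-floor1 ARP inspection: drop packet from aa-bb-cc-dd-ee-ff on port 7",
    "<14>Feb 10 09:15:00 sw-floor1 system: interface port 3 link up",
]
SAMPLE_ALLOWLIST: Allowlist = {("sw-floor1", "7"): {"00:11:22:33:44:55"}}

if __name__ == "__main__":
    for ev in unknown_devices(SAMPLE_LINES, SAMPLE_ALLOWLIST):
        print(f"UNKNOWN {ev.time} switch={ev.switch} port={ev.port} mac={ev.mac}")
    # To run for real (needs privileges for port 514): serve(SAMPLE_ALLOWLIST)
```

Run it as a script to see the offline check against the constructed lines; call `serve()` with your own allowlist to listen on UDP/514. Because syslog over UDP is unauthenticated and unencrypted, keep the collector on the same management VLAN as the switches and treat the collected records as evidence of an attempt, not as proof of who made it.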