D-Link DES-3828 Product Manual - Page 376
MAC-Based Access Control Commands, Notes About MAC-Based Access Control
UPC - 790069276811
View all D-Link DES-3828 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 376 highlights
xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch CLI Manual 56 MAC-BASED ACCESS CONTROL COMMANDS The MAC-Based Access Control feature will allow users to configure a list of MAC addresses, either locally or on a remote RADIUS server, to be authenticated by the Switch and given access rights based on the configurations set on the Switch of the target VLAN where these authenticated users are placed. The Switch will learn MAC addresses of a device through the receipt of ARP packets or DHCP packets and then attempt to match them on the authenticating list. If the client has not been configured for DHCP or does not have an IP configuration in static mode, then MAC addresses cannot be discovered and the client will not be authenticated. Ports and MAC addresses awaiting authentication are placed in the Guest VLAN where the Switch administrator can assign limited rights and privileges. For local authentication on the Switch, the user must enter a list of MAC addresses to be accepted through this mechanism using the MAC-Based Access Control Local Database Settings window, as seen below. The user may enter up to 1024 MAC addresses locally on the Switch but only sixteen MAC addresses can be accepted per physical MAC-Based Access Control enabled port. Once a MAC addresses has been authenticated by the Switch on the local side, the port where that MAC address resides will be placed in the previously configured target VLAN, where the rights and privileges are set by the switch administrator. If the VLAN Name for the target VLAN is not found by the Switch, the Switch will return the MAC address to the originating VLAN. If the MAC address is not found, then if the port is in the Guest VLAN, it will remain in the Guest VLAN, with the associated rights. If the port is not in the guest VLAN, this MAC address will be blocked by the Switch. For remote RADIUS server authentication, the user must first configure the RADIUS server with a list of MAC addresses and relative target VLANs that are to be authenticated on the Switch. Once a MAC address has been discovered by the Switch through ARP or DHCP packets, the Switch will then query the remote RADIUS server with this potential MAC address, using a RADIUS Access Request packet. If a match is made with this MAC address, the RADIUS server will return a notification stating that the MAC address has been accepted and is to be placed in the target VLAN. If the VID for the target VLAN is not found by the Switch, the Switch will create its own MAC-Based Access Control VLAN, named MBA-xx, where the xx is the VID of the first available VLAN ID that can be assigned to this VLAN. If the MAC address is not found, then if the port is in the Guest VLAN, it will remain in the Guest VLAN, with the associated rights. If the port is not in the guest VLAN, this MAC address will be blocked by the Switch. Notes About MAC-Based Access Control There are certain limitations and regulations regarding the MAC-Based Access Control: 1. Once this feature is enabled for a port, the Switch will clear the FDB of that port. 2. If a port is granted clearance for a MAC address within a VLAN that is NOT a Guest VLAN, other MAC addresses on that port must be authenticated for access and otherwise will be blocked by the switch. 3. MAC-Based Access Control is its own entity and is not dependant on other authentication functions on the Switch, such as 802.1X, Web-Based authentication etc... 4. For authenticating VLANs that are not Guest VLANs, a port accepts a maximum of sixteen authenticated MAC addresses per physical port. Other MAC addresses attempting authentication on a port with the maximum number of authenticated MAC addresses will be blocked. 5. Ports that have been enabled for Link Aggregation, stacking, 802.1X authentication, 802.1X Guest VLAN, Port Security, GVRP or Web-Based authentication cannot be enabled for the MAC-Based Authentication. The MAC-based Access Control commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the following table. Command Parameters enable mac_based_access_control disable mac_based_access_control config mac_based_access_control {ports [ | all] state [enable | disable] | method [local | radius] | password } show mac_based_access_control {ports [ | all]} create mac_based_access_control guest_vlan config mac_based_access_control guest_vlan ports delete mac_based_access_control guest_vlan 372