How to configure port security to disable dynamic MAC learning and allow access to particular device
The port security feature allows user to limit the number of connected devices by limiting the number of dynamic MAC address that can be learned on the port.
However, there are scenarios that we would like only certain trusted/known devices that can have access, but block any unknown “rogue” devices.
Let’s say in a small office network, the goal is to forbid any personal device (such as PC, NB) but only allow company issued equipment to have access.
Furthermore, trusted/known devices may only access the network through their own respective port.
In the example, both PC A and B are company issued equipment that requires access to the network. Any other personal device (PC ?) is absolutely forbidden.
PC A has the authority to have network access in port 1 but not port 2,
while PC B can only access via port 2 and will be blocked on port 1.
The following content provides detailed
procedures on how to allow network access to one specific device via one
specific switch port using port security.
All network addresses and subnet masks are used as examples in this article. Please replace them with your actual network configuration.
1. Configuration of the switch
1-1. Access the web GUI of the Switch.
1-2. Connect PC A to port 1, and PC B to port 2.
1-3. Go to Advanced Application > Port Security
Input port 1,2 in the MAC Freeze list, and click “MAC freeze”.
You will then see Port Security for port 1&2 will be automatically activated, and Address Learning will be disabled.
1-4. Go to Advanced Application > Static MAC Forwarding
The MAC address of PC A and PC B will be automatically added in the static entry list.
In case you don’t have the PCs in hand when configuring.
1) Go to Advanced Application > Static MAC Forwarding, manually input PC A and B’s MAC address for port 1 & 2.
2) Go to Advanced Application > Port Security, activate Port Security and disable Address Learning for port 1 & 2.
2. Test the Result
2-1. Go to Management > MAC Table.
The MAC address entry type of port 1 & 2 should now be “Static”, no matter if PC A or B is connecting or not.
2-2. Connect PC A or any other rogue device to port 2.
Its MAC address cannot be learned by port 2 anymore.
From now on, only PC B (00:1e:33:27:04:93) can access via port 2.
2-3. Connect PC B or any other rogue device to port 1.
Its MAC address cannot be learned by port 1 anymore.
From now on, only PC A (a0:8c:fd:1c:c0:b1) can access via port 1.
3. What May Go Wrong
It’s not allowed to assign one static MAC address to multiple ports, because it doesn't make sense that a single MAC address exists on several ports simultaneously.
Once a static MAC address entry is set on a port, this MAC address will not be learned by any other ports on the switch whether the port security/address learning is activated of not.