
The best way of deploying a static group of MAC addresses on GS752TX that can access the network.

wtosta
Aspirant


I would like to configure a group of ports on the S3300-52X switch so that only devices within the indicated MAC address space can access the LAN and communicate with the other ports. However, devices with foreign MAC addresses must not be able to connect. I mainly want to eliminate the possibility of connecting a foreign device to the LAN. I'm afraid that configuring a VLAN will not solve the problem, because we cannot guess which LAN wall socket the intruder will connect to. If he connects to a given VLAN, he will have access to the other devices in this VLAN. I don't want this. Therefore, I think the best option will be to define port filtering on MAC addresses. Hence my question: which functionality of the S3300-52X switch is best to use to achieve the goal? MAC filter configuration, Port Security or ACL?

Best regards

Model: S3300-52X (GS752TX)|ProSafe 48 ports stackable smart switches
Message 1 of 5

Accepted Solutions
wtosta
Aspirant

Re: The best way of deploying a static group of MAC addresses on GS752TX that can access the netw...

Hello
First of all, thank you very much for the hint which led me to resolve the case.

In order to block "unknown" MAC addresses on the switch and admit only defined addresses to the network on the GS752TX with the latest firmware at the moment, 6.6.4.9, installed, you must do the following:

1. On the selected ports in the selected VLANs (if any are set; by default VLAN1 is set on all ports, which is equivalent to having no VLANs set), define the MAC addresses of the network cards of the connected clients. (Note: more than one static MAC can be defined on one port.)
Main Menu -> Switching -> Address Table -> Advanced -> Static MAC Addresses

2. Next, in the menu Security -> Traffic Control -> Port Security -> Interface Configuration, select the port with the assigned MAC addresses and, importantly, set "Max Learned MAC Address" to "0". If you do not set it, the port will continue to accept undefined MAC addresses. Defined MACs will only work on the port assigned to them. We did not want to accept any MAC addresses unknown to the switch, which is why setting "Max Learned MAC Address" to "0" is so important.

I think that the matter can be treated as resolved.

Best regards
Witek


Model: S3300-52X (GS752TX)|ProSAFE 48-port Stackable Smart Switches
Message 4 of 5
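
Added example, not part of the original post and not NETGEAR code: a simplified Python model of the two-step setup in the accepted solution, plus an audit that flags ports where "Max Learned MAC Address" was left above 0. The port names, MAC addresses, allow-list and data layout are constructed assumptions; the real values would be copied by hand from the two GUI pages named in the post.

```python
import re

def norm_mac(text):
    """Canonicalise aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to lower-case colon form."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample data: hypothetical port names and MAC addresses.
# "static" holds (VLAN ID, MAC) pairs from step 1; "max_learned" is step 2.
PORTS = {
    "g1": {"max_learned": 0, "static": [(1, "00:11:22:AA:BB:01"), (1, "0011.22aa.bb02")]},
    "g2": {"max_learned": 5, "static": [(1, "00-11-22-AA-BB-03")]},  # step 2 skipped
    "g3": {"max_learned": 0, "static": []},                          # unused wall socket
}
ALLOW_LIST = ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03",
              "00:11:22:aa:bb:04"]

def admits(ports, port, vlan, mac, learned=0):
    """Model of the behaviour the post describes (not firmware logic).
    `learned` is the number of dynamic addresses the port already holds."""
    mac = norm_mac(mac)
    bound = {(p, v, norm_mac(m)) for p, c in ports.items() for v, m in c["static"]}
    if any(m == mac for _p, _v, m in bound):
        # A statically defined MAC works only on the port and VLAN it is bound to.
        return (port, vlan, mac) in bound
    # Unknown MAC: accepted only while the port may still learn addresses.
    return learned < ports[port]["max_learned"]

def audit(ports, allow_list):
    """List ports that still learn, unapproved static MACs, and unconfigured approved MACs."""
    allow = {norm_mac(m) for m in allow_list}
    findings, seen = [], set()
    for name, cfg in sorted(ports.items()):
        if cfg["max_learned"] != 0:
            findings.append((name, "learning-enabled"))
        for _vlan, mac in cfg["static"]:
            m = norm_mac(mac)
            seen.add(m)
            if m not in allow:
                findings.append((name, f"unapproved-static {m}"))
    findings += [("-", f"not-configured {m}") for m in sorted(allow - seen)]
    return findings

if __name__ == "__main__":
    for finding in audit(PORTS, ALLOW_LIST):
        print(finding)
```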

All Replies
DaneA
NETGEAR Employee Retired

Re: The best way of deploying a static group of MAC addresses on GS752TX that can access the netw...

Hi @wtosta,

Welcome to the community! 🙂

Here is what I suggest: First, add the specific MAC addresses to the Address Table. To do this, log in to the web GUI of the S3300-52X switch, go to Switching > Address Table > Advanced > Static MAC Address, then specify the interface you want to associate the MAC addresses with. For reference, read page 191 of the S3300 Software Administration Manual here. Finally, configure Port Security.

Let me share the old forum thread below since your concern is similar to it:

https://community.netgear.com/t5/Smart-Plus-Click-Switches/gs748ts-mac-based-port-security/td-p/1148...

If ever your concern has been addressed or resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Regards,

DaneA
NETGEAR Community Team

Message 2 of 5
DaneA
NETGEAR Employee Retired

Re: The best way of deploying a static group of MAC addresses on GS752TX that can access the netw...

@wtosta,

Just want to follow up on this. Let us know if you have further inquiries.

Otherwise, if ever your concern has been addressed or resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Regards,

DaneA
NETGEAR Community Team

Message 3 of 5
DaneA
NETGEAR Employee Retired

Re: The best way of deploying a static group of MAC addresses on GS752TX that can access the netw...

Hi @wtosta,

Thank you for your feedback. I'm glad to know that this matter is now resolved. 🙂

Since your concern has been resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Cheers,

DaneA
NETGEAR Community Team

Message 5 of 5