How to Configure Ports
In Policy Manager, you can specify a port's authentication settings, as well as specify a default role for the port, freeze or unfreeze a port, enable or disable the Drop VLAN Tagged Frames and MAC Locking features, enable CEP (Convergence End Point) protocols, and set other port settings. There are two ways to configure ports:
- Using the Port Configuration Wizard: The Port Configuration Wizard is a series of windows that leads you through all the steps required to configure ports. You can configure a single port with the wizard, but it is even more useful for configuring multiple ports simultaneously. To configure authentication for a port in a Pre-Defined Port Group, you must use the Port Configuration Wizard.
- Using the Port Properties Window: You can use the Port Properties window to configure port settings for a single port.
Using the Port Configuration Wizard
The Port Configuration Wizard is a series of windows that leads you through all the steps required to configure a port or ports, including setting the port mode, login settings, and default role. Use the Port Configuration Wizard to configure single or multiple ports simultaneously. You must configure and enable authentication on the device before any port authentication settings will take effect (see How to Configure Devices).
The Wizard also lets you create a port configuration template based on a port configuration so that you can easily configure ports that have the same configuration requirements. Once you create the template you can reuse it whenever you need that specific port configuration by simply loading the template into the Port Configuration Wizard.
- From the menu bar, select Tools > Port Configuration Wizard. The Port Configuration Wizard opens.
- This step depends on whether or not you are using a Port Configuration Template:
- To use a Port Configuration Wizard Template, click the Load button and select the template from the list in the Open Template window. After the template has loaded, you can select Jump to Port Selection to select your ports, or you can proceed with the wizard and select options to configure to edit the template configuration.
- If you are not using a Port Configuration Wizard Template, proceed with selecting options to configure.
Select Options to Configure
In the Port Configuration window, select the configurations you wish to perform:
- Authentication - Lets you configure your port authentication. Refer to the NetSight Firmware Support tables for information on the authentication types supported by each device type. For more information on the different types of authentication, see Authentication Types.
- Default Role & Drop VLAN Tagged Frames - Lets you assign a default role and enable the Drop VLAN Tagged Frames feature on the ports. A port's default role takes effect when an end user on a port fails to authenticate, or if authentication is inactive on the port. See Default Role for more information. If you set a default role for the ports, it is recommended that you enable the Drop VLAN Tagged Frames feature. This feature lets you set the ports so that any packet already tagged with a VLAN coming into the ports will be dropped. See Drop VLAN Tagged Frames for more information.
- Frozen Status - Enables you to "lock" the ports so that no one can accidentally reconfigure their sensitive attributes. See How to Freeze/Unfreeze a Port for more information.
- MAC Locking - Lets you enable MAC Locking on ports, if the device on which the port is located supports it.
- Disable Traffic Classification Types - Lets you create a list of rule types that will be disabled on the ports.
- Egress Policy Status - Lets you enable Egress Policy on ports, if the device on which the port is located supports it.
- RFC3580 VLAN Authorization - Lets you enable or disable RFC 3580 VLAN Authorization on the ports and specify an egress state.
- Tagged Packet VLAN to Role Mapping - Lets you configure Tagged Packet VLAN to Role mappings on the ports. These mappings provide a way to let ports assign a role to network traffic, based on a VLAN ID.
- MAC/IP to Role Mapping - Lets you configure MAC or IP to role mappings on the ports. These mappings provide a way to let ports assign a role to an end station based on its source MAC or IP address.
Configure Settings
The sequence of windows you see next depends on the selections you made in the Port Configuration window.
NOTE: Each window provides the option to use the current configuration on the port(s), or set a new configuration. If you select Use Current Configuration on Port(s), the default settings in the window are visible, but are unavailable for entry or editing. Keep in mind that these values do not necessarily reflect the current settings on the port.
Port Authentication Configuration Window
Select the authentication parameters you wish to configure. The selections you make here will determine the other Authentication configuration windows you will see.
- Shared Settings
- Port Mode (802.1X , MAC, Web-Based, CEP, Quarantine, Auto Tracking) - Defines whether or not end users are required to authenticate, and how unauthenticated traffic will be handled. See Port Mode for more information.
- Hold Time (802.1X, MAC, Web-Based) - (Also known as Quiet Period in web-based and MAC authentication.) Amount of time (in seconds) authentication will remain timed out after the specified Timeout Number has been reached.
- Automatic Re-Authentication (802.1X, MAC) - Lets you enable the periodic automatic re-authentication of logged-in users.
- Authenticated User Counts (802.1X, MAC, Web-Based) - The number of users that can be actively authenticated or have authentications in progress at one time on a port. This option is for ports on devices with Multi-User as their configured authentication type.
- 802.1X Settings
- Authentication Request Period - How often (in seconds) the device queries the port to see if there is a new user on it. If a user is found, the device then attempts to authenticate the user.
- User Timeout - The amount of time (in seconds) the device waits for an answer when querying the port for the existence of a user.
- Authentication Server Timeout - If a user is found on the port, the amount of time (in seconds) the device waits for a response from the authentication server before timing out.
- Port Handshake Requests - The number of times the device tries to finalize the authentication process with the user, before the authentication request is considered invalid and authentication fails.
- Web-Based Settings
- Timeout Number - The number of times a user can attempt to log in before authentication times out and further login attempts are not allowed.
- CEP Settings
- CEP Protocol Enable - Lets you enable various CEP (Convergence End Point) protocols on ports, if the device on which the port is located supports CEP. See How to Configure CEP for more information.
Port Mode Window (802.1X, MAC, Web-Based, CEP, Quarantine, Auto Tracking)
Specify the desired port mode for ports. Port mode defines whether or not a user is required to authenticate on a port, and how unauthenticated traffic will be handled. It is a combination of Authentication Behavior (whether or not authentication is enabled on a port), and Unauthenticated Behavior (whether unauthenticated traffic will be assigned to a port's default role or discarded). See Port Mode for a complete description of each port mode.
NOTES: If you set the ports' Authentication Behavior to Active, it is recommended that you enable the Drop VLAN Tagged Frames feature on the ports.
For Single User 802.1X or 802.1X+MAC authentication: If you set port mode to Active/Default Role, then the selected default role will be automatically set on the configured ports. If you set port mode to Active/Discard, then any default role assigned to the ports will be automatically cleared.
In addition, the Port Mode window provides checkboxes that allow you to disable a specific authentication type at the port level. If the device is only configured with one authentication type, selecting the corresponding checkbox will result in the port Authentication Behavior being set to Inactive.
NOTES: For Single User 802.1X+MAC authentication with Active/Default Role as the selected port mode: Disabling 802.1X authentication also disables MAC authentication on the port. An end user connecting to the port will not be able to authenticate via 802.1X or MAC. The port will behave as if Inactive/Default Role is the selected port mode.
For Multi-User Web-Based authentication with Active/Discard as the selected port mode: The "Disable Web-Based authentication for specified port(s)" checkbox is automatically selected because multi-user web-based authentication does not support the Active/Discard port mode.
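The port-mode rules above interact in ways that are easy to misread (a per-type disable checkbox can silently turn a port Inactive, and Active/Discard clears a default role). The following is an added example, not Policy Manager code or anything from this page: it writes those rules as a small decision model so the combinations can be checked. The role names, authentication type sets and the PortMode type are constructed for the example.

```python
"""Added example (not Policy Manager code): the port-mode rules from the Port
Mode window written as a small decision model, so that the interaction between
Authentication Behavior, Unauthenticated Behavior and the per-type disable
checkboxes can be checked. Role names and type sets are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PortMode:
    authentication: str    # Authentication Behavior: "Active" or "Inactive"
    unauthenticated: str   # Unauthenticated Behavior: "Default Role" or "Discard"


def effective_port_mode(requested: PortMode, device_auth_types: Iterable[str],
                        disabled_on_port: Iterable[str], single_user: bool) -> PortMode:
    """Apply the 'disable <type> authentication for specified port(s)' checkboxes.

    If the device is configured with a single authentication type and that type
    is disabled on the port, Authentication Behavior becomes Inactive. For
    Single User 802.1X+MAC with Active/Default Role, disabling 802.1X also
    disables MAC, so the port ends up behaving as Inactive/Default Role.
    """
    types = frozenset(device_auth_types)
    disabled = frozenset(disabled_on_port)
    remaining = set(types - disabled)
    if (single_user and types == frozenset({"802.1X", "MAC"})
            and "802.1X" in disabled
            and requested == PortMode("Active", "Default Role")):
        remaining.discard("MAC")
    if not remaining:
        return PortMode("Inactive", requested.unauthenticated)
    return requested


def unauthenticated_traffic(mode: PortMode, default_role: Optional[str]) -> str:
    """Where traffic from a not-yet-authenticated user ends up."""
    if mode.unauthenticated == "Discard":
        return "discard"
    return "role:" + (default_role or "<None>")


def default_role_after_wizard(mode: PortMode, selected_role: Optional[str],
                              current_role: Optional[str],
                              single_user_dot1x: bool) -> Optional[str]:
    """Single User 802.1X or 802.1X+MAC: Active/Default Role sets the selected
    role on the ports; Active/Discard clears any default role. Other cases
    leave the current default role alone."""
    if not single_user_dot1x or mode.authentication != "Active":
        return current_role
    return selected_role if mode.unauthenticated == "Default Role" else None


def web_based_disable_forced(mode: PortMode, multi_user_web_based: bool) -> bool:
    """Multi-User Web-Based does not support Active/Discard, so the wizard
    selects 'Disable Web-Based authentication for specified port(s)' itself."""
    return multi_user_web_based and mode == PortMode("Active", "Discard")
```

Running `effective_port_mode(PortMode("Active", "Default Role"), {"802.1X", "MAC"}, {"802.1X"}, single_user=True)` returns Inactive/Default Role, which is the case worth double-checking before an enforce: the operator asked for an Active port but every end user on it will land in the default role without authenticating.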
Hold Time Window (802.1X, MAC, Web-Based)
Enter the amount of time (in seconds) authentication will remain timed out after the specified Timeout Number has been reached. Valid values are 0-65535. The default is 60. (Hold Time is also known as Quiet Period in web-based and MAC authentication.)
Authentication Request Period Window (802.1X)
Enter how often (in seconds) the device should query the port to see if there is a new user on it. Valid values are 1-65535. The default is 30.
User Timeout Window (802.1X)
Enter the amount of time (in seconds) the device should wait for an answer when querying the port for the existence of a user. Valid values are 1-300. The default is 30.
Authentication Server Timeout Window (802.1X)
Enter the amount of time (in seconds) the device should wait for a response from the authentication server before timing out, if a user is found on the port. Valid values are 1-300. The default is 30.
Port Handshake Requests Window (802.1X)
Enter the number of times the device should try to finalize the authentication process with the user, before the authentication request is considered invalid and authentication fails. Valid values are 1-10. The default is 2.
Automatic Re-Authentication Window (802.1X, MAC)
Enable or disable the automatic re-authentication feature by setting the Re-Authentication Status to Active (enabled) or Inactive (disabled). This specifies whether or not the device should periodically repeat the authentication process for logged-in users on this port. If you activate automatic re-authentication, specify how often this should occur (Re-Authentication Frequency), in seconds. Valid values are 1-2147483647. The default is 3600.
Authenticated User Counts Window (802.1X, MAC, Web-Based)
This option is for ports on devices with Multi-User as their configured authentication type. Enter the maximum number of users that can be actively authenticated or have authentications in progress at one time on the specified ports. The maximum number allowed varies for different port types. If you set this value below the current number of users on the ports, end user sessions exceeding that number will be terminated. If you have selected MAC as a Multi-User authentication type, enter the maximum number of users that can be actively authenticated via MAC authentication, or have MAC authentications in progress at one time on this interface. The number of allowed MAC users cannot exceed the number of allowed users. If you set this value below the current number of users, end user sessions exceeding that number will be terminated.
Timeout Number Window (Web-Based)
Enter the number of times a user can attempt to log in before authentication times out and further login attempts are not allowed. Valid values are 1-2147483647. Zero is not allowed. The default is 2.
CEP Protocol Enable Window
Enable or disable various CEP protocols for the ports being configured. The table lists all the CEP protocols currently supported by Policy Manager. Use the checkboxes (or the Enable All and Disable All buttons) to enable or disable the desired CEP protocols. You must configure and enable CEP on the device in addition to configuring CEP on the ports (see How to Configure Devices).
Default Role Window
Use the drop-down list to select a default role for the ports. If you already set the ports' Authentication Behavior to Active and specified a default role in the Port Mode window, then this panel will be disabled. Select the Clear the current default role option to set the default role back to <None>. If you set a default role for the ports, it is recommended that you enable the Drop VLAN Tagged Frames feature.
Drop VLAN Tagged Frames Window
Choose whether or not you want packets already tagged with a VLAN to be dropped from the ports. Usually you would have this enabled for user ports and disabled for interswitch ports. See Drop VLAN Tagged Frames for more information.
WARNING: Enabling this feature on an interswitch or backplane port is likely to result in loss of contact with devices connected through the port.
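To make the behaviour (and the warning) concrete, the following added example, which is not code from Policy Manager or from this page, parses the Ethernet header of constructed sample frames, detects an 802.1Q tag, and applies the stated rule: with the feature enabled, any incoming frame that already carries a VLAN tag is dropped. Run against trunk traffic, it shows why an interswitch port configured this way loses contact. The MAC addresses, VLAN IDs and helper names are sample values chosen for the example.

```python
"""Added example (not code from Policy Manager or this page): what the Drop VLAN
Tagged Frames setting does to individual frames. It parses the Ethernet header
of constructed sample frames, detects an 802.1Q tag, and applies the rule the
page states: with the feature enabled, any incoming frame that already carries
a VLAN tag is dropped. MAC addresses and VLAN IDs below are sample values.
"""
import struct
from typing import List, Optional

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service tag (802.1ad / QinQ), also treated as "tagged"


def build_frame(dst: str, src: str, vlan_id: Optional[int] = None,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet frame, optionally with an 802.1Q tag (sample data)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Read just enough of the header to know whether a VLAN tag is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "pcp": None, "ethertype": ethertype}
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["vlan_id"] = tci & 0x0FFF       # 12-bit VLAN identifier
        info["pcp"] = tci >> 13              # 3-bit priority code point
        info["ethertype"] = struct.unpack("!H", frame[16:18])[0]
    return info


def port_accepts(frame: bytes, drop_vlan_tagged: bool) -> bool:
    """True if the port passes the frame on for classification, False if it drops it."""
    return not (drop_vlan_tagged and parse_frame(frame)["vlan_id"] is not None)


def filter_frames(frames: List[bytes], drop_vlan_tagged: bool) -> dict:
    """Count what a port would do with a batch of frames under the given setting."""
    accepted = sum(port_accepts(f, drop_vlan_tagged) for f in frames)
    return {"accepted": accepted, "dropped": len(frames) - accepted}


# Constructed sample traffic: one untagged user frame, two tagged trunk frames.
SAMPLE_FRAMES = [
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:10"),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:20", vlan_id=100),
    build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:30", vlan_id=200),
]
```

`filter_frames(SAMPLE_FRAMES, True)` keeps only the untagged user frame; on a user port that is the intended outcome (a station cannot pick its own VLAN by tagging), while on an interswitch port it means every trunked VLAN is silently discarded.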
Frozen Status Window
Enables you to "lock" the ports so that no one can accidentally reconfigure their sensitive attributes. Select either the Set Frozen or Clear Frozen option.
MAC Locking Window
Enable or disable MAC Locking for the ports being configured. You can also set the maximum number of MAC addresses that are allowed to be locked dynamically or statically on a port. Use the Static Locked MAC Addresses table to create a list of locked MAC addresses, so that the ports only accept traffic from those MAC addresses. Click Add to open the Enter Static Locked MAC window, where you can enter a MAC address to add to the list. Click Remove to remove a selected entry from the Locked MAC Addresses list.
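The following added example, not code from Policy Manager or this page, models the MAC Locking settings described above on a single port: a static locked list (the Static Locked MAC Addresses table), a static and a dynamic maximum, and an accept/refuse decision per source MAC. That unknown addresses are learned dynamically until the dynamic limit is full and that frames from any other source are refused are assumptions about typical port-security behaviour rather than statements from the page; the MAC addresses and the MacLockedPort name are constructed for the example.

```python
"""Added example (not Policy Manager code): a model of MAC Locking on one port.
The static list corresponds to the page's Static Locked MAC Addresses table and
the two limits to the dynamic/static maximums it mentions. How unknown
addresses are learned dynamically up to the limit, and that frames from any
other source MAC are refused, are assumptions about typical port-security
behaviour, not statements from the page. Sample MACs are constructed.
"""
from typing import List, Set


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return the colon form."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacLockedPort:
    def __init__(self, enabled: bool, max_static: int, max_dynamic: int) -> None:
        self.enabled = enabled
        self.max_static = max_static
        self.max_dynamic = max_dynamic
        self.static_locked: Set[str] = set()
        self.dynamic_locked: Set[str] = set()
        self.violations: List[str] = []   # source MACs that were refused

    def add_static(self, mac: str) -> None:
        """'Add' in the Enter Static Locked MAC window."""
        mac = normalize_mac(mac)
        if mac in self.static_locked:
            return
        if len(self.static_locked) >= self.max_static:
            raise ValueError("static locked MAC limit reached")
        self.static_locked.add(mac)

    def remove_static(self, mac: str) -> None:
        """'Remove' for a selected entry in the Locked MAC Addresses list."""
        self.static_locked.discard(normalize_mac(mac))

    def accept(self, src_mac: str) -> bool:
        """Decide whether a frame with this source MAC is accepted on the port."""
        mac = normalize_mac(src_mac)
        if not self.enabled:
            return True
        if mac in self.static_locked or mac in self.dynamic_locked:
            return True
        if len(self.dynamic_locked) < self.max_dynamic:   # assumption: learn until full
            self.dynamic_locked.add(mac)
            return True
        self.violations.append(mac)
        return False


def demo() -> dict:
    """Walk a sample port through a printer MAC, one learned laptop and one refused device."""
    port = MacLockedPort(enabled=True, max_static=4, max_dynamic=1)
    port.add_static("00-00-5E-00-53-AA")              # known printer, constructed value
    results = {
        "printer": port.accept("00:00:5e:00:53:aa"),
        "first_unknown": port.accept("00:00:5e:00:53:01"),
        "second_unknown": port.accept("00:00:5e:00:53:02"),
    }
    results["violations"] = list(port.violations)
    return results
```

The `violations` list is the part worth keeping an eye on operationally: a refused source MAC on a port that should only ever see one printer is the signal that something else was plugged in.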
TCI Overwrite Window
Enable or disable TCI Overwrite functionality for the ports being configured. Enabling TCI Overwrite causes the VLAN or class of service tag in a received packet to be overwritten by the VLAN (access control) and class of service characteristics defined in the port's current or default role. If there is no role assigned to the port, the port uses any static classification rules which exist. If there are no static rules, the port uses the PVID and default class of service for the port.
TCI Overwrite is required for some devices for Tagged Packet VLAN to Role Mapping, and can be enabled either here at the port level, or for an individual role in the role's General tab.
Disable Traffic Classification Types Window
Create a list of traffic classification rule types that will be disabled on the ports. For example, you can disable the VLAN ID traffic classification type to disable Tagged Packet VLAN to Role Mapping on the ports you are configuring. Click Add to open the Traffic Classification Type wizard where you can select the rule type you want to add to the list, or click Add All to add all rule types to the list. Adding all rule types would disable all traffic classification on the port, and the role's default class of service and/or default access control would take effect. Click Remove to remove selected rule types from the list.
Egress Policy Status Window
Enable or disable Egress Policy for the ports being configured. Egress policy can be used in scenarios where policy may not be in force at the user edge throughout the entire network. For example, a policy can be created that prevents users from running unauthorized Apache web servers. If an end user has an Apache server running on their end-system (where policy is in use), an egress policy could prevent another end-system (where policy is not in use) from accessing that end-system as an HTTP server, by dropping HTTP queries destined to that end user. Egress policy works in conjunction with the ingress policy configured for the port, in that the same ingress policy rules will be applied to the traffic egressing the port, with the exception of rules that specify a source or destination address. In this case, the ingress rules will still be used, but the direction of the rule will be inverted on egress. For example, an ingress MAC Address Source rule will match the destination MAC address of the frame on egress. If you enable egress policy, you must also enable TCI Overwrite.
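The direction-inversion rule is the subtle part of egress policy, so here is an added example (not Policy Manager code or anything from this page) that implements it: the same first-match rule list is evaluated on ingress and on egress, and only rules on a source or destination address swap direction. The sample rules reproduce the page's Apache scenario (a role that drops TCP port 80) alongside a MAC source rule; the packets, rule fields and the Rule type are constructed for the example, and TCI Overwrite is assumed to be enabled as the page requires.

```python
"""Added example (not Policy Manager code): how ingress policy rules are reused
on egress. It implements the page's statement that the same rules apply to
traffic egressing the port, except that address rules swap direction. Rules,
packets and field names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    field: str     # e.g. "mac_src", "ip_dst", "tcp_dst_port" (constructed names)
    value: object
    action: str    # "drop" or "permit"


# Address-based rule types swap direction on egress; other types keep theirs.
EGRESS_FIELD = {"mac_src": "mac_dst", "mac_dst": "mac_src",
                "ip_src": "ip_dst", "ip_dst": "ip_src"}


def rule_for_direction(rule: Rule, direction: str) -> Rule:
    """Return the rule as it is matched in the given direction."""
    if direction == "ingress":
        return rule
    if direction != "egress":
        raise ValueError(f"unknown direction {direction!r}")
    return Rule(EGRESS_FIELD.get(rule.field, rule.field), rule.value, rule.action)


def evaluate(rules: List[Rule], packet: Dict[str, object], direction: str,
             default_action: str = "permit") -> str:
    """First matching rule wins; otherwise the role's default access control applies."""
    for rule in rules:
        r = rule_for_direction(rule, direction)
        if packet.get(r.field) == r.value:
            return r.action
    return default_action


# Constructed sample role: drop HTTP, and drop frames from one specific station.
ROLE_RULES = [
    Rule("tcp_dst_port", 80, "drop"),
    Rule("mac_src", "00:00:5e:00:53:01", "drop"),
]


def http_query_to_user() -> str:
    """An HTTP request from elsewhere in the network, leaving the port toward the
    user's unauthorised web server. A port rule keeps its direction, so it drops."""
    packet = {"ip_src": "192.0.2.9", "ip_dst": "192.0.2.5", "tcp_dst_port": 80}
    return evaluate(ROLE_RULES, packet, "egress")


def frame_toward_blocked_station() -> str:
    """The ingress 'MAC Address Source' rule matches the destination MAC on egress."""
    packet = {"mac_src": "00:00:5e:00:53:09", "mac_dst": "00:00:5e:00:53:01"}
    return evaluate(ROLE_RULES, packet, "egress")
```

Note that a frame *from* the blocked station evaluated on egress is permitted, because on egress that rule now looks at the destination MAC; that is exactly the inversion the text describes, and it is why reading an ingress rule list as if it were symmetric can be misleading.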
RFC3580 VLAN Authorization Window
Enable or disable RFC 3580 VLAN Authorization for the ports being configured. VLAN Authorization must be enabled in networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates. When RFC 3580 VLAN Authorization is enabled:
- ports on devices that do not support policy will tag packets with the VLAN ID.
- ports on devices that do support policy and also support Authentication-Based VLAN to Role Mapping will classify packets according to the role that the VLAN Attribute maps to.
You can also modify the VLAN egress list for the VLAN ID returned by the RADIUS server when a user authenticates on the port:
- None - No modification to the VLAN egress list will be made.
- Tagged - The port will be added to the list with the egress state set to Tagged (frames will be forwarded as tagged).
- Untagged - The port will be added to the list with the egress state set to Untagged (frames will be forwarded as untagged).
- Dynamic - The port will use information returned in the RADIUS response to modify the VLAN egress list. This value is supported only if the device supports a mechanism through which the egress state may be returned in the RADIUS response.
The current egress settings for the port are displayed in the VLAN Oper Egress column in the End User Sessions table on the Port Usage tabs.
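As an added example (not Policy Manager code or anything from this page), the block below shows what the RFC 3580 VLAN Authorization setting does with the VLAN a RADIUS server returns: extracting the VLAN ID from the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, applying the None / Tagged / Untagged / Dynamic egress-list option, and deciding whether a port tags the packet or classifies it by the mapped role. The egress-state value used by Dynamic is a constructed placeholder, since the page only says that some devices can return one in the RADIUS response; the port names, role names and helper names are sample values.

```python
"""Added example (not Policy Manager code): what RFC 3580 VLAN Authorization
does with the VLAN returned by RADIUS. The attribute trio is the standard one
from RFC 3580; the egress-state value used by the Dynamic option is a
constructed placeholder because the page only says some devices can return one.
Port names, role names and VLAN IDs are sample values.
"""
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802


def radius_vlan_id(attrs: Dict[str, object]) -> Optional[int]:
    """Return the VLAN ID carried in the RADIUS Access-Accept, or None if absent/invalid."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not group.isdigit():          # VLAN names would need a local lookup; not modelled
        return None
    vid = int(group)
    return vid if 1 <= vid <= 4094 else None


EgressList = Dict[int, Dict[str, str]]   # vlan id -> {port name: "tagged"|"untagged"}


def apply_vlan_authorization(egress_list: EgressList, port: str, vid: int,
                             egress_mode: str,
                             radius_egress_state: Optional[str] = None) -> EgressList:
    """Modify the VLAN egress list per the option chosen in the wizard window."""
    if egress_mode == "None":
        return egress_list                       # leave the egress list untouched
    if egress_mode in ("Tagged", "Untagged"):
        state = egress_mode.lower()
    elif egress_mode == "Dynamic":
        # Assumption: the device hands us an egress state parsed from the RADIUS
        # response; devices without that mechanism cannot use Dynamic.
        if radius_egress_state not in ("tagged", "untagged"):
            raise ValueError("Dynamic requires an egress state in the RADIUS response")
        state = radius_egress_state
    else:
        raise ValueError(f"unknown egress mode {egress_mode!r}")
    egress_list.setdefault(vid, {})[port] = state
    return egress_list


def classify(vid: int, device_supports_policy: bool,
             vlan_to_role: Dict[int, str]) -> Tuple[str, object]:
    """Non-policy devices tag packets with the VLAN; policy devices that support
    Authentication-Based VLAN to Role Mapping classify by the mapped role."""
    if not device_supports_policy:
        return ("tag", vid)
    return ("role", vlan_to_role.get(vid))   # None when no role is mapped


# Constructed sample Access-Accept: VLAN 200 for the authenticating user.
SAMPLE_ACCEPT = {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                 "Tunnel-Private-Group-ID": "200"}
```

`apply_vlan_authorization({}, "ge.1.5", radius_vlan_id(SAMPLE_ACCEPT), "Tagged")` yields `{200: {"ge.1.5": "tagged"}}`, which is the value you would expect to see reflected in the VLAN Oper Egress column mentioned above; the ValueError on Dynamic without an egress state is the case to watch for on devices that cannot return one.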
Tagged Packet VLAN to Role Mapping Window
Use this window to either remove all port-level mappings from the selected ports, or create a list of mappings to append to the ports. Click Add to open the VLAN to Role Mapping Selection View, where you can select a VLAN and map it to a role. Click Remove to remove selected mappings from the list. You must have the Port Level Role Mappings feature enabled in Policy Manager for these mappings to take effect. (From the menu bar, select the Edit > Port Level Role Mappings checkbox.) If the feature is not enabled, the mappings will be ignored. Mappings cannot be added to or removed from frozen ports. You must first clear the frozen state on a port in order to add or remove a mapping.
NOTE: TCI Overwrite Requirement
Tagged Packet VLAN to Role Mapping will apply the Role definition to incoming packets using a mapped VLAN. This definition will apply a COS and determine if the packet is discarded or permitted, and if TCI Overwrite is enabled will re-specify the VLAN ID defined by the Rule / Role Default. If TCI Overwrite is disabled, the packet will egress (if permitted by the Rule Hit) with the original VLAN ID it ingressed with. If supported by the device, you can enable TCI Overwrite on a per-port basis in the Port Properties window General tab, or for an individual role in the role's General tab. The stackable devices support rewriting the CoS values but not the VLAN ID.
MAC/IP to Role Mapping Window
Use this window to either remove all port-level mappings from the selected ports, or create a list of mappings to append to the ports. Click Add to add a MAC or IP to Role Mapping to the list. Click Remove to remove selected mappings from the list. You must have the Port Level Role Mappings feature enabled in Policy Manager for these mappings to take effect. (From the menu bar, select the Edit > Port Level Role Mappings checkbox.) If the feature is not enabled, the mappings will be ignored. Mappings cannot be added to or removed from frozen ports. You must first clear the frozen state on a port in order to add or remove a mapping.
WARNING: Enforcing port-level MAC or IP to Role mappings could potentially remove rules created by NetSight Automated Security Manager (ASM) as an intrusion detection response.
Select Ports
In the Port Selection window, you can select the ports you want to include or exclude from this configuration.
- In the Devices field, expand the folders and select the ports you want to configure.
- Click Add Include to include the selected ports in this configuration or click Add Exclude to exclude the ports from the configuration. For example, you may want to configure all your 10/100 ports except printer ports. You would select the Pre-Defined Port Group of 10/100 ports and click Add Include. Then you would select a User-Defined Port Group of printer ports and click Add Exclude.
- To remove a port from the Include Ports or Exclude Ports fields, select the port and click Remove.
- If you would like to save this device configuration as a template, click Save. The Save Template window opens where you can provide a name for the template.
- Click Finish. The settings will take effect.
NOTE: You must configure and enable authentication on the device before any port authentication settings will take effect (see How to Configure Devices).
Using the Port Properties Window
Configuring a port using the Port Properties window accomplishes the same things as the Port Configuration Wizard, but also enables you to view the current configuration on the port. To configure authentication for a port in a Pre-Defined Port Group, you must use the Port Configuration Wizard.
- Assigning Default Roles to Ports
- Clearing Default Roles from Ports
- Disabling Traffic Classification Rules on Ports
- Enabling CEP Protocol
- Enabling Drop VLAN Tagged Frames
- Freezing/Unfreezing Ports
- Locking MAC Addresses to Ports
- Setting Port Authentication
- Terminating a Session
Assigning Default Roles to Ports
You can assign a default role to a single port, or to multiple ports. If you set a default role for a port, it is recommended that you enable the Drop VLAN Tagged Frames feature.
NOTE: Setting a default role on an ExtremeWireless Wireless Controller port that is not yet a VNS creates a new VNS on the wireless controller.
Single Port
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the General tab (in the top row of tabs).
- Select the Role Status sub-tab. You can view the default role for the port. Click the Select button to select a new default role. This opens the Selection View, where you can select an existing role. Select the Clear the current default role option to set the default role back to <None>. Click OK.
Multiple Ports
There are two ways to assign a default role to multiple ports:
- Using the Default Role Window in the Port Configuration Wizard. Using the wizard is most useful when you want to do other port configuration tasks as well.
- Assigning the default role to a device, a device group, or a pre-defined or user-defined port group, as follows:
  - For a device or device group: in the left-panel Network Elements tab, right-click the device or device group that includes the ports to which you want to assign the default role, and select Set Default Role from the menu.
  - For a port group: in the left-panel Port Groups tab, right-click the group for the ports to which you want to assign the default role, and select Set Default Role from the menu.
  - In the Selection View, select the role you want to assign as the default. Click OK.
Clearing Default Roles from Ports
You can clear the default role from a single port, or from multiple ports.
Single Port
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the General tab (in the top row of tabs).
- Select the Role Status sub-tab. Click the Select button to select a new default role. This opens the Selection View, where you can select the Clear the current default role option to set the default role back to <None>.
- Click OK.
NOTE: If you are replacing the current default role with another one, you don't need to clear the current default role. Selecting the new default role and clicking OK clears the previous default role automatically.
Multiple Ports
There are two ways to clear the default role from multiple ports:
- Using the Clear the current default role option on the Default Role Window in the Port Configuration Wizard. Using the wizard is most useful when you want to do other port configuration tasks as well.
- Clearing the default role from a device, a device group, or a port group, as follows:
  - For a device or device group: in the left-panel Network Elements tab, right-click the device or device group that includes the ports from which you want to clear the default role, and select Set Default Role from the menu.
  - For a port group: in the left-panel Port Groups tab, right-click the group of ports from which you want to clear the default role, and select Set Default Role from the menu.
  - In the Selection View, select the Clear the current default role box.
  - Click OK.
NOTE: If you are replacing the current default role with another one, you don't need to clear the current default role. Selecting the new default role and clicking OK clears the previous default role automatically.
Disabling Traffic Classification Rules on Ports
You can create a list of traffic classification rule types to disable on a port using the Port Properties window. For example, you could disable the VLAN ID traffic classification type, which would disable Tagged Packet VLAN to Role Mapping on the port.
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the General tab (in the top row of tabs).
- Select the Disabled Traffic Classification Types sub-tab.
- Use the Add button to open the Traffic Classification Type wizard and create the list of rules you want to disable.
Enabling CEP Protocol
You can enable and disable CEP protocols for a specific port using the CEP Access sub-tab on the Port Properties window Authentication Configuration tab. (You can enable CEP protocols for multiple selected ports using the Port Configuration wizard.) In order for CEP to take effect on a port, it must also be enabled at the device level. You can do this using the Device Configuration wizard, or the device Authentication tab. See How to Configure CEP for more information.
Enabling Drop VLAN Tagged Frames
When the Drop VLAN Tagged Frames feature is enabled, any packet already tagged with a VLAN coming into the port will be dropped. Usually you would enable this for user ports, and disable it for interswitch ports.
WARNING: Enabling this feature on an interswitch or backplane port is likely to result in loss of contact with devices connected through the port.
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the General tab (in the top row of tabs).
- Select the Drop VLAN Tagged Frames sub-tab. In this tab, select the Enable button.
- Click Enforce on the toolbar, review the effects of enforcing in the Enforce Preview window if it is enabled, then click Enforce on that window.
Freezing/Unfreezing Ports
See How to Freeze/Unfreeze a Port.
Locking MAC Addresses to Ports
See How to Lock MAC Addresses to Ports.
Setting Port Authentication
You can configure authentication settings for a selected port in the Port Properties window. Before any port authentication settings will take effect, you must configure and enable authentication on the device (see How to Configure Devices).
NOTE: In order to configure authentication for a port in a Pre-Defined Port Group, you must use the Port Configuration Wizard.
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the Authentication Configuration tab (in the top row of tabs).
- Use the sub-tabs to make changes as required.
Terminating a Session
Terminating a session causes the port to be re-initialized. The user loses the access rights of the current role on the port and reverts to the access rights specified for unauthenticated behavior on the port, until he or she authenticates again.
With web-based authentication, the user must log in again using the authentication web page after the port re-initializes. With 802.1X authentication on Windows 2000, the user is prompted to log in again after the port re-initializes. With 802.1X authentication on the Windows XP platform, the user is automatically reauthenticated immediately after the port re-initializes, and no login prompt occurs.
You can terminate an authenticated session on a single port in the Port Properties Window or multiple ports in the Port Usage tab for a device, a device group, or a port group. If sequential multiple ports are selected, only authenticated sessions whose Terminate Cause is "Not Applicable" are affected. You cannot terminate sessions on frozen ports and you cannot terminate Role Override (IP) or Role Override (MAC) sessions that were created through the CLI (command line interface).
NOTE: For 802.1X authentication on the Windows XP platform, if you terminate a user's session, the user is automatically reauthenticated, unless there has been a policy change or a change in the user's authentication status (e.g., the user has been removed from the authentication list).
Single Port
- Select a device in the left-panel Network Elements tab and expand a slot or ports grouping in the right-panel Details view.
- Right-click the desired port and select Properties from the menu. In the Port Properties window, select the Port Usage tab (in the top row of tabs).
- Select the End User Sessions sub-tab. You must click Retrieve to display the port information in the table.
- Select an active session and click Terminate to end the session. If multiple sessions are selected, only active sessions will be terminated. You cannot terminate a session on a frozen port and you cannot terminate Role Override (IP) or Role Override (MAC) sessions that were created through the CLI (command line interface).
- Click Yes to confirm that you want to terminate.
Multiple Ports
Select the right panel Port Usage tab for one of the following left-panel selections, depending on the ports whose session(s) you want to terminate:
For information on related windows:
- Port Properties - Authentication Configuration Tab
- Port Properties - Port Usage Tab
- Port Properties - General Tab