Preface
This document provides workflow guidance for securing network traffic in situations where devices may not always be detectable on the network. With the Optigo Connect™ system, securing an edge port that has a single device behind it is simple using OneClick Secure™; however, in some applications it is not practical or possible to connect one device to each port. One such case is a daisy-chained loop of building automation devices.
In this application, some of the devices may never communicate outside the loop unless a request comes from an external device, which might happen only when a user is looking at the system. Because nothing from those devices reaches the edge switch, the Optigo Connect system cannot detect them. Optigo Connect relies on the edge switch's forwarding database (FDB) to know which device is connected to which port. The FDB is populated from the source MAC address of each Ethernet frame that enters an edge port, and an entry is removed automatically once no frame from that source MAC address has been seen for five minutes.
[Figure: Simple FDB functionality diagram]
The result is that, at any given time, several devices in the daisy chain are unknown to the Optigo Connect system. Your application may not be a daisy chain, but if it has quiet devices that are not guaranteed to send a frame to the edge switch at least every five minutes, this document applies to you as well.
Before continuing, read the Ports page guide and the OneClick Secure guide.
The simple but difficult method
If you keep a record of every device's MAC address and the port it is plugged into, you can simply authorize all of them manually. Maintaining that record is tedious and error-prone, but if you already have the data, this is the simplest method.
Steps to Authorize with OneClick Secure
1. Choose the edge switch you wish to work on. Pair all ports on that edge switch that have a loop before proceeding; you do not need to set the authorization rules yet.
2. Go to the "Edge Switches" page and click "More" for that edge switch. On the "Ports" tab, change the VLAN of the device discovery port and of the ports you are working on so that the discovery traffic is isolated from the rest of the network. To change a VLAN, click the VLAN ID box for the port. This example uses VLAN 1020.
   If the device discovery port is on a different edge switch, change its VLAN first using the "Ports" page.
3. Go to the "OneClick Security" tab, run your device discovery (a BACnet Who-Is, Bonjour, or whatever your devices answer), and wait for it to complete. Then, within three minutes, click "Lock Switch". Locking within three minutes keeps you inside the five-minute FDB aging time described in the Preface, so every device that answered the discovery is still in the FDB when the switch is locked. Leave the checkboxes as they are, except that you may uncheck "Secure Inactive Ports" if you wish; do not check or uncheck any other option.
4. Wait for OneClick Secure to complete. Ports with a single device are now secured. Multi-device ports have authorization rules added, but the rules are not yet enabled.
5. Click "View all MACs" on each port whose VLAN you changed and check that the discovered devices are correct. If the list looks incomplete, repeat step 3. If there are extra devices, remove their authorization on the device authorization page.
6. Change the VLANs back. Repeat steps 2-6 for the remaining ports on this edge switch.
7. Once all devices on the edge switch have been discovered, go to the "OneClick Security" tab and make sure that "Secure Multi-device Ports" is checked. This enables the authorization rules on every port of this edge switch and limits traffic according to those rules. You can ignore the warning that is displayed: if you followed the steps, all quiet devices have already been discovered, and OneClick Secure does not remove a MAC authorization entry when its device is no longer detected. You can review the configuration at any time on the "Ports" tab of the current window or on the "Ports" page; click inside the security column to show the current authorization rules.
8. Repeat steps 1-7 for each remaining edge switch. To add new devices later, click "Unlock" and repeat steps 2-7. To remove devices, use the device authorization page.
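To make the two mechanisms behind this procedure concrete, the FDB aging described in the Preface and the lock-time snapshot of the FDB into per-port authorization rules, here is a small simulation. It is an added example written for this page, not Optigo Connect code, and it models a generic learning switch: the `EdgeSwitch` class, the port number, the MAC addresses and the traffic timings are all constructed for illustration; only the five-minute aging time and the three-minute lock window come from the text. It runs the same daisy-chained loop twice, once locking inside the window and once locking after the quiet devices have aged out of the FDB, which is exactly the failure mode the procedure is designed to avoid.

```python
"""
Simulation of an edge switch's FDB learning and aging, and of locking a
port's authorization rules from what the FDB shows at lock time.

Added example for this page, not Optigo Connect code. The EdgeSwitch model,
port number, MAC addresses and traffic timings are constructed for
illustration; the 300 s aging time and the 180 s lock window are from the text.
"""
from dataclasses import dataclass, field

FDB_AGE_SECONDS = 300      # an FDB entry is removed five minutes after the last frame
LOCK_WINDOW_SECONDS = 180  # the procedure says to lock within three minutes of discovery


@dataclass
class Frame:
    t: int      # seconds since the start of the scenario
    port: int   # ingress edge port
    src: str    # source MAC address


@dataclass
class EdgeSwitch:
    fdb: dict = field(default_factory=dict)    # mac -> (port, last_seen)
    auth: dict = field(default_factory=dict)   # port -> set of authorized MACs
    locked: set = field(default_factory=set)   # ports on which rules are enforced

    def ingress(self, f: Frame) -> bool:
        """Learn the source MAC on its ingress port. On a locked port a frame
        from a MAC that is not in the rules is dropped (returns False)."""
        if f.port in self.locked and f.src not in self.auth.get(f.port, set()):
            return False
        self.fdb[f.src] = (f.port, f.t)
        return True

    def visible(self, now: int) -> dict:
        """Expire aged-out entries, then return {mac: port} for what remains."""
        self.fdb = {m: (p, ts) for m, (p, ts) in self.fdb.items()
                    if now - ts < FDB_AGE_SECONDS}
        return {m: p for m, (p, _) in self.fdb.items()}

    def lock(self, now: int, ports) -> dict:
        """Snapshot the MACs currently visible on `ports` into authorization
        rules and start enforcing them. Rules are never aged out, so a device
        that goes quiet after the lock stays authorized."""
        for port in ports:
            self.auth.setdefault(port, set())
        for mac, port in self.visible(now).items():
            if port in ports:
                self.auth[port].add(mac)
        self.locked.update(ports)
        return {p: sorted(self.auth[p]) for p in ports}


# Constructed scenario: three devices daisy-chained behind edge port 7.
LOOP_PORT = 7
CHATTY = "02:00:00:00:00:01"                           # talks every 60 s on its own
QUIET = ["02:00:00:00:00:02", "02:00:00:00:00:03"]     # only answer a discovery
ALL_DEVICES = [CHATTY] + QUIET


def run_scenario(lock_delay: int) -> dict:
    """Ten minutes of normal traffic, a device discovery at t=600 that every
    device answers, then "Lock Switch" `lock_delay` seconds later. Returns
    what the FDB showed at each point, the rules created, and which devices
    still get through once everything has aged out of the FDB again."""
    sw = EdgeSwitch()
    for t in range(0, 601, 60):
        sw.ingress(Frame(t, LOOP_PORT, CHATTY))
    before = sorted(sw.visible(600))                    # quiet devices unknown
    discovery_t = 600
    for mac in ALL_DEVICES:                             # who-is: all reply
        sw.ingress(Frame(discovery_t, LOOP_PORT, mac))
    after = sorted(sw.visible(discovery_t))
    lock_t = discovery_t + lock_delay
    for t in range(discovery_t + 60, lock_t + 1, 60):   # chatty device keeps talking
        sw.ingress(Frame(t, LOOP_PORT, CHATTY))
    rules = sw.lock(lock_t, [LOOP_PORT])[LOOP_PORT]
    later = lock_t + 2 * FDB_AGE_SECONDS                # long silence afterwards
    fdb_later = sw.visible(later)
    forwarded = {mac: sw.ingress(Frame(later, LOOP_PORT, mac)) for mac in ALL_DEVICES}
    return {"before_discovery": before, "after_discovery": after,
            "rules": rules, "fdb_after_aging": fdb_later,
            "forwarded_later": forwarded}


if __name__ == "__main__":
    in_time = run_scenario(lock_delay=LOCK_WINDOW_SECONDS - 60)  # within the window
    too_late = run_scenario(lock_delay=FDB_AGE_SECONDS + 60)     # quiet devices aged out
    print("locked in time:", in_time["rules"], in_time["forwarded_later"])
    print("locked late:   ", too_late["rules"], too_late["forwarded_later"])
```

Run as a script, it shows the two outcomes side by side: locking inside the window puts all three MACs into the port's rules, and after every device has been silent for longer than the aging time the FDB is empty yet all three are still forwarded; locking after the quiet devices have aged out captures only the chatty device, so the two quiet devices are dropped the next time a user triggers them. The model deliberately leaves out port pairing, VLAN isolation and the "Secure Multi-device Ports" step, which the procedure above covers.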