Understanding Port Security

Both the MAC access control list (ACL) policy and port MAC security features are used to enhance network security at the switch level.

Feature Overview

MAC ACLs filter network traffic by permitting only predefined MAC addresses to access the RUCKUS One network; the ACL is then bound to a switch port. Port MAC security enables a switch port to process traffic and allows dynamic learning of MAC addresses as devices connect to the port.

Feature implementation consists of the following:
  • Create and define a Layer 2 MAC ACL policy at the system Policies & Profiles level and at the switch-specific level.
  • Enable port MAC security for one or more switch ports and select the number of dynamically learned MAC addresses to be allowed.
  • Bind the MAC ACL to one or more switch ports.

Following are the benefits:

  • Efficient and secure switch configuration and simplified network management.
  • Secure configuration of individual switch ports to optimize network performance.

Requirements

MAC ACL is supported on all RUCKUS ICX switch models running any of the following FastIron firmware versions:

  • 10.0.10g_cd1 and later versions of the 10.0.10 code stream
  • 10.0.20b_cd1 and later

Considerations

Consider the following when configuring and using this feature:

  • Hardware scaling allows for the following number of MAC ACL filter statements per device model:
    • ICX 7150: 256
    • ICX 7550: 2,048
    • ICX 7650: 1,536
    • ICX 7850: 1,536
    • ICX 8100: 512
    • ICX 8200: 512
  • For port MAC security (PMS), the maximum number of MAC addresses that can be learned automatically is 8256. This number comprises the 64 local resources available to an interface plus the 8192 global resources shared by default among all PMS-enabled interfaces on the device.
  • Consider the following behaviors regarding MAC ACLs:
    • Shared: If you select a MAC ACL defined at the Policies & Profiles level and bind it to a port, the MAC ACL is synchronized to the switch-level setting and is marked as Shared in the switch-level MAC ACL list. All changes made to the MAC ACL from the Policies & Profiles page are propagated to the switch. In other words, a shared MAC ACL can be overwritten and always follows the setting defined at the Policies & Profiles level.
    • Customized: You may customize a shared MAC ACL at the switch level, overriding the rules defined in the original MAC ACL under Policies & Profiles. The two MAC ACLs retain the same name, but the switch-level MAC ACL is marked as Customized, and changes made at the Policies & Profiles level are no longer applied to a switch with a Customized MAC ACL.

      You can discard the customized MAC ACL setting and follow the definition in Policies & Profiles by clicking the Use Policies & Profiles Level Settings option on the MAC ACL details page. Conversely, you can override the Policies & Profiles level settings by clicking Customized.

    • When a MAC ACL profile has been created at the Policies & Profiles level, an attempt to create a MAC ACL profile with the same name at the switch level is rejected because of the duplicate name.
    • At the port level, the MAC ACL setting at the switch level takes precedence over the Policies & Profiles level.

Best Practices

Following are the recommended best practices regarding this feature:

  • Ensure your firmware is up to date to leverage security features and improvements.
  • Regularly monitor and audit MAC ACL configurations to ensure they align with your security policies.

Prerequisites

Disable 802.1X authentication, MAC-AUTH, or both at the port level before configuring the port MAC security or MAC ACL options.

Limitations

A port with port security enabled cannot be a member of a Link Aggregation Group (LAG).
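The Considerations, Best Practices, Prerequisites and Limitations above together describe a set of checks a configuration audit should apply: the per-model MAC ACL filter-statement limits, the 64 + 8192 = 8256 port MAC security learning budget, the port-level authentication prerequisite and the LAG restriction. The following Python script is an added example written for this page, not RUCKUS code and not a RUCKUS One API; it models a switch configuration with simple dataclasses (the representation, the dotted MAC notation and the assumption that each permitted MAC costs one filter statement are all this example's own) and reports every violation it finds over a constructed sample switch.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Per-model MAC ACL filter-statement capacity, as documented in the Considerations.
MAC_ACL_FILTER_LIMITS: Dict[str, int] = {
    "ICX 7150": 256,
    "ICX 7550": 2048,
    "ICX 7650": 1536,
    "ICX 7850": 1536,
    "ICX 8100": 512,
    "ICX 8200": 512,
}

# Port MAC security (PMS) learning budget: 64 local entries per interface plus an
# 8192-entry global pool shared by every PMS-enabled interface on the device.
PMS_LOCAL_PER_INTERFACE = 64
PMS_GLOBAL_SHARED = 8192
PMS_MAX_LEARNED = PMS_LOCAL_PER_INTERFACE + PMS_GLOBAL_SHARED  # 8256

# FastIron-style dotted MAC notation (e.g. 0011.2233.4455); assumed format for this example.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


@dataclass
class MacAcl:
    name: str
    permitted_macs: List[str]        # assumption: one filter statement per permitted MAC
    customized: bool = False         # True = overrides the Policies & Profiles definition


@dataclass
class SwitchPort:
    name: str
    bound_acl: Optional[str] = None
    pms_enabled: bool = False
    pms_max_learned: int = 0
    lag_member: bool = False
    port_auth_enabled: bool = False  # 802.1X and/or MAC-AUTH still active on the port


@dataclass
class Switch:
    model: str
    acls: Dict[str, MacAcl] = field(default_factory=dict)
    ports: List[SwitchPort] = field(default_factory=list)


def audit_switch(sw: Switch) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. Hardware scaling: total filter statements across all MAC ACLs vs. the model limit.
    limit = MAC_ACL_FILTER_LIMITS.get(sw.model)
    total_filters = sum(len(a.permitted_macs) for a in sw.acls.values())
    if limit is None:
        findings.append(f"{sw.model}: no documented MAC ACL filter limit, verify capacity manually")
    elif total_filters > limit:
        findings.append(f"{sw.model}: {total_filters} MAC ACL filter statements exceed the limit of {limit}")

    # 2. A malformed MAC entry silently fails to match the device it was meant to permit.
    for acl in sw.acls.values():
        for mac in acl.permitted_macs:
            if not MAC_RE.match(mac):
                findings.append(f"ACL {acl.name}: malformed MAC address {mac!r}")

    # 3. Per-port prerequisites, limitations and the shared PMS learning budget.
    global_pool_used = 0
    for port in sw.ports:
        if port.bound_acl is not None and port.bound_acl not in sw.acls:
            findings.append(f"{port.name}: bound to undefined MAC ACL {port.bound_acl!r}")
        if (port.bound_acl is not None or port.pms_enabled) and port.port_auth_enabled:
            findings.append(f"{port.name}: disable 802.1X/MAC-AUTH before using port MAC security or a MAC ACL")
        if port.pms_enabled:
            if port.lag_member:
                findings.append(f"{port.name}: port security is enabled on a LAG member, which is not supported")
            if port.pms_max_learned > PMS_MAX_LEARNED:
                findings.append(f"{port.name}: {port.pms_max_learned} learned MACs exceeds the maximum of {PMS_MAX_LEARNED}")
            # Entries beyond the 64 local resources draw on the shared pool (this example's reading of the text).
            global_pool_used += max(0, port.pms_max_learned - PMS_LOCAL_PER_INTERFACE)
    if global_pool_used > PMS_GLOBAL_SHARED:
        findings.append(f"PMS-enabled ports together request {global_pool_used} global entries, "
                        f"more than the shared pool of {PMS_GLOBAL_SHARED}")
    return findings


def sample_switch() -> Switch:
    """Constructed sample, not a real deployment: one ICX 7150 with deliberate misconfigurations."""
    printers = MacAcl("printers", ["0011.2233.4455", "0011.2233.4456"])
    cameras = MacAcl("cameras", ["00:aa:bb:cc:dd:ee"], customized=True)  # wrong notation on purpose
    return Switch(
        model="ICX 7150",
        acls={"printers": printers, "cameras": cameras},
        ports=[
            SwitchPort("1/1/1", bound_acl="printers"),
            SwitchPort("1/1/2", bound_acl="guests"),  # ACL never defined on this switch
            SwitchPort("1/1/3", pms_enabled=True, pms_max_learned=4, lag_member=True),
            SwitchPort("1/1/4", pms_enabled=True, pms_max_learned=9000),
            SwitchPort("1/1/5", pms_enabled=True, pms_max_learned=2, port_auth_enabled=True),
        ],
    )


if __name__ == "__main__":
    for line in audit_switch(sample_switch()):
        print(line)
```

Run as-is it prints six findings for the sample switch (a malformed MAC, an unbound ACL name, a LAG member with port security, a learning limit above 8256, a shared-pool overrun, and a port that still has authentication enabled); swap in your own inventory export to use it as a recurring audit.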