Security Tools

The CISCO / BushNET Serial Manager includes a suite of security management tools for configuring ACLs, 802.1X authentication, and port security on the IE3300 switch.

Overview

Tool Purpose
ACL Editor Visual builder for standard and extended Access Control Lists
802.1X Dialog Port-based authentication configuration with RADIUS
Port Security MAC-based port security with sticky learning and violation handling

Access these tools from the Security menu in the main application window.


ACL Editor

The ACL Editor provides a visual interface for creating and managing Access Control Lists without needing to remember complex CLI syntax.

ACL Types

Type Description Use Case
Standard ACL Filters by source IP address only Simple traffic filtering
Extended ACL Filters by source/destination IP, protocol, and ports Detailed traffic control

Creating an ACL

  1. Open Security → ACL Editor
  2. Click Create ACL
  3. Enter the ACL name or number
  4. Select the ACL type (Standard or Extended)

Adding ACL Entries (ACEs)

Each ACE defines a permit or deny rule:

  1. Click Add Entry
  2. Configure the entry:
Field Description
Sequence Order of evaluation (lower numbers evaluated first)
Action permit or deny
Protocol IP, TCP, UDP, ICMP, etc. (extended ACL only)
Source Address Source IP address
Source Wildcard Source wildcard mask
Destination Address Destination IP address (extended ACL only)
Destination Wildcard Destination wildcard mask (extended ACL only)
Source Port Source port operator and value (extended ACL only)
Destination Port Destination port operator and value (extended ACL only)
Log Enable logging of matched packets

Managing Entries

  • Edit — Modify an existing ACE
  • Delete — Remove an ACE
  • Move Up/Down — Reorder ACEs (evaluation order matters)

ACEs are evaluated top-down and the first match wins. A packet that matches no entry is dropped by the implicit deny at the end of every IOS ACL, so an ACL whose final entry is not a permit blocks all traffic it does not explicitly allow.

Applying an ACL to an Interface

  1. Select the target interface from the dropdown
  2. Choose the direction: Inbound (filters traffic entering the switch on this interface) or Outbound (filters traffic leaving the switch through it)
  3. Click Apply to Interface

Config Preview

Click Generate Config to preview the Cisco IOS commands before applying:

ip access-list extended BLOCK_TELNET
 10 deny tcp any any eq 23 log
 20 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group BLOCK_TELNET in
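The following is an added example, not code from the Serial Manager or from Cisco: a small model of how IOS evaluates a named extended ACL (wildcard masks, top-down first match, implicit deny) together with a renderer that emits the same text the Config Preview above shows. The class and function names, the third and fourth entries added to BLOCK_TELNET and the sample packets are assumptions made for this illustration.

```python
"""Added example (not part of the Serial Manager or Cisco IOS): a model of
named extended ACL evaluation plus a renderer for the Config Preview text.
Names, classes and the sample traffic below are assumptions for this
illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS wildcard mask for an IPv4 prefix length.

    A wildcard is the bitwise inverse of the subnet mask: 0 bits must match,
    1 bits are 'don't care'.  /24 -> 0.0.0.255, /32 -> 0.0.0.0 (host)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def _addr_matches(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under the wildcard (IOS semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip", "tcp", "udp", "icmp"
    src: str = "0.0.0.0"           # 0.0.0.0 + wildcard 255.255.255.255 == "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: int | None = None    # only the "eq <port>" operator is modelled
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not _addr_matches(pkt["src"], self.src, self.src_wc):
            return False
        if not _addr_matches(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True

    def render(self) -> str:
        """One ACE in IOS named-ACL syntax, e.g. ' 10 deny tcp any any eq 23 log'."""
        def endpoint(addr: str, wc: str) -> str:
            if wc == "255.255.255.255":
                return "any"
            if wc == "0.0.0.0":
                return f"host {addr}"
            return f"{addr} {wc}"
        parts = [str(self.seq), self.action, self.protocol,
                 endpoint(self.src, self.src_wc), endpoint(self.dst, self.dst_wc)]
        if self.dst_port is not None:
            parts += ["eq", str(self.dst_port)]
        if self.log:
            parts.append("log")
        return " " + " ".join(parts)


def evaluate(acl: list[Ace], pkt: dict) -> tuple[str, int | None]:
    """First-match evaluation in sequence order.  A packet matching no ACE
    hits the implicit 'deny ip any any' at the end of every IOS ACL."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


def render_acl(name: str, acl: list[Ace]) -> str:
    lines = [f"ip access-list extended {name}"]
    lines += [ace.render() for ace in sorted(acl, key=lambda a: a.seq)]
    return "\n".join(lines)


# Constructed example: the page's BLOCK_TELNET ACL with two extra entries
# that restrict SSH to a management subnet, so that ordering matters.
BLOCK_TELNET = [
    Ace(10, "deny", "tcp", dst_port=23, log=True),
    Ace(15, "permit", "tcp", src="10.0.100.0", src_wc=wildcard_from_prefix(24), dst_port=22),
    Ace(18, "deny", "tcp", dst_port=22, log=True),
    Ace(20, "permit", "ip"),
]

if __name__ == "__main__":
    print(render_acl("BLOCK_TELNET", BLOCK_TELNET))
    for pkt in ({"proto": "tcp", "src": "10.0.100.7", "dst": "10.0.1.1", "dport": 22},
                {"proto": "tcp", "src": "10.0.200.7", "dst": "10.0.1.1", "dport": 22}):
        print(pkt["src"], "->", evaluate(BLOCK_TELNET, pkt))
```

Swapping entries 15 and 18 (or giving the SSH deny a lower sequence number) makes the management subnet lose SSH access, which is exactly the ordering mistake the Move Up/Down controls exist to fix; the empty-ACL case shows the implicit deny.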

802.1X Authentication

The 802.1X dialog provides port-based network access control using IEEE 802.1X authentication.

Overview

802.1X authenticates devices connecting to switch ports against a RADIUS server: the switch acts as the authenticator, relays the supplicant's EAP exchange to RADIUS, and opens the port only when the server accepts the credentials. Until then the device has no network access.

Global Configuration

  1. Open Security → 802.1X Configuration
  2. Click Enable Global to enable 802.1X system-wide
  3. Configure the RADIUS server IP address

Per-Port Configuration

Select a port from the port status table to configure its 802.1X settings:

Setting Options Description
Auth Method auto / force-authorized / force-unauthorized Port authentication mode
Host Mode single-host / multi-host / multi-domain / multi-auth How many devices allowed
Reauth Period 1-65535 seconds Time between re-authentication attempts

Authentication Methods

Method Description
auto Port authenticates using 802.1X; unauthenticated devices are blocked
force-authorized Port is always authorized (no authentication required); this effectively disables 802.1X on the port, so reserve it for trusted infrastructure links rather than user-facing ports
force-unauthorized Port is always unauthorized (no traffic allowed)

Host Modes

Mode Description
single-host Only one device allowed per port
multi-host Multiple devices allowed after the first authenticates; the rest are never checked, so anything behind a hub or unmanaged switch on that port is admitted
multi-domain One device per domain (data + voice)
multi-auth Each device must authenticate individually
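The following is an added example, not the Serial Manager's own code: it renders the IOS commands behind the global and per-port 802.1X settings described above, validates the ranges the dialog exposes, flags the two weak choices (force-authorized and multi-host), and models which attached devices each host mode admits. The function names, the RADIUS server name "ISE" and the sample MAC addresses are assumptions made for this illustration.

```python
"""Added example, not the Serial Manager's own code: IOS commands behind the
802.1X dialog, a lint for the weak settings, and a host-mode admission model.
Function names, the RADIUS server name "ISE" and the sample MACs are
assumptions made for this illustration."""
from __future__ import annotations

AUTH_METHODS = ("auto", "force-authorized", "force-unauthorized")
HOST_MODES = ("single-host", "multi-host", "multi-domain", "multi-auth")


def render_global(radius_ip: str, radius_key: str) -> list[str]:
    """Global prerequisites: AAA, a RADIUS server definition and the global
    enable ('dot1x system-auth-control').  The shared secret is mandatory
    even though the dialog on this page only asks for the server address."""
    return [
        "aaa new-model",
        "radius server ISE",                       # server name is an assumption
        f" address ipv4 {radius_ip} auth-port 1812 acct-port 1813",
        f" key {radius_key}",
        "aaa authentication dot1x default group radius",
        "dot1x system-auth-control",
    ]


def render_port(iface: str, method: str = "auto",
                host_mode: str = "single-host", reauth: int = 3600) -> list[str]:
    """Per-port commands for the three dialog settings, with the range checks
    the dialog should perform before generating config."""
    if method not in AUTH_METHODS:
        raise ValueError(f"unknown auth method {method!r}")
    if host_mode not in HOST_MODES:
        raise ValueError(f"unknown host mode {host_mode!r}")
    if not 1 <= reauth <= 65535:
        raise ValueError("reauth period must be 1-65535 seconds")
    return [
        f"interface {iface}",
        " switchport mode access",
        f" authentication port-control {method}",
        f" authentication host-mode {host_mode}",
        " authentication periodic",
        f" authentication timer reauthenticate {reauth}",
        " dot1x pae authenticator",
    ]


def lint_port(method: str, host_mode: str) -> list[str]:
    """Flag settings that silently weaken port-based access control."""
    findings = []
    if method == "force-authorized":
        findings.append("force-authorized: 802.1X is bypassed, any device is admitted")
    if host_mode == "multi-host":
        findings.append("multi-host: only the first device is authenticated; "
                        "anything behind a hub or unmanaged switch rides along")
    return findings


def admitted(host_mode: str, devices: list[tuple[str, str, bool]]) -> list[str]:
    """Which MACs get network access under each host mode.

    devices: (mac, domain, authenticated) in order of appearance, domain being
    "data" or "voice".  Devices beyond what the mode allows raise a security
    violation on the real switch; here they are simply not admitted."""
    if not devices:
        return []
    if host_mode == "single-host":
        mac, _, ok = devices[0]                # only the first device counts
        return [mac] if ok else []
    if host_mode == "multi-host":
        # One successful authentication authorises the port for every MAC.
        return [mac for mac, _, _ in devices] if any(ok for _, _, ok in devices) else []
    if host_mode == "multi-auth":
        return [mac for mac, _, ok in devices if ok]
    if host_mode == "multi-domain":
        seen: dict[str, str] = {}              # domain -> first authenticated MAC
        for mac, domain, ok in devices:
            if ok and domain in ("data", "voice") and domain not in seen:
                seen[domain] = mac
        return list(seen.values())
    raise ValueError(f"unknown host mode {host_mode!r}")


if __name__ == "__main__":
    print("\n".join(render_global("10.0.0.10", "s3cret") +
                    render_port("GigabitEthernet1/1", "auto", "multi-auth", 3600)))
    attached = [("0011.2233.4455", "data", True), ("0011.2233.4466", "data", False)]
    for mode in HOST_MODES:
        print(f"{mode:13s} admits {admitted(mode, attached)}")
```

Running the main block shows the practical difference between multi-host and multi-auth on the same two devices: the unauthenticated second MAC is admitted under multi-host and rejected under multi-auth.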

Port Status Table

The table shows the current 802.1X status of each port:

  • Interface — Port name
  • Auth State — Authorized / Unauthorized
  • Method — Current authentication method
  • Supplicant MAC — Authenticated device MAC address
  • Assigned VLAN — VLAN assigned by RADIUS (if applicable)

Viewing Statistics

Click Show Statistics to view 802.1X authentication statistics including successful and failed authentication attempts.


Port Security

The Port Security dialog allows you to control which devices can connect to each switch port based on MAC addresses.

Overview

Port security limits the number of MAC addresses learned on a port and defines what happens when a violation occurs (e.g., an unauthorised device connects).

Configuring Port Security

  1. Open Security → Port Security
  2. Select a port from the port security table
  3. Configure:
Setting Description
Enable Turn port security on/off
Maximum MACs Maximum number of allowed MAC addresses (1-132)
Violation Mode Action when a violation occurs
Sticky MAC Dynamically learn and persist MAC addresses

Violation Modes

Mode Description
protect Drops traffic from unauthorised MACs silently; no syslog, trap or violation count, so violations go unnoticed unless you inspect the port
restrict Drops traffic, increments the violation counter and sends an SNMP trap/syslog message; the port stays up
shutdown Sends the trap/syslog message and puts the port in error-disabled state; it stays down until cleared manually or by errdisable recovery

Sticky MAC Addresses

When enabled, the switch dynamically learns MAC addresses and adds them to the running configuration. This means:

  • Devices are automatically authorised on first connection
  • Learned MACs persist across reboots (after write memory)
  • No manual MAC address entry required

Because the first MACs seen are the ones that get authorised, enable sticky learning only once the intended device is attached and the port is known to be clean; a rogue device plugged in first would be persisted as a trusted address.

Clearing Violations

If a port enters error-disabled state due to a security violation:

  1. Select the affected port
  2. Click Clear Violation to bounce the port (shutdown/no shutdown)

Alternatively, configure auto-recovery so the switch re-enables the port itself after the interval (in seconds, 30-86400):

errdisable recovery cause psecure-violation
errdisable recovery interval 300
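The following is an added example, not the Serial Manager's own code: a model of a single port-security port that exercises the MAC limit, sticky learning, the three violation modes, the error-disabled state and the Clear Violation bounce, and renders the running-config lines that sticky and static entries become. The class and method names and the sample MAC addresses are assumptions made for this illustration; the syslog line is modelled on IOS's PSECURE_VIOLATION message.

```python
"""Added example, not the Serial Manager's own code: a model of one IOS
port-security port (MAC limit, sticky learning, violation modes,
err-disable, running-config lines).  Class and method names and the sample
MACs are assumptions; the syslog text is modelled on IOS's message."""
from __future__ import annotations

VIOLATION_MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    def __init__(self, name: str, maximum: int = 1,
                 violation: str = "shutdown", sticky: bool = False):
        if not 1 <= maximum <= 132:            # the range this page's dialog allows
            raise ValueError("maximum MACs must be 1-132")
        if violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure_macs: dict[str, str] = {}   # mac -> "static" | "sticky" | "dynamic"
        self.errdisabled = False
        self.violations = 0
        self.syslog: list[str] = []

    def add_static(self, mac: str) -> None:
        """Manually configured secure MAC; counts against the maximum."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("secure MAC table is full")
        self.secure_macs[mac] = "static"

    def frame_from(self, mac: str) -> str:
        """Process a frame with source MAC `mac`.  Returns "forward", "drop"
        or "errdisable" (the action the configured violation mode takes)."""
        if self.errdisabled:
            return "drop"                        # port is down until cleared
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # An unknown MAC beyond the limit is a security violation.
        if self.violation == "protect":
            return "drop"                        # silent: no counter, no trap
        self.violations += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.errdisabled = True
        return "errdisable"

    def clear_violation(self) -> None:
        """Bounce the port (shutdown / no shutdown).  Dynamic secure MACs are
        lost when the port goes down; sticky and static ones survive because
        they live in the running configuration."""
        self.errdisabled = False
        self.secure_macs = {m: t for m, t in self.secure_macs.items() if t != "dynamic"}

    def running_config(self) -> list[str]:
        lines = [
            f"interface {self.name}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
        ]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            elif kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
        return lines


if __name__ == "__main__":
    port = SecurePort("GigabitEthernet1/1", maximum=2, violation="shutdown", sticky=True)
    for mac in ("0011.2233.4455", "0011.2233.4466", "0011.2233.4477"):
        print(mac, "->", port.frame_from(mac))
    print("\n".join(port.running_config()))
```

The third MAC on a two-address port takes the port down in shutdown mode, and after clear_violation the two sticky addresses are still authorised because they were written into the configuration; the same sequence in protect mode leaves no trace at all, which is why restrict or shutdown is the usual choice where violations must be visible.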

Viewing Secure MACs

Click Show MACs to display all MAC addresses learned on the selected port, including:

  • Sticky MACs — Dynamically learned and persisted
  • Static MACs — Manually configured
  • Dynamic MACs — Currently learned (not persisted)

Port Security Status Table

The main table shows the security status of all ports:

Column Description
Interface Port name
Enabled Whether port security is active
Max MACs Maximum allowed MAC addresses
Current MACs Number of MACs currently learned
Violation Mode protect / restrict / shutdown
Status Secure / Violation / Error-disabled