Switch Management

Managing a switched network from the FireRack Management Server (FMS)

Introduction

Ethernet switch management is a function of the FireRack Management Server (FMS). The FMS database holds a representation of all the switches and their constituent ports. For each port the database records the intended configuration of the port with respect to 802.1q VLAN membership, and it can also record what device the port is attached to. Special handling can be performed for ports attached to FireRack firewalls and to other switches. Configurations are built on the FMS and must be explicitly pushed to the switches, much as with firewall configuration.

802.1q VLAN configuration

The FMS switch configuration engine can configure the untagged and tagged VLAN membership of ports on any SNMP-manageable switch that supports the standard Q-BRIDGE-MIB (RFC 2674, since superseded by RFC 4363). VLAN definitions are automatically added to and removed from the switches as necessary. Many Cisco, Allied Telesyn and 3com branded switches that use vendor-specific MIBs instead are also handled, and support for other switches can be added if required.

A hierarchy of switches can be defined in terms of their interconnecting ports. The FMS then automatically configures these interconnecting ports to carry tagged traffic for all VLANs needed on the far side of the link. Switches at the bottom of the hierarchy carry only the VLANs required by the devices attached to them; each interconnecting port carries the union of the VLANs required below it, so the switch at the top of the hierarchy carries the superset.

The web-based management console presents this as a tree view. Only the switch at the root of the logical tree needs to carry all the VLANs, and this is typically where a FireRack firewall is attached. When a switch port is defined as attached to an interface of a FireRack that is configured to do 802.1q tagging, the switch configuration engine automatically gives the port a matching tagged configuration.
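The following is an added example, not FireRack's own engine, of how per-port 802.1q membership follows from a switch hierarchy like the one described above, and how that membership is expressed in Q-BRIDGE-MIB terms. The topology (switch names, port numbers and VLAN ids) is constructed for illustration. For each switch it computes the set of VLANs that must be defined, marks access ports untagged, marks interconnecting ports tagged for exactly the VLANs needed on the far side, marks the FireRack-facing port tagged for the VLANs the firewall interface tags, and encodes the result as the PortList octet strings that dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts take.

```python
"""Added example (not FireRack code): derive per-port 802.1q membership from a
switch hierarchy and encode it as Q-BRIDGE-MIB dot1qVlanStaticTable PortLists.
The topology below is constructed for illustration."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    ports: int                                    # number of physical ports
    access: dict = field(default_factory=dict)    # port -> untagged VLAN of the attached host
    children: dict = field(default_factory=dict)  # port -> name of the downstream switch
    parent_port: Optional[int] = None             # port facing the upstream switch, if any
    tagged: dict = field(default_factory=dict)    # port -> VLANs tagged by an attached FireRack interface


# Constructed topology: FireRack trunk on core port 1, two distribution switches, one edge switch.
TOPOLOGY = {
    "core": Switch(ports=24, access={10: 10}, children={2: "dist-a", 3: "dist-b"},
                   tagged={1: {10, 20, 30, 40}}),
    "dist-a": Switch(ports=24, access={1: 10, 2: 10, 3: 10, 4: 10, 5: 20},
                     children={23: "edge-a1"}, parent_port=24),
    "edge-a1": Switch(ports=8, access={1: 30, 2: 30}, parent_port=8),
    "dist-b": Switch(ports=24, access={1: 40, 2: 20}, parent_port=24),
}


def required_vlans(switches, name):
    """VLANs a switch must define: its own access and FireRack VLANs plus
    everything required by the switches below it in the hierarchy."""
    sw = switches[name]
    vlans = set(sw.access.values())
    for vlan_set in sw.tagged.values():
        vlans |= vlan_set
    for child in sw.children.values():
        vlans |= required_vlans(switches, child)
    return vlans


def port_membership(switches, name):
    """Return {vlan: (egress_ports, untagged_ports)} for one switch.
    A tagged member is in egress but not in untagged."""
    sw = switches[name]
    egress, untagged = {}, {}

    def member(vlan, port, is_untagged):
        egress.setdefault(vlan, set()).add(port)
        untagged.setdefault(vlan, set())
        if is_untagged:
            untagged[vlan].add(port)

    for port, vlan in sw.access.items():              # host ports: untagged
        member(vlan, port, True)
    for port, vlans in sw.tagged.items():             # FireRack trunk: tagged, matching the firewall
        for vlan in vlans:
            member(vlan, port, False)
    for port, child in sw.children.items():           # downlinks: only what that subtree needs
        for vlan in required_vlans(switches, child):
            member(vlan, port, False)
    if sw.parent_port is not None:                    # uplink: everything this switch carries
        for vlan in required_vlans(switches, name):
            member(vlan, sw.parent_port, False)
    return {vlan: (egress[vlan], untagged[vlan]) for vlan in egress}


def portlist(ports, nports):
    """Encode 1-based port numbers as a Q-BRIDGE-MIB PortList: one bit per port,
    first octet covers ports 1-8, most significant bit is the lowest port."""
    buf = bytearray((nports + 7) // 8)
    for p in ports:
        if not 1 <= p <= nports:
            raise ValueError(f"port {p} out of range 1..{nports}")
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(buf)


def static_vlan_rows(switches, name):
    """Per VLAN, the two PortList values to write into dot1qVlanStaticTable
    (dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts)."""
    sw = switches[name]
    return {vlan: {"egress": portlist(e, sw.ports), "untagged": portlist(u, sw.ports)}
            for vlan, (e, u) in port_membership(switches, name).items()}


if __name__ == "__main__":
    for name in TOPOLOGY:
        print(name, "carries VLANs", sorted(required_vlans(TOPOLOGY, name)))
        for vlan, row in sorted(static_vlan_rows(TOPOLOGY, name).items()):
            print(f"  VLAN {vlan}: egress={row['egress'].hex()} untagged={row['untagged'].hex()}")
```

Two points a practitioner would check when pushing rows like these: a VLAN that is absent from a switch's required set has no row, which is the signal to remove it from that switch, and the untagged PortList only governs egress, so the PVID of each access port (dot1qPvid in dot1qPortVlanTable) must also be set to its VLAN or untagged frames arriving from the host will be classified into the default VLAN.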

Host Tracking

The Host Tracking feature allows a host to be tracked by its MAC address as it moves around the switched network. A process running periodically on the FMS polls each switch via SNMP for its forwarding database, which gives the set of source MAC addresses recently seen on each port. (Note that if 3com port security is enabled for a port then the port must be in learning mode for changes to be reflected.) A MAC address reachable through a downstream switch also appears on the interconnecting port of every switch above it; the port that identifies its location is the non-interconnect port on the switch nearest to it. The presence of each MAC address on each port is recorded in the database and kept up to date. A history is maintained, so that the management console can show which ports a given MAC address previously appeared on, or alternatively which MAC addresses previously appeared on a given port.
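As an added example (not FireRack's poller), the following parses the Q-BRIDGE-MIB forwarding table (dot1qTpFdbPort, indexed by FDB id and the six MAC octets) as an SNMP walk would return it, and keeps the current location and history of each MAC address across several switches. The walk output, switch names, port numbers and poll times are constructed; a real poller would obtain the walk with snmpwalk or a library such as pysnmp. Entries on interconnecting ports are skipped, since a host behind a downstream switch shows up there on every switch above it, as are entries whose port is 0, which the MIB uses for an address whose port has not been learned.

```python
"""Added example (not FireRack code): host tracking from the Q-BRIDGE-MIB
forwarding database. All SNMP walk output below is constructed."""

from collections import defaultdict

# dot1qTpFdbPort; the index is dot1qFdbId followed by the six octets of the MAC address.
FDB_PORT_OID = "1.3.6.1.2.1.17.7.1.2.2.1.2"


def parse_fdb_walk(text):
    """Parse snmpwalk-style lines ('<oid> = INTEGER: <port>') into (fdb_id, mac, port)."""
    entries = []
    for line in text.strip().splitlines():
        oid, sep, value = line.partition(" = ")
        oid = oid.strip().lstrip(".")              # some tools print a leading dot
        if not sep or not oid.startswith(FDB_PORT_OID + "."):
            continue
        index = [int(x) for x in oid[len(FDB_PORT_OID) + 1:].split(".")]
        if len(index) != 7:
            continue                               # not fdbId + 6 MAC octets: skip
        fdb_id, octets = index[0], index[1:]
        mac = ":".join(f"{o:02x}" for o in octets)
        port = int(value.split()[-1])
        entries.append((fdb_id, mac, port))
    return entries


class HostTracker:
    """Current location and movement history of MAC addresses across switches."""

    def __init__(self, uplink_ports):
        self.uplink_ports = uplink_ports           # {switch: {ports facing other switches}}
        self.location = {}                         # mac -> (switch, port)
        self.last_seen = {}                        # mac -> time of the last poll that saw it
        self.history = defaultdict(list)           # mac -> [(time, switch, port), ...]
        self.port_history = defaultdict(set)       # (switch, port) -> {macs ever seen there}

    def poll(self, switch, walk_text, now):
        """Record the MACs learned on this switch's non-interconnect ports at time `now`."""
        for _fdb_id, mac, port in parse_fdb_walk(walk_text):
            if port == 0:
                continue                           # address known, port not learned
            if port in self.uplink_ports.get(switch, ()):
                continue                           # host lives somewhere below this switch
            loc = (switch, port)
            self.last_seen[mac] = now
            self.port_history[loc].add(mac)
            if self.location.get(mac) != loc:      # new host, or a host that has moved
                self.location[mac] = loc
                self.history[mac].append((now, switch, port))

    def where(self, mac):
        return self.location.get(mac)

    def macs_on_port(self, switch, port):
        return sorted(self.port_history[(switch, port)])


# Constructed walk output; 0.28.194 is the OUI 00:1c:c2 written as decimal octets.
EDGE_A1_T1 = """
1.3.6.1.2.1.17.7.1.2.2.1.2.30.0.28.194.0.0.1 = INTEGER: 3
1.3.6.1.2.1.17.7.1.2.2.1.2.30.0.28.194.0.0.2 = INTEGER: 8
1.3.6.1.2.1.17.7.1.2.2.1.2.30.0.28.194.0.0.3 = INTEGER: 0
"""
CORE_T1 = """
1.3.6.1.2.1.17.7.1.2.2.1.2.30.0.28.194.0.0.1 = INTEGER: 2
"""
DIST_B_T2 = """
1.3.6.1.2.1.17.7.1.2.2.1.2.30.0.28.194.0.0.1 = INTEGER: 1
"""


def run_demo():
    """Two polling rounds: the host on edge-a1 port 3 later appears on dist-b port 1."""
    tracker = HostTracker({"core": {2, 3}, "dist-a": {23, 24}, "edge-a1": {8}, "dist-b": {24}})
    tracker.poll("edge-a1", EDGE_A1_T1, now=1)
    tracker.poll("core", CORE_T1, now=1)           # same MAC on a core downlink: ignored
    tracker.poll("dist-b", DIST_B_T2, now=2)       # the host has moved
    return tracker


if __name__ == "__main__":
    t = run_demo()
    print("00:1c:c2:00:00:01 is now on", t.where("00:1c:c2:00:00:01"))
    print("history:", t.history["00:1c:c2:00:00:01"])
```

Switches that only implement the older BRIDGE-MIB expose the same information as dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2), indexed by the six MAC octets alone; the parser above needs only the OID prefix and index length changed to cover that case.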

Locations and Location Groups

A switch port may also be defined as attached to a 'Location'. Multiple ports can be assigned to the same location, so what constitutes a location is at the discretion of the network administrator: it can be a single network wall outlet, a room, or an entire building. Locations can be grouped together in multiple overlapping 'Location Groups', which allow VLAN settings to be modified in bulk.

Relationship to Host Registration

Host Registration is a feature of FireRack firewalls that combines IP spoofing protection (MAC Address Validation on ingress and Static Address Resolution on egress) with simplified administration through static DHCP allocation and DNS insertion for hosts on a local Ethernet. When this feature is in use the FMS holds a database of hosts on the network containing, among other things, the MAC address of each host and the security zones to which it belongs.

The switch management console incorporates information from the Host Registration database to help identify MAC addresses detected on switch ports, so you can see at a glance which computer is connected to a switch port, or easily find the location of a given host. Registered hosts can also be associated with locations, which makes it possible to highlight any discrepancy between the expected and actual location of a computer.