ports may have one of these two features enabled and finally the last group of
ports which may have no security at all.
Details of configuring security features are described in 7.11.2, “Configuring the
Security Module” on page 124.
7.11.1 Operation of Security Card
When transmitting a packet, the 8260 Ethernet modules will use either method 2
or method 3, as described in 2.2, “Ethernet Segments on the Backplane” on
page 15, for communication across the backplane. In both these methods:
1. The data packet is transmitted over the Data In NRZ pin, and
2. The slot ID and port ID are transmitted serially over the Serial ID pin.
The E-SEC card listens to the packets transmitted over the Data In NRZ pin.
Since each Ethernet packet carries the source and destination addresses of the
communicating stations, by monitoring the contents of the packets transmitted
over the Data In NRZ pin the E-SEC card learns where the packet is coming from
and who the intended recipient is. The E-SEC card also monitors the Serial ID
pin, which allows it to learn which port is sending the packet. Monitoring
these two pins therefore allows the E-SEC card to learn the following:
• Source address of the packet
• Destination address of the packet
• The port transmitting the packet
This information, in conjunction with the contents of the network security address
table, allows the E-SEC card to perform both intrusion and eavesdropping
protection.
The following sections describe the theory of operation for each security feature.
7.11.1.1 Intrusion Protection
When performing intrusion protection on a port, the E-SEC card checks the
source address of the packet together with its port ID against the network
security address table entries. If a matching (address, port) entry is found, the
transmitting station is an authorized user. If no match is found, the transmitting
station is not authorized to transmit on the network; note that an address which
is authorized on one port is still an intruder if it appears on another port. Once
the E-SEC card has determined the authorization of the transmitting station, it
immediately sends a security message to all the media modules attached to the
network segment protected by the E-SEC card. This security message instructs
the media modules to either pass or jam the transmitted packet on their ports.
Note: The security message is sent on a per packet basis to all the 8260 ports
in the hub which are attached to the segment to which the E-SEC card is
assigned. The security message will be sent on the Serial ID pin.
When doing intrusion protection only, the same security signal (pass or jam) will
be sent to all the ports. If the transmitting station is authorized, the security
message will instruct all the media ports to pass the transmitted packet to the
stations attached to them. If the transmitting station is not authorized, the
security message will instruct all the other ports to jam the transmitted packet.
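The following is an added example, not code from the IBM Redbook or from the 8260 itself, that models the whole per-packet path described above: learning the source address, destination address and transmitting port from the Data In NRZ and Serial ID pins, checking the (source address, port) pair against the network security address table, broadcasting the same pass or jam signal to every port on the segment, and the media module substituting a pattern of 0s and 1s for a jammed packet. The names (Frame, SecurityTable, intrusion_decision, security_message, media_module_output), the per-port "protected" set standing in for ports configured without security, the 0x55 jam filler byte and the sample addresses and table contents are all assumptions made for this illustration; the real card does this in hardware.

```python
"""Model of E-SEC intrusion protection on an 8260 Ethernet segment.

Added illustration, not the book's or the product's own code. The function
and type names, the jam filler byte and the sample configuration below are
assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

PortId = Tuple[int, int]                 # (slot ID, port ID), as carried on the Serial ID pin
SecurityTable = Dict[PortId, Set[str]]   # network security address table: port -> authorized source MACs

PASS, JAM = "pass", "jam"
JAM_PATTERN_BYTE = 0x55                  # 01010101b; assumed filler, the book only says "0s and 1s"


@dataclass(frozen=True)
class Frame:
    """What the E-SEC card learns from the bits on the Data In NRZ pin."""
    dst: str
    src: str
    payload: bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes) -> bytes:
    """Constructed Ethernet frame: 6-byte dst, 6-byte src, 2-byte length, payload."""
    return mac_bytes(dst) + mac_bytes(src) + len(payload).to_bytes(2, "big") + payload


def parse_ethernet_frame(raw: bytes) -> Frame:
    """Recover the destination and source addresses; only the 14-byte header matters here."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return Frame(dst=raw[0:6].hex(":"), src=raw[6:12].hex(":"), payload=raw[14:])


def intrusion_decision(table: SecurityTable, protected: Set[PortId],
                       port: PortId, frame: Frame) -> str:
    """Intrusion check: the (source address, transmitting port) pair must be in the table.

    A port that is not configured for intrusion protection is not checked at all
    (the 'protected' set is this example's stand-in for that per-port configuration).
    """
    if port not in protected:
        return PASS
    return PASS if frame.src in table.get(port, set()) else JAM


def security_message(decision: str, segment_ports: Set[PortId]) -> Dict[PortId, str]:
    """Per-packet security message on the Serial ID pin: with intrusion protection
    only, every port on the segment receives the same pass/jam signal."""
    return {p: decision for p in segment_ports}


def media_module_output(raw: bytes, signal: str) -> bytes:
    """What a media module puts on its port: the real packet on 'pass',
    a same-length pattern of 0s and 1s on 'jam'."""
    if signal == PASS:
        return raw
    return bytes([JAM_PATTERN_BYTE]) * len(raw)


def run_segment(table: SecurityTable, protected: Set[PortId], segment_ports: Set[PortId],
                port: PortId, raw: bytes) -> Tuple[str, Dict[PortId, bytes]]:
    """One packet end to end: learn (src, dst, port), decide, broadcast the signal, apply it."""
    frame = parse_ethernet_frame(raw)
    decision = intrusion_decision(table, protected, port, frame)
    msg = security_message(decision, segment_ports)
    return decision, {p: media_module_output(raw, sig) for p, sig in msg.items()}


if __name__ == "__main__":
    # Constructed sample configuration (not from the book): one station authorized on slot 3 port 1.
    table: SecurityTable = {(3, 1): {"00:11:22:33:44:55"}}
    protected = {(3, 1), (3, 2)}
    segment = {(3, 1), (3, 2), (4, 1)}
    good = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"hello")
    bad = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01", b"hello")
    for raw in (good, bad):
        decision, outputs = run_segment(table, protected, segment, (3, 1), raw)
        print(decision, {p: out[:4].hex() for p, out in sorted(outputs.items())})
```

The point a practitioner should take from the model is that the decision is made once per packet for the whole segment: an unauthorized source on one port causes every port on that segment to put the jam pattern on the wire, while the same authorized address seen on a different port is treated as an intruder because the table is keyed by the (address, port) pair.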
When the jamming signal is received by an 8260 module for a port, the module
will transmit a packet consisting of 0s and 1s (instead of the actual packet) to the
122 8260 Multiprotocol Intelligent Switching Hub