Enterasys b5

To Next Page

To Previous Page

Configuring MAC Locking

Enterasys B5 CLI Reference 22-57

Example

ThisexampleremovestheentryinthemappingtableforVLAN144.

B5(rw)->show policy maptable

Policy map response : both

Policy map last change : 1 days 17:23:57

VLAN ID Policy Profile

144 4 (Students)

160 7 (Faculty)

B5(rw)->clear policy maptable 144

B5(rw)->show policy maptable

Policy map response : both

Policy map last change : 1 days 17:24:01

VLAN ID Policy Profile

160 7 (Faculty)

Configuring MAC Locking

ThisfeaturelocksaMACaddresstooneormoreports,preventingconnectionofunauthorized

devicesthroughtheport(s).WhensourceMACaddressesarereceivedonspecifiedports,the

switchdiscardsallsubsequentframes notcontainingtheconfiguredsourceaddresses.Theonly

framesforwardedona“locked”portarethosewith

the“locked”MACaddress(es)forthatport.

TherearetwomethodsoflockingaMACtoaport:firstarrivalandstatic.Thefirstarrivalmethod

isdefinedtobelockingthefirstnnumberofMACswhicharriveonaportconfiguredwithMAC

lockingenabled.Thevaluenis

configuredwiththesetmaclockfirstarrivalcommand.

ThestaticmethodisdefinedtobestaticallyprovisioningaMAC‐portlockusingthesetmaclock

command.ThemaximumnumberofstaticMACaddressesallowedforMAClockingonaport

canbeconfiguredwiththesetmaclockstaticcommand.

Youcanconfigure

theswitchtoissueaviolationtrapifapacketarriveswithasourceMAC

addressdifferentfromanyofthecurrentlylockedMACaddressesforthatport.

MACsareunlockedasaresultof:

•Alinkdownevent

•WhenMAClock ing isdisabledonaport

•WhenaMACisaged

outoftheforwardingdatabasewhenFirstArrivalagingisenabled

Whenproperlyconfigured,MAClockingisanexcellentsecuritytoolasitpreventsMACspoofing

onconfiguredports.AlsoifaMACweretobesecuredbysomethinglikeDragonDynamic

IntrusionDetection,MAClockingwouldmakeitmoredifficultfor

ahackertosendpacketsinto

thenetworkbecausethehackerwouldhavetochangetheirMACaddressandmovetoanother

port.Inthemeantimethesystemadministratorwouldbe receivingamaclocktrapnotification.

Purpose

Toreview,disable,enable,andconfigureMAClocking.

Main Page

Table of Contents