MAC Locking
26-8 Configuring Security Features
You can configure the switch to issue a violation trap if a packet arrives with a source MAC address different from any of the currently locked MAC addresses for that port.
MACs are unlocked as a result of:
• A link down event
• When MAC locking is disabled on a port
• When a MAC is aged out of the forwarding database when FirstArrival aging is enabled
When properly configured, MAC locking is an effective security tool because it prevents MAC spoofing on the configured ports. Also, if a MAC address were being secured by a tool such as Dragon Dynamic Intrusion Detection, MAC locking would make it more difficult for an attacker to send packets into the network, because the attacker would have to change their MAC address and move to another port. In the meantime the system administrator would be receiving a maclock trap notification.
MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.
First Arrival Configuration
Use the set maclock firstarrival command to restrict MAC locking on a port to a maximum number of end station addresses first connected to that port (dynamic MAC locking).
By default, the maclock first arrival count resets when the link goes down, and dynamic MAC locking addresses are dropped on loss of link. This feature is beneficial if you have roaming users—the first arrival count will be reset every time a user moves to another port, but it will still protect against connecting multiple devices to a single port and against MAC address spoofing.
Use the set maclock agefirstarrival command to enable or disable the aging of first arrival MAC addresses. When enabled, first arrival MAC addresses that are aged out of the forwarding database will be removed from the associated port MAC lock.
Use the set maclock clearonlinkchange command to manage the behavior of First Arrival MAC locking on a link state change. By default, dynamic MAC locking addresses are dropped on loss of link. If you disable clearing of First Arrival MAC locking, First Arrival MAC addresses will be maintained on a loss of link.
Use the set maclock move command to move all current first arrival MACs to static entries. If there are more first arrival MACs than the allowed maximum number of static MACs, only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.
MAC Locking Notifications
You can configure MAC locking notifications as SNMP traps and/or Syslog messages.
Use the set maclock trap command to enable or disable MAC locking SNMP trap messaging, and to specify when a trap should be sent. You can specify that a trap should be sent:
• If the MAC address table threshold is reached, or
Note: Setting a port’s first arrival limit to 0 does not deny the first MAC address learned on the port from passing traffic.