Enterasys D2 D2G124-12P

To Next Page

To Previous Page

Configuring MAC Locking

15-46 Security Configuration

Configuring MAC Locking

ThisfeaturelocksaMACaddresstooneormoreports,preventingconnectionofunauthorized

devicesthroughtheport(s).WhensourceMACaddressesarereceivedonspecifiedports,the

switchdiscardsallsubsequentframes notcontainingtheconfiguredsourceaddresses.Theonly

framesforwardedona“locked”portarethosewith

the“locked”MACaddress(es)forthatport.

TherearetwomethodsoflockingaMACtoaport:firstarrivalandstatic.Thefirstarrivalmethod

isdefinedtobelockingthefirstnnumberofMACswhicharriveonaportconfiguredwithMAC

lockingenabled.Thevaluenis

configuredwiththesetmaclockfirstarrivalcommand.

ThestaticmethodisdefinedtobestaticallyprovisioningaMAC‐portlockusingthesetmaclock

command.ThemaximumnumberofstaticMACaddressesallowedforMAClockingonaport

canbeconfiguredwiththesetmaclockstaticcommand.

Youcanconfigure

theswitchtoissueaviolationtrapifapacketarriveswithasourceMAC

addressdifferentfromanyofthecurrentlylockedMACaddressesforthatport.

MACsareunlockedasaresultof:

•Alinkdownevent

•WhenMAClock ingisdisabledonaport

•WhenaMACisaged

outoftheforwardingdatabasewhenFirstArrivalagingisenabled

Whenproperlyconfigured,MAClockingisanexcellentsecuritytoolasitpreventsMACspoofing

onconfiguredports.AlsoifaMACweretobesecuredbysomethinglikeDragonDynamic

IntrusionDetection,MAClockingwouldmakeitmoredifficultfor

ahackertosendpacketsinto

thenetworkbecausethehackerwouldhavetochangetheirMACaddressandmovetoanother

port.Inthemeantimethesystemadministratorwouldbereceivingamaclocktrapnotification.

Purpose

Toreview,disable,enable,andconfigureMAClocking.

Commands

authenticated mac

address

If authentication has succeeded, displays the MAC address assigned for egress.

vlan id If authentication has succeeded, displays the assigned VLAN id for ingress.

Table 15-50 show vlanauthorization Output Details (Continued)

Output Field What It Displays...

For information about... Refer to page...

show maclock 15-47

show maclock stations 15-48

set maclock enable 15-49

set maclock disable 15-50

set maclock 15-50

clear maclock 15-51

Main Page

Table of Contents

Related product manuals