9-26
Configuring and Monitoring Port Security
MAC Lockout
How It Works. Let’s say a customer knows there are unauthorized wireless
clients who should not have access to the network. The network administrator
“locks out” the MAC addresses for the wireless clients by using the MAC
Lockout command (lockout-mac <mac-address>). When the wireless clients
then attempt to use the network, the switch recognizes the intruding MAC
addresses and prevents them from sending or receiving data on that network.
If a particular MAC address can be identified as unwanted on the switch then
that MAC Address can be disallowed on all ports on that switch with a single
command. You don’t have to configure every single port—just perform the
command on the switch and it is effective for all ports.
MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti-
cation.
You cannot use MAC Lockout to lock:
• Broadcast or Multicast Addresses (Switches do not learn these)
• Switch Agents (The switch’s own MAC Address)
If someone using a locked out MAC address tries to send data through the
switch a message is generated in the log file:
Lockout logging format:
W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected
on port A15
W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected
on port A15
W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs
for 5m
As with MAC Lockdown a rate limiting algorithm is used on the log file so that
it does not become overclogged with error messages. (Refer to “Limiting the
Frequency of Log Messages” on page 9-20.)
Displaying status. Locked out ports are listed in the output of the show
running-config command in the CLI. The show lockout-mac command also lists
the locked out MAC addresses, as shown below.
To Next Page
Loading...
Need help?
General
